Experiences in Intel SGX research Dongsu Han and Seongmin Kim KAIST - - PowerPoint PPT Presentation



SLIDE 1

Experiences in Intel SGX research

Dongsu Han and Seongmin Kim

KAIST

Joint work with: Changho Choi, Soham Desai*, Juhyeng Han, Jaehyung Ha, Prerit Jain*, JaeHyuk Lee, Youjung Shin, Brent Byounghoon Kang and Taesoo Kim*

APNet 2017

*

SLIDE 2

Trend 1: Security and Privacy: Critical Factors in Technology Adoption

  • Demands for “security” and “privacy” are increasing
    – Widespread use of Transport Layer Security (TLS)
    – Popularity of anonymity networks (e.g., Tor)
    – Use of strong authentication/encryption in WiFi
  • Expectation on security and privacy impacts design decisions:
    – Operating system (iOS, Android)
    – Apps/services (e.g., messenger, adblocker)
    – Network infrastructure (inter-domain SDN)

SLIDE 4

Trend 2: Commoditization of Trusted Execution Environment

  • Trusted Execution Environment (TEE)
    – Isolated execution: integrity of code, confidentiality
    – Remote attestation
  • Commoditization of TEE
    – Trusted Platform Module (TPM): Slow performance
    – ARM TrustZone: Only available for embedded devices
    – Intel Software Guard Extension (SGX)
      1. Native performance
      2. Compatibility with x86

The commoditization of TEE brings new opportunities for networking.

SLIDE 5

SGX: Isolated Execution

  • Application keeps its data/code inside the “enclave”
    – Smallest attack surface by reducing TCB (App + processor)
    – Protect app’s secret from untrusted privileged software (e.g., OS, VMM)

[Figure labels: CPU Package; System Memory; Enclave; Memory Encryption Engine (MEE); Snooping; Access from OS/VMM; Encrypted code/data]

SLIDE 6

SGX: Remote Attestation

  • Attest an application on remote platform
  • Check the identity of enclave (hash of code/data pages)
  • Can establish a “secure channel” between enclaves

Steps shown in the figure:

  1. Request
  2. Calculate MAC
  3. Send MAC
  4. Verify
  5. Sign with group key [EPID]
  6. Send signature

[Figure labels: Challenger; Target Enclave; Quoting Enclave; SGX CPU; Host platform; Remote platform; CMAC; Hash]

SLIDE 7

SGX Research: Current Status and Challenges

  • SGX specification released in 2013.
    – SGX available in Intel’s Skylake microarchitecture (2015)
    – Hardware and software implementations for SGX lag behind their specifications.

SGX CPU and SDK is now available! But..

Barriers to SGX research

  • Specification for SGX [revision 1 & 2] is not fully available on the SGX hardware (only functionalities in revision 1)
  • SGX technology has a complex license model
    – Hard to obtain full license.

SLIDE 8

Our work

  1. Open-source emulator platform for SGX research
     • OpenSGX [NDSS16]
  2. What impact does SGX have on networking?
     • A first Step Towards Leveraging Commodity Trusted Execution Environments for Network Applications [HotNets15]
     • Enhancing Security and Privacy of Tor’s Ecosystem by using Trusted Execution Environment [NSDI17]
     • SGX-Box: Enabling Visibility on Encrypted Traffic using a Secure Middlebox Module [APNet17]

SLIDE 9

Network Applications + TEE = ?

  • What impact does TEE have on networking? [HotNets15]
  • Previous efforts: Adopting TEE to cloud platform
    – Haven [OSDI’14]: Protects applications from an untrusted cloud
    – VC3 [S&P’15]: Trustworthy data analytics in the cloud

[Figure labels: Network Applications; TEE; Intel SGX; Enhanced security; New design space; New functionality]

SLIDE 10

Case Studies: Three Applications

  1. Network infrastructure: Software-defined inter-domain routing [HotNets2015]
  2. Peer-to-peer systems: Tor anonymity network [NSDI2017]
  3. Middlebox: Secure Middlebox [APNet2017]

[Figure labels: Network Applications; TEE; Intel SGX; Enhanced security; New design space; New functionality]

SLIDE 11

Our work

  1. OpenSGX [NDSS16]: Open-source emulator platform for SGX research
  2. What impact does SGX have on networking?
     • A first Step Towards Leveraging Commodity Trusted Execution Environments for Network Applications [HotNets15]
     • Enhancing Security and Privacy of Tor’s Ecosystem by using Trusted Execution Environment [NSDI17]
     • SGX-Box: Enabling Visibility on Encrypted Traffic using a Secure Middlebox Module [APNet17]

SLIDE 12

Background: Enclave Life Cycle

  1. ECREATE: Create an enclave
  2. EADD: Add pages
  3. EINIT: Finalize the enclave
  4. EENTER: Enters the enclave
  5. EEXIT: Leaves the enclave

[Figure labels: Virtual Address Space; Physical Address Space; Enclave; Application code; EPC; Memory (Untrusted); Plaintext Code/Data; Code/Data]

SLIDE 13

OpenSGX: Design Goal

  • Offer a complete platform for SGX research
    – To explore software and hardware design space of SGX
    – To develop and evaluate SGX-enabled applications
  • Solve non-trivial issues on SGX software components
    – Support for system software and user-level APIs
    – Familiar programming model and interface
    – Secure design to defend against potential attack vectors (e.g., Iago attacks)

SLIDE 14

OpenSGX: Component Overview

  • Emulated SGX hardware
  • Enclave loader
  • OS emulation layer
  • OpenSGX user library
  • OpenSGX toolchain
  • Enclave debugger
  • Performance monitor

[Figure labels: SGX OS Emulation; SGX QEMU (HW emulation); Enclave Program; OpenSGX toolchain; Enclave loader; SGX Libraries; Trampoline; Stub; Runtime library; Enclave Debugger; Performance Monitor]

SLIDE 15

OpenSGX: Approach

  • Using user-space emulation of QEMU
    – Binary translation to support SGX instructions
    – QEMU helper routine to implement complex instructions

[Figure: Binary Translation. Labels: QEMU Host (single address space); Wrapper; Lib; Stack; Heap; Enclave; Code; Data; EPC; Entry point; RIP; EENTER; SGX instructions; Helper routine (Set registers, Operates)]

Code fragments shown in the figure:

    enclu(){
        …
        asm(".byte 0x0f"
            ".byte 0x01"
            ".byte 0xd7"
            "rax=entry"
        …
    }

    …
    if(opcode == 0x0f01d7) { helper_enclu(); }
    …

SLIDE 16

Hardware Emulation

  • Emulates SGX data structures and SGX processor key
  • Enclave page cache (EPC) memory management
    – Direct mapping on virtual memory
    – Access protection: Instrument memory access
      1. Prohibit access from host to EPC
      2. Prohibit access from other enclaves’ EPC to current enclave’s EPC

[Figure labels: Virtual address space; EPC_begin; EPC_end; enclave_begin; enclave_end]

QEMU’s translation routine:

    …
    Case (Load | Store) { }
    …
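
The two access rules above can be written as one check that runs on every emulated load and store. The following C code is an added example, not OpenSGX code: the structures, the per-page owner table, the `check_access` and `demo_check` names and the address layout are assumptions made for illustration, and an unassigned EPC page is treated as belonging to no enclave.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define EPC_PAGES 8u                 /* constructed: a tiny EPC for the example */

/* Hypothetical emulator state; field names are this example's, not OpenSGX's. */
struct epc_state {
    uintptr_t epc_begin;             /* EPC is one directly mapped virtual range */
    uint32_t  owner[EPC_PAGES];      /* enclave id (1, 2, ...) per page, 0 = unassigned */
};
struct cpu_state {
    bool     in_enclave;             /* true between EENTER and EEXIT */
    uint32_t cur_enclave;            /* id of the enclave currently executing */
};

typedef enum { ACCESS_OK, DENY_HOST_TO_EPC, DENY_OTHER_ENCLAVE } access_t;

/* Check run for every emulated load/store of len bytes at addr. */
access_t check_access(const struct epc_state *epc, const struct cpu_state *cpu,
                      uintptr_t addr, size_t len)
{
    uintptr_t epc_last = epc->epc_begin + (uintptr_t)EPC_PAGES * PAGE_SIZE - 1;
    if (len == 0)
        return ACCESS_OK;
    uintptr_t last = addr + (len - 1);
    if (last < addr)                         /* address wrap-around: clamp to top */
        last = UINTPTR_MAX;

    /* Intersect [addr, last] with the EPC; an access may straddle its edges. */
    uintptr_t lo = addr > epc->epc_begin ? addr : epc->epc_begin;
    uintptr_t hi = last < epc_last ? last : epc_last;
    if (lo > hi)
        return ACCESS_OK;                    /* ordinary memory, no EPC byte touched */

    if (!cpu->in_enclave)                    /* rule 1: host may not touch EPC */
        return DENY_HOST_TO_EPC;
    for (size_t p = (lo - epc->epc_begin) / PAGE_SIZE;
         p <= (hi - epc->epc_begin) / PAGE_SIZE; p++)
        if (epc->owner[p] != cpu->cur_enclave)   /* rule 2: only the enclave's own pages */
            return DENY_OTHER_ENCLAVE;
    return ACCESS_OK;
}

/* Constructed layout: enclave 1 owns pages 0-2, enclave 2 owns pages 3-4. */
static const struct epc_state DEMO_EPC = { 0x100000, { 1, 1, 1, 2, 2, 0, 0, 0 } };

access_t demo_check(bool in_enclave, uint32_t eid, uintptr_t addr, size_t len)
{
    struct cpu_state cpu = { in_enclave, eid };
    return check_access(&DEMO_EPC, &cpu, addr, len);
}

int main(void)
{
    printf("host -> EPC: %d\n", demo_check(false, 0, 0x100010, 8));
    printf("enclave 1 straddling into enclave 2's page: %d\n",
           demo_check(true, 1, 0x102ffc, 8));
    printf("enclave 1 -> own page: %d\n", demo_check(true, 1, 0x101000, 8));
    return 0;
}
```

The straddling cases matter: an 8-byte access that starts in permitted memory and ends in a protected page is denied because every page the access touches is checked, not only the first.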

SLIDE 17

Instruction Support

  • OpenSGX supports most instructions in the specification
    – Except for debugging related instructions (e.g., EDBGRD)
    – Instead, it offers rich environment for debugging since it is a “software emulator” (e.g., GDB stub)
  • Provides simple C APIs which wrap assembly code
    – User-level instructions (ENCLU): accessible to user-level APIs
    – Super-level instructions (ENCLS): Requires system support

SLIDE 18

OS Emulation Layer

  • Emulate OS to execute the privileged SGX instructions
  • OS-neutral interface for:
    – Bootstrapping (EPC allocation)
    – Enclave initialization & page translation
    – Dynamic EPC page allocation

System call          Description
sys_sgx_init()       Allocate EPC memory region
sys_init_enclave()   Create an enclave, Add and measure EPC pages
sys_add_epc()        Allocates a new EPC page to the running enclave
sys_stat_enclave()   Obtains the enclave performance statistics

SLIDE 19

Narrow interface for SGX user lib: Trampoline and Stub

“A strict and narrow interface to handle enclave-host communication using shared data/code”

Stub: Shared data to specify the function code and arguments
Trampoline: Shared code to call user-level APIs in the wrapper

[Figure labels: Enclave; Code; Heap; Lib; Emulated OS; Wrapper; Trampoline (Shared); Stub; stub fields: fcode, mcode, argument1, heap_end; Heap: FULL!]

Code fragments shown in the figure:

    … malloc(100); …

    malloc(){ … sgx_exit(tram); … }

    … if (fcode == FUNC_MALLOC) alloc_tramp(); …

<Specification> fcode: FUNC_MALLOC; mcode: EAUG; size: 100

SLIDE 20

Trampoline and Stub Interface

“A strict and narrow interface to handle enclave-host communication using shared data/code”

User-level APIs to request system calls

[Figure labels: Enclave; Code; Heap; Lib; Emulated OS; Wrapper; Trampoline (Shared); Stub; System Call; EEXIT; ERESUME; Call EAUG; stub contents: heap_end; heap_end+4K; FUNC_MALLOC; EAUG; 100]

Code fragments shown in the figure:

    malloc(100);

    malloc(){ … sgx_exit(tram); … }

    … if (fcode == FUNC_MALLOC) alloc_tramp(); …

    alloc_tramp() { … sys_add_epc(); … }

    int sys_add_epc() { encls(EAUG, …); …

SLIDE 21

OpenSGX: Usage Example

  • Similar to building a C program
    – Compile (Similar to gcc)
    – Sign (Using programmer’s key)
    – Execution (Compiled enclave binary is loaded and executed)

    void enclave_main(){
        char *hello = "hello sgx!\n";
        sgx_enclave_write(hello, strlen(hello));
        sgx_exit(NULL);
    }

    $ opensgx -c hello.c
    $ opensgx -s hello.sgx --key sign.key
    $ opensgx hello.sgx hello.conf
    hello sgx!

[Figure labels: Code: enclave_main(); Data: "hello sgx\n"; 0x0000 EPC1; 0x1000 EPC2; Entry point; SigStruct]

SLIDE 22

OpenSGX: Current Status

  • Available at github, released in May 2015
    – 14k LoC
    – https://github.com/sslab-gatech/opensgx
    – 11 Contributors (Gatech, KAIST, Two Sigma, MITRE, …)
    – 31 unique cloners, 1,645 Views (January, 2016)
    – Used in academia: S-NFV [SDN-NFV Security16], Edge functions [SEC16], SGX-enabled VM migration [IEEE SERVICES16], System-level OpenSGX [Computers & Security17], …
  • Our current community

SLIDE 23

Our work

  1. OpenSGX [NDSS16]: Open-source emulator platform for SGX research
  2. What impact does SGX have on networking?
     • A first Step Towards Leveraging Commodity Trusted Execution Environments for Network Applications [HotNets15]
     • Enhancing Security and Privacy of Tor’s Ecosystem by using Trusted Execution Environment [NSDI17]
     • SGX-Box: Enabling Visibility on Encrypted Traffic using a Secure Middlebox Module [APNet17]

SLIDE 24

Tor anonymity network

  • Tor: the most popular anonymity network for Internet users
    – Helps users to defend against traffic analysis and keep user’s privacy (e.g., what sites you visit, IP address) [from Tor project, www.torproject.org]
    – Freely available as an open source
    – 1.8 million users on a daily basis

[Figure: The geographic location of Tor relays *]

* from Onionview, https://onionview.codeplex.com/

SLIDE 25

Tor network: Threat model

  • Tor’s threat model
    – Tor is a volunteer-based network: Tor relays are not trusted
    – Can observe some fraction of network traffic
    – Can run a Tor relay of his own
    – Can compromise some fraction of Tor relays
  • 3-hop onion routing: a single Tor entity cannot know both client and server
  • Processing unit: Cell (512 bytes)

[Figure labels: Tor client; Entry; Middle; Exit; Destination; TLS channel (×3); Plain-text]

SLIDE 26

Limitations of Tor

Attackers can modify the behavior
    – Give false information to others
    – Modify or inject the cell

Information visible to attackers
    – Cell: header
    – Demultiplex and identify a circuit

Processing unit: Cell (512 bytes)

[Figure labels: Tor clients; Entry; Middle; Exit; Destination; TLS channel (×3); Plain-text; Cell; Bandwidth: 20MB/s, 150MB/s, Inflated!]

SLIDE 27

SGX-Tor: Leveraging Intel SGX on Tor

Improved trust model; Operational privacy; Practicality

  • Spells out what users trust in practice
  • Provides ultimate privacy
  • Protects sensitive data and Tor operations
  • Prevents modifications on Tor relays
  • The chance of having more hardware resources donated
  • Incrementally deployable
  • Compatibility

[Figure labels: Intel SGX; Tor network; Middle; SGX-Tor]

SLIDE 28

SGX-Tor: Design and Implementation

User process (Tor application), enclave memory:

  • Tor code/data (Core)
    – Circuit Establishment, Hidden service, Voting
    – Encryption/Decryption, Cell/Consensus creation
  • SSL Library
  • Attestation Module
  • Sealing Module

Annotations in the figure:

    – Crypto/TLS operations
    – Seals/unseals private data
    – Integrity check
    – Securely obtains the entropy and time value
    – Encrypts and stores the sensitive data outside the enclave
    – Validates the enclave hash of the Tor program

SLIDE 30

SGX-Tor: Design and Implementation

User process (Tor application), enclave memory:

  • Tor code/data (Core)
    – Circuit Establishment, Hidden service, Voting
    – Encryption/Decryption, Cell/Consensus creation
  • SSL Library
  • Attestation Module
  • Sealing Module

[Figure labels: Trusted; Untrusted; Crypto/TLS operations; Seals/unseals private data; Integrity check; System Call; Enclave Creation; Enclave initialization; Standard Library (glibc); Tor code/data (Untrusted); SGX Runtime Library; Application; ECALL; OCALL; Request system services]

OCALL/ECALL Wrapper: Narrow interface

Sanity checking

  1. Argument length
  2. Address range

SLIDE 32

Attacks defeated by using SGX-Tor

  1. Tagging attack
  2. Bandwidth inflation

Steps shown in the figure (Directory authorities; Malicious relay (modified Tor)):

  1. BW scanning
  2. Detect scanning
  3. Report fake BW
  4. Create consensus document

[Figure labels: Replay; Cell counting; Advertised BW: Inflated!; Attract more clients!; Tor clients; Entry; Middle; Exit; Destination; TLS channel (×3); Plain-text]

SLIDE 33

Attacks defeated by using SGX-Tor (Cont.)

Attackers cannot

  • access sensitive data
  • modify the code

Attacks defeated/mitigated by SGX-Tor

  • Circuit demultiplexing [S&P06]
  • Bandwidth inflation [PETS07, S&P13]
  • Tagging attack [TON12, CCS12, S&P13]

[Figure labels: Tor clients; Entry; Middle; Exit; Destination; TLS channel (×3); Plain-text; Enclave; Circuit establishment; Cell creation; Encryption/Decryption; Onion/SSL key creation; Cell; Circuit descriptor; Private keys]

SGX-Tor is an open source: https://github.com/KAIST-INA/SGX-Tor

SLIDE 34

Performance evaluation

  • SGX-Tor performance: WAN setting
    – Establish a private Tor network
    – For the realistic scenario, we consider the “locality of relays” (Asia, EU, U.S. West, U.S. East)

<Evaluation environment>: client; Entry (KAIST); Middle (Cloud): 1. EU, 2. U.S. West, 3. U.S. East; Exit (Gatech); server

[Plot: cumulative probability vs. time-to-first-byte (ms); SGX-Tor vs. original Tor]
[Plot: throughput (Mbps) vs. file size (10MB, 100MB) for HTTPS and HTTP; SGX-Tor vs. original Tor]

Results shown: 11.9% degradation; 3.9% additional latency

SLIDE 35

Our Early Lessons on SGX research

  • Performance overheads caused by using SGX
    – EPC Paging (limited memory space: < 200MB)
    – Context switch (for each OCALL)
  • While building SGX-based system, we should
    – Reduce enclave size as much as possible
    – Minimize copying already encrypted data to EPC (e.g., SSL-encrypted packet)
    – Seal large data structures that are used infrequently

SLIDE 36

Our Early Lessons on SGX research (Cont.)

  • Security issues while building SGX systems
    – Narrowing interface to reduce attack surface and sanity checking for input/output arguments
    – New attack scenarios caused by assuming malicious system software (e.g., bandwidth inflation by OS in SGX-Tor)
  • As a result of our experience, we release SGX-ported OpenSSL as an open source
    – https://github.com/sparkly9399/SGX-OpenSSL

SLIDE 37

Conclusion

  • We design and implement OpenSGX, fully functional and instruction-compatible SGX emulator
  • Commoditization of TEE brings new opportunities for network applications
  • Ongoing work: Apply SGX to Network Function Virtualization
    – Building a secure middlebox by leveraging SGX
    – Will be presented in APNet 2017 (SGX-Box)

SLIDE 39

Our Early Lessons on SGX

  • Misconceptions on SGX
    – SGX for desktop-like environment: Needs secure I/O channel (integration with hardware technology such as Intel IPT)
    – Need EPID support for remote attestation
  • Malicious use of Intel SGX
    – Malware might be possible by abusing the isolation property
    – Fails on traditional signature-based AV programs

SLIDE 40

Comparison: Intel SGX vs OpenSGX

                   Intel SGX                              OpenSGX
Type               Hardware                               Software Emulator
Instructions       16 ENCLS, 8 ENCLU                      13 ENCLS, 8 ENCLU (Except debugging)
Data structures    Specified                              ○
Paging             Page table                             Direct mapping
System software    Not specified                          User level emulation
User level APIs    SDK is available (Only for Windows)    ○

SLIDE 41

Defense against Iago attacks

  • Iago attacks [ASPLOS’13]: Malicious OS tries to subvert trusted application by incorrect behavior
    ex) adds incorrect EPC page for heap

[Figure labels: Enclave; Application; In-enclave Lib; Emulated OS; Wrapper; Trampoline; Stub; heap_end; cur_heap_ptr; Bad EPC page: Detect!]

Code fragments shown in the figure:

    … malloc(); …

    void *malloc(int size){
        if(cur_heap_ptr == heap_end) {
            stub->mcode = EAUG;
            exit(trampoline);
        }

    malloc_tramp() { sys_add_epc(); }

    enclu(EACCEPT, …);

    int sys_add_epc() { … }
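
An added example (not OpenSGX or SGX-Tor code) of the enclave-side check behind “Bad EPC page: Detect!”, combined with the argument-length and address-range sanity checks listed for the SGX-Tor OCALL/ECALL wrapper: the in-enclave allocator asks the host for a heap page through the stub and rejects any reply that does not extend its heap by exactly one page. The trampoline is modelled as a plain function call, and the struct layouts, constants, error codes, `MAX_REQUEST` and the `host_*` functions are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE   4096u
#define MAX_REQUEST (16u * PAGE_SIZE)      /* assumed per-call limit, not from the slides */
enum { FUNC_MALLOC = 1, MCODE_EAUG = 1 };  /* constructed values; the slides give names only */

/* Stub: shared, host-writable memory carrying the request and the host's reply. */
struct stub {
    uint32_t  fcode, mcode;
    size_t    argument1;   /* requested size */
    uintptr_t heap_end;    /* in: current heap end; out: heap end after EAUG */
};

/* Enclave-private bookkeeping; it lives in EPC, so the host cannot change it. */
struct heap {
    uintptr_t base, limit; /* address range reserved for the enclave heap */
    uintptr_t end;         /* first byte past the last accepted page */
    uintptr_t cur;         /* next free byte */
};

typedef enum { GROW_OK, ERR_SIZE, ERR_UNALIGNED, ERR_RANGE, ERR_NOT_CONTIGUOUS } grow_t;
typedef void (*trampoline_fn)(struct stub *);  /* models sgx_exit(tram) ... ERESUME */

/* Ask the host for one more heap page and verify its answer before using it. */
grow_t heap_grow(struct heap *h, struct stub *s, size_t size, trampoline_fn tramp)
{
    if (size == 0 || size > MAX_REQUEST)           /* sanity check 1: argument length */
        return ERR_SIZE;
    s->fcode = FUNC_MALLOC;
    s->mcode = MCODE_EAUG;
    s->argument1 = size;
    s->heap_end = h->end;
    tramp(s);                                      /* untrusted side: sys_add_epc() */

    uintptr_t new_end = s->heap_end;               /* read the reply once, then validate */
    if (new_end % PAGE_SIZE != 0)
        return ERR_UNALIGNED;
    if (new_end <= h->base || new_end > h->limit)  /* sanity check 2: address range */
        return ERR_RANGE;
    if (new_end != h->end + PAGE_SIZE)             /* must extend the heap by one page */
        return ERR_NOT_CONTIGUOUS;
    h->end = new_end;
    return GROW_OK;
}

/* Bump allocator on top: returns 0 and sets *err if the host's reply is rejected. */
uintptr_t enclave_malloc(struct heap *h, struct stub *s, size_t size,
                         trampoline_fn tramp, grow_t *err)
{
    *err = (size == 0 || size > MAX_REQUEST) ? ERR_SIZE : GROW_OK;
    while (*err == GROW_OK && h->end - h->cur < size)
        *err = heap_grow(h, s, size, tramp);
    if (*err != GROW_OK)
        return 0;
    uintptr_t p = h->cur;
    h->cur += size;
    return p;
}

/* Constructed hosts: one honest, three misbehaving. */
void host_honest(struct stub *s)    { s->heap_end += PAGE_SIZE; }
void host_stale(struct stub *s)     { (void)s; }                  /* claims success, adds nothing */
void host_outside(struct stub *s)   { s->heap_end = 0x70000000; } /* page outside the heap range */
void host_unaligned(struct stub *s) { s->heap_end += 100; }

/* Constructed layout: 4-page heap at 0x200000 whose first page is already full. */
grow_t demo(trampoline_fn host, size_t size)
{
    struct heap h = { 0x200000, 0x200000 + 4 * PAGE_SIZE,
                      0x200000 + PAGE_SIZE, 0x200000 + PAGE_SIZE };
    struct stub s = { 0, 0, 0, 0 };
    grow_t err;
    enclave_malloc(&h, &s, size, host, &err);
    return err;
}

int main(void)
{
    printf("honest=%d stale=%d outside=%d unaligned=%d\n", demo(host_honest, 100),
           demo(host_stale, 100), demo(host_outside, 100), demo(host_unaligned, 100));
    return 0;
}
```

Because the expected new heap end is computed from enclave-private state, the host's reply is only ever compared against it and never used to decide where the heap grows; the same range check also stops an honest host from growing the heap past its reserved limit.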

SLIDE 42

Memory State of OpenSGX Program

[Figure labels: SGX OS Emulation; QEMU SGX; User process (single address space); Package Info; Entry point; Measurement; Key; SGX Lib; Trampoline; Stub; Wrapper; Lib; Stack; Heap; Enclave Program; Code; Data; EPC; Privilege boundary; System calls boundary; ENCLS (e.g., EINIT); ENCLU (e.g., EENTER); ENCLU (e.g., EEXIT); System call (e.g., sys_sgxinit())]

SLIDE 43

Conclusion

  • We design and implement OpenSGX, fully functional and instruction-compatible SGX emulator
  • As a showcasing application, we develop SGX-enabled Tor to enhance the security and privacy
  • OpenSGX offers opportunity to leverage all components of SGX for the research
    – Hardware semantics (e.g., encryption scheme of MEE)
    – System software, enclave loader and user-level APIs
    – Redesigning unforeseen security applications (e.g., Tor)

SLIDE 44

Trend: Commoditization of TEE

  • Trusted Execution Environment (TEE): Hardware technology for trusted computing
  • Intel SGX: a promising TEE technology for generic applications
    – Native performance in the secure mode
    – Available on Intel Skylake and Kaby Lake CPU

[Figure labels: OS (untrusted); Application (untrusted); Secure container; Original; edit; Modified Tor code; Integrity checking → Prevents behavior modification; Cannot access data, flow control → Protects the secrecy of the program]

SLIDE 46

Tor network: Threat model (Cont.)

Directory authorities

  • Careful admission
  • Behavior monitoring
  • Having a large number of relays

Out-of-scope: network-level adversary (controls a large fraction of network)

  1. Currently runs ~10,000 relays
  2. Large-scale traffic correlation is believed to be very difficult in practice

[Figure labels: Tor client; Destination; Anonymity Broken!]

SLIDE 47

Tor network: Threat model (Cont.)

Out-of-scope: network-level adversary who can control a large fraction of Tor network

  1. Currently runs ~10000 relays
  2. Large-scale traffic correlation is believed to be very difficult in practice

However, Tor is still vulnerable to many types of attacks under its traditional threat model

  • Having a large number of relays

[Figure labels: Directory authorities; Tor client; Destination; Anonymity Broken!]

SLIDE 48

Limitations of Tor

Problem 1. Tor relays are semi-trusted
    – Authorities cannot fully verify the behaviors of them

Problem 2. Even if attackers control a few Tor relays, they can
    – Access internal information (circuit identifier, cell header, …)
    – Modify the behavior of relays (DDoS, packet tampering, …)

<Low-resource attacks>

Modifying the behavior; Accessing internal information

  • Malicious circuit creation [Security09, CCS11]
  • Sniper attack [NDSS15]
  • Bad apple attack [LEET11]
  • Harvesting hidden service descriptors [S&P13]
  • Circuit demultiplexing [S&P06]
  • Website fingerprinting [Security15]

Both

  • Tagging attack [ICC08, TON12, CCS12, S&P13]
  • Bandwidth inflation [PETS07, S&P13]
  • Controlling HSDir [S&P13]

SLIDE 49

Limitations of Tor (Cont.)

To address the problems on Tor,

  1) Fundamental trust bootstrapping mechanism
  2) Advanced trust model to verify untrusted remote parties

are required

[Figure labels: Tor clients; Entry; Middle; Exit; Destination; TLS channel (×3); Plain-text]

SLIDE 50

SGX-Tor: Leveraging Intel SGX on Tor

Improved trust model; Operational privacy; Practicality

  • Spells out what users trust in practice
  • Provides ultimate privacy
  • Protects sensitive data and Tor operations
  • Prevents modifications on Tor relays
  • The chance of having more hardware resources donated
  • Incrementally deployable
  • Compatibility

→ Reduces the power of an attacker who currently gets the sensitive information by running Tor relays
→ Raises the bar for Tor adversary to a traditional network-level adversary (only passively see the TLS bytestream)

[Figure labels: Intel SGX; Tor network; Middle; SGX-Tor]

SLIDE 51

SGX-Tor: Threat Model

  • Only trusts the underlying SGX hardware & Tor code itself
  • Does not address network-level adversaries who can perform large-scale traffic analysis
  • Out of scope: Vulnerabilities in Tor codes, SGX side channel attacks
    → Mitigated by recent SGX research: Moat [CCS16], SGX-Shield [NDSS17], T-SGX [NDSS17]

<SGX Threat model>: OS (untrusted); Application (untrusted); Enclave; CPU; TCB: Enclave + CPU package
<Tor Threat model>: Powerful network-level adversary: out-of-scope

SLIDE 52

New functionality: Automatic admission

  • Integrity verification of relays (Directory authority → Onion Router)
    – Automatically admits “unmodified” and “SGX-enabled” relays
    – Improved trust model: current implicit trust model turns into the explicit trust model

[Figure labels: Directory authority; Enclave; Expected hash; Remote Attestation; Tor relays; Nickname: OR1; Nickname: OR2; Nickname: OR3; Admit (match success); Attestation fail (not SGX-enabled); Attestation fail (bad hash); Consensus document (modified): name: OR1, BW: 20MB/s, fingerprint: ….]

NOTE: Tor uses the same binary for directory authorities, Tor relays, and client proxies

SLIDE 53

Incremental deployability

  • SGX-Tor’s basic assumption: “All relays and authorities are SGX-enabled”
  • SGX-Tor supports interoperability
    – Allows admission of non-SGX relays without remote attestation
    – SGX-enabled clients can get the list of SGX-Tor relays from SGX-enabled authorities

[Figure labels: Tor client; Entry; Middle; Exit; Destination; Directory authorities; Remote Attestation; Enclave]

SLIDE 54

Implementation detail

  • Engineering efforts
    – Support for Windows/Linux (based on Intel SGX SDK)
    – SGX-ported libraries: OpenSSL, libevent, zlibc
    – SGX-Tor is an open source: Available at https://github.com/KAIST-INA/SGX-Tor
  • Trusted Computing Base (TCB) size
    – TCB size of Haven: More than 200MB (maximum enclave size: 128MB in Windows)
    – 3.8x smaller (320K LoC vs 1,228K LoC) than Graphene (open source library OS for SGX)

SLIDE 55

Evaluation

  1) What kind of sensitive data of Tor is protected by SGX-Tor?
  2) What is the performance overhead of running SGX-Tor?
  3) How compatible and incrementally deployable is SGX-Tor with the current Tor network?

  • Environmental setup
    – SGX CPUs: Intel Core i7-6700 (3.4GHz) and Intel Xeon CPU E3-1240 (3.5GHz)
    – Configuration: 128MB Enclave Page Cache (EPC)
    – Running Tor in Windows, Firefox as a Tor browser (in the client proxy)
    – Establish a private Tor network using chutney

SLIDE 56

What is protected by SGX-Tor?

                             Current Tor   Network-level adversary   SGX-Tor
TCP/IP header                Visible       Visible                   Visible
TLS-encrypted bytestream     Visible       Visible                   Visible
Cell                         Visible       Not visible               Not visible
Circuit ID                   Visible       Not visible               Not visible
Voting result                Visible       Not visible               Not visible
Consensus document           Visible       Not visible               Not visible
Hidden service descriptor    Visible       Not visible               Not visible
List of relays               Visible       Not visible               Not visible
Private keys                 Visible       Not visible               Not visible

SLIDE 57

Performance evaluation (Cont.)

  • End-to-end client performance of SGX-Tor (using Tor browser)
    – Web latency: Visiting Alexa Top 50 websites
    – Hidden service: HTTP file server (downloading 10MB)

[Plot: cumulative probability vs. webpage loading time (s); SGX-Tor vs. original Tor]
[Plot: cumulative probability vs. hidden service throughput; SGX-Tor vs. original Tor]

Results shown: 3.3% degradation; 7.4% additional latency; SGX-Tor: 13.2s, Original: 12.2s; SGX-Tor: 1.30Mbps, Original: 1.35Mbps

SLIDE 58

Compatibility with vanilla Tor

  • Long-running: Admit SGX-Tor relays in the vanilla Tor
    – Collected results for two weeks

[Plots: Advertised bandwidth *; Middle selection probability; Network I/O bandwidth per second; SGX-Tor vs. original Tor]

Annotations in the figure: Fast; Stable; Listed in the consensus document; Actually selected by multiple Tor users; Serves Tor traffic well

* From https://collector.torproject.org/

SLIDE 59

Conclusion

  • We design and implement SGX-Tor by leveraging commodity TEE and demonstrate its viability
    – Gives moderate performance overhead
    – Shows its compatibility and possibility of incremental deployment
  • SGX-Tor enhances the security and privacy of Tor by
    – Defending against existing attacks on Tor
    – Bringing changes to the trust model of Tor
    – Providing new properties: automatic admission
  • Available at github! (https://github.com/KAIST-INA/SGX-Tor)

SLIDE 60

On-Going Work

  • Apply SGX to Network Function Virtualization
    – Running middleboxes on actual SGX-enabled CPU
    – Will be presented in APNet 2017 (SGX-Box)
  • Enhancing the security and privacy of software-defined inter-domain routing