partitioning system software for hardware enclaves
play

Partitioning System Software for Hardware Enclaves Chia-Che Tsai - PowerPoint PPT Presentation

May 20, 2023 •190 likes •330 views

Partitioning System Software for Hardware Enclaves Chia-Che Tsai Texas A&M University / Graphene Project / Anjuna Why Partition System Software? Target of Application enclave 1. Where is the partition boundary? Data Flow protection

  1. Partitioning System Software for Hardware Enclaves Chia-Che Tsai Texas A&M University / Graphene Project / Anjuna

  2. Why Partition System Software? Target of Application enclave 1. Where is the partition boundary? Data Flow protection (in both data & 2. How to declassify data? control planes) Language Runtime Libraries IO Devices (less trustworthy) Operating System

  3. Attack Surface vs TCB? Large attack surface Small attack surface Small TCB Large TCB System API System API Redirection Layer Guest OS Hypervisor interface Untrusted Host OS Untrusted Host OS Library OS / Unikernel Shim Layer (Graphene, SGX-LKL) (SCONE)

  4. Danger in A Partition Interface Iago attacks [ASPLOS 2013] Enclave Untrusted OS exploits semantic vulnerabilities misplaced in legacy applications Ex: Assuming PID and time are reliable source of entropy Legacy Application Pervasive threats in libraries, runtimes, even hypervisor. gettimeofday() getpid() Integral to design of systems Untrusted OS

  5. Partition for A Secure Interface Legacy System API (e.g., Linux System Calls) Secure Host Interface Potential DoS Secure Secure Secure Secure Secure Secure Boot Clock VM IO RPC Scheduling Files FIFOs Start proc Stack Yield Monotonic time Sockets Start thread Heap Poll Date / clock Signal/wait

  6. Partition for A Secure Interface Legacy System API (e.g., Linux System Calls) fork Secure Host Interface Potential DoS Secure Secure Secure Secure Secure Secure Boot Clock VM IO RPC Scheduling Files FIFOs Start proc Stack Yield Monotonic time Sockets Start thread Heap Poll Date / clock Signal/wait

  7. Partition for A Secure Interface Legacy System API (e.g., Linux System Calls) IPC fork (Message Queue, Semaphore, Signals, File locks) Secure Host Interface Potential DoS Secure Secure Secure Secure Secure Secure Boot Clock VM IO RPC Scheduling Files FIFOs Start proc Stack Yield Monotonic time Sockets Start thread Heap Poll Date / clock Signal/wait

  8. Partition for A Secure Interface Legacy System API (e.g., Linux System Calls) Async IPC fork IO (Message Queue, Semaphore, Signals, File locks) Secure Host Interface Potential DoS Secure Secure Secure Secure Secure Secure Boot Clock VM IO RPC Scheduling Files FIFOs Start proc Stack Yield Monotonic time Sockets Start thread Heap Poll Date / clock Signal/wait

  9. Graphene Open-Source Project h t t p s : / / g r a p h e n e p r o j e c t . i o / I N V I SI BLE T HI N G S LA B

  10. The Graphene Architecture 140 / 318 fork exec Virtual File System Signal SYS V IPC system calls Threading ELF Proc Chroot Pipe (core features) loader FS Socket Migration (Passthru) FS Namespace 63 KLOC Remote Procedure Call Virtual Memory Graphene LibOS Source code Graphene Host ABI (40 Calls ) With portable & secure semantics 1.4 MB Library size Container Port Non-Linux Platform Ports SGX Port + Shield Not just for enclaves

  11. Partition for Manage Languages Java App Target Partitioning across Sensitive system stack and components Execution is difficult Ideally you want to Example: Hadoop isolate out Language Runtime a minimum partition 6.3 MLoC Libraries 2.3 MLoC Operating System 0.9 MLoC

  12. Civet: Partitioned Java Software Stack Joint work with Raluca Ada Popa, Jeongseok Son (Berkeley), Don Porter, Bhushan Jan (UNC) Trusted JAR Partitioned Enclave (Contains only needed classes) JVM Mapper Partition Mapper Reducer Tool Reducer Load & Verify Defense RPC RPC Hadoop library Interface (6.3 MLoC) Mapper Reducer classes Untrusted JAR (Synthesized RPC interfaces) Job Job

  13. Conclusion System partitioning is a critical challenge: OS-level: Graphene library OS Emulating legacy system API on minimal secure abstractions Runtime-level: Civet framework for Java Static cross-stack partitioning + language defense & optimization h t t p s : / / g r a p h e n e p r o j e c t . i o s u p p o r t @ g r a p h e n e - p r o j e c t . i o

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Partitioning Introduction to Partitioning Mahapatra-Texas A&M-Spring02 1 System

Partitioning Introduction to Partitioning Mahapatra-Texas A&M-Spring02 1 System

Partitioning Introduction to Partitioning Mahapatra-Texas A&M-Spring02 1 System partitioning System level partitioning problem Assignment of operations to hardware or software Assignment of an operation to HW or SW determines

445 views • 18 slides
Hardware-Software Codesign 4. System Partitioning Lothar Thiele Swiss Federal Computer

Hardware-Software Codesign 4. System Partitioning Lothar Thiele Swiss Federal Computer

Hardware-Software Codesign 4. System Partitioning Lothar Thiele Swiss Federal Computer Engineering 4 - 1 Institute of Technology and Networks Laboratory System Design specification system synthesis estimation SW-compilation instruction

1.35k views • 40 slides
Hardware / Software / Analog System Partitioning with SysML and SystemC-AMS Daniela Genius and

Hardware / Software / Analog System Partitioning with SysML and SystemC-AMS Daniela Genius and

Hardware / Software / Analog System Partitioning with SysML and SystemC-AMS Daniela Genius and Ludovic Apvrille daniela.genius@lip6.fr Paris Sorbonne University ERTS 2020 Context and Problematic Basic Concepts Contribution Case Study

507 views • 25 slides
Hardware Enclaves & In Intel SGX CS261 Hardware Enclaves HW abstractions for

Hardware Enclaves & In Intel SGX CS261 Hardware Enclaves HW abstractions for

Hardware Enclaves & In Intel SGX CS261 Hardware Enclaves HW abstractions for distributing trusted execution to untrusted platforms 2 Hardware Enclaves HW abstractions for distributing trusted execution to untrusted platforms

1.06k views • 18 slides
The Design of Malware on Modern Hardware Malware inside Intel SGX enclaves Jeroen van Prooijen

The Design of Malware on Modern Hardware Malware inside Intel SGX enclaves Jeroen van Prooijen

The Design of Malware on Modern Hardware Malware inside Intel SGX enclaves Jeroen van Prooijen University of Amsterdam 29th June 2016 Introduction 2/18 What is Intel SGX? Intel Software Guard Extension (SGX) A vault (enclave) to

353 views • 19 slides
Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process

Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process

Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process Service Untrusted (IAS) Enclave Enclave Code Trusted Process Process Enclave Other Data Enclave OS and/or Hypervisor Off-chip devices 2

531 views • 24 slides
Whats new? Calibration Hardware IAEA Acquisition software Hardware and Software Upgrade for

Whats new? Calibration Hardware IAEA Acquisition software Hardware and Software Upgrade for

Hardware and Software Upgrade for the Solution Measurement and Monitor System at Rokkasho Reprocessing Plant R.Plenteda, A.Alessandrello, M.Frankl, W.Deringer, M.Lang, M.Cronholm, K.Baird, D.Breban, C.Creusot International Atomic Energy Agency

705 views • 17 slides
Commission Meeting Gaming System Software and Hardware January 13, 2016 Background Existing

Commission Meeting Gaming System Software and Hardware January 13, 2016 Background Existing

Massachusetts State Lottery Commission Meeting Gaming System Software and Hardware January 13, 2016 Background Existing host system was installed in 1997 Integrated system that requires specific terminal hardware Existing hardware

308 views • 19 slides
Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond

Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond

Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond Cheng, Dawn Song | UC Berkeley & Oasis Labs with support from the TVM team and community! Ideal: data providers pool data to train a large, complex

1.41k views • 58 slides
software and hardware for the Internet of Things. Choose hardware Design hardware Design

software and hardware for the Internet of Things. Choose hardware Design hardware Design

Zeidman Technologies has created a fundamentally new way to develop embedded software and hardware for the Internet of Things. Choose hardware Design hardware Design software Initial hardware choices determine Integrate functionality and

185 views • 15 slides
Reconfigurable Computing Reconfigurable Computing Partitioning Partitioning Chapter 5 Chapter

Reconfigurable Computing Reconfigurable Computing Partitioning Partitioning Chapter 5 Chapter

Reconfigurable Computing Reconfigurable Computing Partitioning Partitioning Chapter 5 Chapter 5 Prof. Dr.- -Ing. Jrgen Teich Ing. Jrgen Teich Prof. Dr. Lehrstuhl fr Hardware- -Software Software- -Co Co- -Design Design

527 views • 51 slides
Oblivious Coopetitive Analytics Using Hardware Enclaves Ankur Dave , Chester Leung, Raluca Ada

Oblivious Coopetitive Analytics Using Hardware Enclaves Ankur Dave , Chester Leung, Raluca Ada

Oblivious Coopetitive Analytics Using Hardware Enclaves Ankur Dave , Chester Leung, Raluca Ada Popa, Joseph E. Gonzalez, Ion Stoica (UC Berkeley) EuroSys 2020 April 28, 2020 The need for coopetitive analytics Analytics can extract value

733 views • 20 slides
Introduction to Computers and Programming Hardware Software Computer languages

Introduction to Computers and Programming Hardware Software Computer languages

Introduction to Computers and Programming Hardware Software Computer languages Compiling and running 1 Computer Basics A computer system consists of both hardware and software . Hardware - the physical components.

471 views • 17 slides
BACKEND DESIGN Circuit Partitioning Partitioning System Design Decomposition of a complex

BACKEND DESIGN Circuit Partitioning Partitioning System Design Decomposition of a complex

BACKEND DESIGN Circuit Partitioning Partitioning System Design Decomposition of a complex system into smaller subsystems. Each subsystem can be designed independently. Decomposition scheme has to minimize the interconnections

643 views • 10 slides
Background MapReduce Model SCOPE Language and Cosmos system Advanced partitioning

Background MapReduce Model SCOPE Language and Cosmos system Advanced partitioning

Nian Ke David R . Cheriton School of Computer Science University of Waterloo Background MapReduce Model SCOPE Language and Cosmos system Advanced partitioning techniques Partial Partitioning Hash-Based Partitioning

543 views • 26 slides
Embedded systems: Nios II Software development Nios II system development flow Hardware

Embedded systems: Nios II Software development Nios II system development flow Hardware

Embedded systems: Nios II Software development Nios II system development flow Hardware generation process Platform designer to configure and generate a NIOS II system Software creation process NIOS II software build tools for

360 views • 20 slides
CENG5030 Part 2-4: CNN Inaccurate Speedup-2 - Quantization Bei Yu (Latest update: March 25,

CENG5030 Part 2-4: CNN Inaccurate Speedup-2 - Quantization Bei Yu (Latest update: March 25,

CENG5030 Part 2-4: CNN Inaccurate Speedup-2 - Quantization Bei Yu (Latest update: March 25, 2019) Spring 2019 1 / 9 These slides contain/adapt materials developed by Suyog Gupta et al. (2015). Deep learning with limited numerical

641 views • 61 slides
Stability and Scalability in Global Rou0ng S. K. Han 1 ,

Stability and Scalability in Global Rou0ng S. K. Han 1 ,

Stability and Scalability in Global Rou0ng S. K. Han 1 , K. Jeong 1 , A. B. Kahng 1,2 and J. Lu 2 1 ECE Department, UC San Diego 2 CSE Department,

443 views • 17 slides
1 Last class: Process Creation Today: Process Management 2 Process Description 3

1 Last class: Process Creation Today: Process Management 2 Process Description 3

1 Last class: Process Creation Today: Process Management 2 Process Description 3 Process State What do we need to track about a process? 4 Process Control Block Main Memory (RAM) Process id OS Program Counter Other

888 views • 40 slides
Functions and procedures Rules of Processing Problem statement (short form) ;; Data Definition

Functions and procedures Rules of Processing Problem statement (short form) ;; Data Definition

Functions and procedures Rules of Processing Problem statement (short form) ;; Data Definition ;; Example data: ;; num: 0, -6, 41, 7.2 ;; ;; count-posts: num * num -> num ;; inputs: ;; width, an integer, the number of posts along one

574 views • 39 slides
Towards Scalable Application Checkpointing with Parallel File System Delegation Dulcardo Arteaga

Towards Scalable Application Checkpointing with Parallel File System Delegation Dulcardo Arteaga

Towards Scalable Application Checkpointing with Parallel File System Delegation Dulcardo Arteaga Ming Zhao darte003@fiu.edu ming@cs.fiu.edu School of Computing and Information Sciences Florida International University Miami, FL High

430 views • 38 slides
GHUMVEE: Efficient, Effective and Flexible Replication Stijn Volckaert Computer Systems Lab

GHUMVEE: Efficient, Effective and Flexible Replication Stijn Volckaert Computer Systems Lab

Vakgroep ELIS GHUMVEE: Efficient, Effective and Flexible Replication Stijn Volckaert Computer Systems Lab Ghent University Belgium N-modular Redundancy variant 1 input variant 2 monitor output variant 3 equivalent components 2

450 views • 16 slides
CS 140: Models of parallel programming: Distributed memory and MPI Technology Trends:

CS 140: Models of parallel programming: Distributed memory and MPI Technology Trends:

CS 140: Models of parallel programming: Distributed memory and MPI Technology Trends: Microprocessor Capacity Gordon Moore (Intel co-founder) Moore s Law: # transistors / chip predicted in 1965 that the doubles every 1.5 years transistor

362 views • 22 slides
Object-oriented Packet Caching for ICN Yannis Thomas, George Xylomenos, Christos Tsilopoulos,

Object-oriented Packet Caching for ICN Yannis Thomas, George Xylomenos, Christos Tsilopoulos,

Object-oriented Packet Caching for ICN Yannis Thomas, George Xylomenos, Christos Tsilopoulos, George C. Polyzos Mobile Multimedia Laboratory Department of Informatics School of Information Sciences and Technology Athens University of

522 views • 29 slides

More recommend