the Security of TEEs Master-Thesis of Fritz Alder In cooperation - - PowerPoint PPT Presentation

Fachbereich Informatik | Security Engineering Group | Prof. Katzenbeisser | 1

Master-Thesis of Fritz Alder In cooperation with Aalto University, Finland

TEE² – Combining Trusted Hardware to Enhance the Security of TEEs

Supervisor: Prof. Katzenbeisser Supervisor at Aalto University: Dr. Andrew Paverd and Prof. Asokan

2

Motivation

• Trusted Execution Environments (TEEs) provide isolated execution of

security sensitive pieces of code that can be attested by remote parties.

➢ TEEs have the potential to ensure security in cloud computing environments

• Real-world TEEs and their implementations are prone to attacks and bugs

➢ Trust in real-world TEEs is difficult to achieve, possibly slowing down adoption

➢ Can we combine multiple TEEs to achieve security even if all but one TEE is compromised?

3

Trusted Execution Environment (TEE)

TEE REE TA1

Physical host

• Separated from

Rich Execution Environment (REE)

• Executes Trusted

Applications (TAs)

• Provides:
• Code integrity
• Isolated execution
• Sealed data
• TEE attestation
• Code integrity verified by TEE (e.g. with certificates)
• No direct access to TAs from REE
• Access only through predefined call-gates

TA1 execute

4

Trusted Execution Environment (TEE)

1

Remote attestation Sealed storage

TEE REE TA1

Physical host

No access from REE

TA2

No access from other TAs

2

• Separated from

Rich Execution Environment (REE)

• Executes Trusted

Applications (TAs)

• Provides:
• Code integrity
• Isolated execution
• Sealed data
• TEE attestation

5

System model – Ideal TEE

• Similar to Honest but Curious

cloud provider model:

• User communicates with TEE
• Adversary has full control of host
• Adversary has no interest in DoS
• Adversary goal: Undermine any
• f the four TEE properties

TEE Host

Secure channel Access to host User Adversary

• Code integrity
• Isolated execution
• Sealed data
• TEE attestation

6

Real-world TEE adversaries

Weak attacker

• Compromises TEE confidentiality

➢ Can read run-time secrets and sealed data ➢ But: Can not fake attestations or impact TEE integrity Strong attacker

• Compromises TEE confidentiality

and integrity

• Has access to architectural secrets
• r can influence TEE integrity

➢ Can fully impersonate the TEE

W S

7

Combined TEE – Design

• User communicates with two

unique TEEs

• Adversary has full control over

both untrusted hosts

• Adversary can choose to

compromise any TEE

• User stays unware of choice
• Combined TEE remains secure

as long as at least one TEE is uncompromised

Combined TEE

Secure channel to both TEEs

TEE Host

Access to all hosts User Adversary

TEE Host

Can compromise

• ne TEE by

choice

8

Random Number Generation

Goal: 1. Generate a random string.. 2. ...that is unknown by an attacker 3. ...and can be attested by remote parties as being actually randomly generated

TEE TEE

request response + attestation combine responses + attestations

9

Random Number Generation – weak adversary

Goal: 1. Generate a random string.. 2. ...that is unknown by an attacker 3. ...and can be attested by remote parties as being actually randomly generated

TEE TEE

request response + attestation combine responses + attestations

W

10

Random Number Generation – weak adversary

Goal: 1. Generate a random string.. 2. ...that is unknown by an attacker 3. ...and can be attested by remote parties as being actually randomly generated

TEE

request response + attestation combine responses + attestations

W

TEE

11

Random Number Generation–strong adversary

Goal: 1. Generate a random string.. 2. ...that is unknown by an attacker 3. ...and can be attested by remote parties as being actually randomly generated

TEE

request response + attestation combine responses + attestations

S

TEE

12

Random Number Generation–strong adversary

Goal: 1. Generate a random string.. 2. ...that is unknown by an attacker 3. ...and can be attested by remote parties as being actually randomly generated

TEE

request response + attestation combine responses + attestations

S

TEE

request true random request calculated response

13

Random Number Generation–strong adversary

Goal: 1. Generate a random string.. 2. ...that is unknown by an attacker 3. ...and can be attested by remote parties as being actually randomly generated

TEE TEE

request commitment bind to commitment combine responses + attestations reveal Check commitments

14

Random Number Generation–strong adversary

TEE TEE

bind to commitment chain reveal

TEE TEE

combine request commitment

15

Random Number Generation–strong adversary

TEE

request commitment bind to commitment chain reveal combine

TEE TEE TEE

S S S

TEE

16

Protocol Design

• Combined TEE protocols differ from Ideal TEE

protocols

• No TEE can have knowledge of or control over

any part of a secret

• Instead, protocols need to protect against

compromised TEEs

• Defined a range of utility, one-party, and two-

party protocols

• Key Exchange
• Messaging
• Random Number Generation

TEE TEE

S

• ElGamal operations
• Signing
• Store-and-forward
• Oblivious Transfer

17

ElGamal operations – key generation

Goal: 1. Operate on private keys held by the TEEs... 2. ...that are attestable 3. ...and can not be learned during decryption 4. ...but can be used for confidential messages to the user

TEE TEE

request key generation combine public keys return public keys private key private key responses + attestations

18

ElGamal operations – decryption

Goal: 1. Operate on private keys held by the TEEs... 2. ...that are attestable 3. ...and can not be learned during decryption 4. ...but can be used for confidential messages to the user

TEE TEE

request decryption combine shares return decryption shares Ciphertext C private key private key

19

ElGamal operations – decryption

Goal: 1. Operate on private keys held by the TEEs... 2. ...that are attestable 3. ...and can not be learned during decryption 4. ...but can be used for confidential messages to the user

TEE

request decryption combine shares return decryption shares Ciphertext C private key private key

TEE S

20

ElGamal operations – decryption

Goal: 1. Operate on private keys held by the TEEs... 2. ...that are attestable 3. ...and can not be learned during decryption 4. ...but can be used for confidential messages to the user

TEE

request decryption combine shares return decryption shares Ciphertext C private key private key

TEE S

y1 = x1 * G ; y2 = x2 * G ; Y = y1 + y2 ; C1 = k*G ; C2 = M + k*x1*G + k*x2*G C = (C1,C2); d1 = -x1 * C1 ; d2 = -x2 * C1 ; M = C2 + d1 + d2

21

Two-party protocols

• Both parties can try to cheat and can compromise N-1 TEEs
• ..but do not collaborate
• Protocols require active participation from both users
• More than a simple attestation verification

TEE TEE

A B

22

Policy based store-and-forward

TEE TEE

request secret Split secret (XOR) store secret reveal secret A B Goal: 1. Secretly share data with user B 2. Only B can reveal the secret 3. B can not reveal the secret if a policy is not matched check policy check policy

Jump to implementation

23

Oblivious transfer – ideal version

A has a list L of n items Goals: 1. B can select up to m items 2. B should not learn more than m items 3. A should not learn B‘s choices (except the value of m) 4. No third party should learn any items or choices

TEE

A send L choose m items B

24

Oblivious transfer – Combined TEE

TEE TEE

request m keys establish n keys A has a list L of n items Goals: 1. B can select up to m items 2. B should not learn more than m items 3. A should not learn B‘s choices (except the value

• f m)

4. No third party should learn any items or choices A B encrypt L with keys send encrypted L check policy check policy reveal m keys

25

Oblivious transfer – Combined TEE

TEE TEE

A has a list L of n items Goals: 1. B can select up to m items 2. B should not learn more than m items 3. A should not learn B‘s choices (except the value

• f m)

4. No third party should learn any items or choices A B check policy check policy establish n keys encrypt L with keys send encrypted L request m keys reveal m keys

26

Oblivious transfer – Combined TEE

TEE TEE

A has a list L of n items Goals: 1. B can select up to m items 2. B should not learn more than m items 3. A should not learn B‘s choices (except the value

• f m)

4. No third party should learn any items or choices A B send encrypted L check policy check policy request m keys reveal m keys establish n keys encrypt L with keys

?

27

Oblivious transfer – Combined TEE

TEE TEE

A has a list L of n items Goals: 1. B can select up to m items 2. B should not learn more than m items 3. A should not learn B‘s choices (except the value

• f m)

4. No third party should learn any items or choices A B send encrypted L check policy check policy request m keys reveal m keys establish n keys encrypt L with keys

• 1. Involve B
• 2. Shuffle keys

28

Oblivious transfer – Combined TEE

TEE TEE

A has a list L of n items Goals: 1. B can select up to m items 2. B should not learn more than m items 3. A should not learn B‘s choices (except the value

• f m)

4. No third party should learn any items or choices A B send encrypted L check policy check policy request m keys reveal m keys encrypt L with keys Offline phase → Establish n keys slow

29

Verification & Implementation

• Formally verified subset of protocols with the Tamarin Prover
• Key exchange & RNG with weak adversary
• Comparing security properties of Combined TEE protocols to security

properties of Ideal TEE protocols

• Implemented subset of protocols with Intel SGX
• Key exchange, both RNG protocols, and signature generation
• Based on C++ (SGX) and Python (Client)
• Passing JSON strings to exchange requests and responses

30

Evaluation

1 2 3 4 5 6 7 8 9 # of TEEs 0.0 0.1 0.2 0.3 0.4 0.5

Key exchange Randomness strong adversary Randomness weak adversary

31

Future work

• Explore different system models
• Small and Big TEE instead of system of equals
• ARM Trustzone + Intel SGX
• Key management enclave + disk encryption enclave
• System of TEEs for safety and reliability
• E.g. TEEs in a car: Parts may fail frequently
• Port complex applications
• Only cryptographic building blocks so far
• No real-world use case

TEE

TEE TEE TEE TEE

32

Summary

• TEEs have great potential
• 2 types of real-world adversaries exist: Weak and strong attackers
• Combined TEE alleviates impact of compromises
• Range of protocols for arbitrary many cooperating TEEs:

RNG, PK-Encryption, Signing, Store and forward, Oblivious Transfer

• Subset of protocols formally verified with Tamarin prover
• Implementation based on Intel SGX and Python
• Shows a reasonable performance overhead for cryptographic building blocks
• Future work: Port complex applications, explore different TEE² scenarios

(big-small TEE combination, multiple TEEs for safety and reliability, etc)

33

Oblivious transfer – Offline phase

A

Random t1, t2 Random A1,..,An

TEE

Random Q1,..,Qn

TEE

Random R1,..,Rn

B

Random permutation

[𝑢1⊕ A1, 𝑢1 ⊕ A2, … ] [𝑢2⊕ A1, 𝑢2 ⊕ A2, … ] [𝑢1⊕ A1 ⊕ Q1, … ] [𝑢1⊕ A1 ⊕ 𝑆1, … ]

Combine: [𝑢1 ⊕ t2 ⊕ Q1 ⊕ R1, … ] Permute Eliminate 𝑢1 ⊕ t2 →Permuted [Q1 ⊕ R1, …]

Permuted list

But: B should not see keys in plain! → Hide with homomorphic encryption

35

Signing

Goal: 1. Operate on private signing keys held by the TEEs... 2. ...that are attestable and linkable to these TEEs

TEE TEE

request signature return signature Both signatures + attestations require all signatures to verify