towards an open source formally verified secure processor
play

Towards an Open-Source, Formally-Verified Secure Processor Srini - PowerPoint PPT Presentation

Sep 07, 2023 •514 likes •959 views

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts Institute of Technology Architectural Isolation of Processes Fundamental to maintaining correctness and privacy! 2 Performance Dictates

  1. Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts Institute of Technology

  2. Architectural Isolation of Processes Fundamental to maintaining correctness and privacy! 2

  3. Performance Dictates Microarchitectural Optimization Isolation Breaks Because of Shared Microarchitectural State! 3

  4. Building a Transmitter Domain of Victim Attacker Transmitter Receiver Access Channel Secret Secret Pre-existing (RSA conditional execution example) Written by attacker (Meltdown) Synthesized out of existing victim code by attacker (Spectre) 4

  5. Side Channels Gone Wild! • Real systems: large, complex, cyberphysical (not secure) sharing! sharing! • Introducing a spy: CPU DRAM Ctrl. DRAM L1 $ Thread L2 $ OS L3 $ App Main Chipset users! sharing! board Hypervisor, Bios Disk Network admins! vendors! admins! users! 5

  6. Philosophy Build enclaves on an enclave platform, not just processes 6

  7. Enclaves strengthen the process abstraction • Processes guarantee isolation of memory • Enclaves provide a stronger guarantee – No other program can infer anything private from the enclave program through its use of shared resources or shared microarchitectural state • Largely decouple performance considerations from security • Minimally invasive hardware changes • Provable security under chosen threat model 7

  8. A Typical Computer Trusted Computing Base Software… ! … Running on hardware ! TRUSTED ! (Ring 3) ! CPU ! App ! App ! Secure App ! DRAM Ctrl. ! ! L1 $ ! DRAM ! Thread ! L2 $ ! Privelege ! TRUSTED ! L3 $ ! OS Kernel (Ring 0) ! Hypervisor (Ring 0, VMX root) ! Main ! Chipset ! board ! BIOS (SMM) ! Disk ! Network !

  9. Single-Chip Secure Processor: Shrink the TCB • From Edward Suh’s ICS 2003 Talk Trusted Protect Protected Environment Software I/O Identify Memory • Enclave assumes trusted hardware + trusted software “monitor” • Operating system is untrusted 9

  10. Enclave Lifecycle (simplified) Enclave Untrusted binary image software (OS) Load enclave � � � Create enclave, Seal Grant resources enclave Enclave Enclave Enclave Enclave Enclave binary binary image image Enclave has a Enclave can no measurement for longer be modified 10 attestation from outside

  11. Enclave Lifecycle (simplified) Enclave Untrusted binary image software (OS) Platform erases (flushes) Load � sensitive state Enter enclave � � � enclave Create enclave, Seal Grant resources enclave (enclave executes in a strongly isolated environment) � Exit enclave 11

  12. Strong Isolation Goal • Any attack by a privileged attacker on the same machine as the victim that can extract a secret inside the victim enclave, could also have been run successfully by an attacker on a different machine than the victim. – No protection against an enclave leaking its own secrets through its public API. • Three strategies for isolation: Spatial isolation, temporal isolation and cryptography 12

  13. Sanctum Design Victor Costan, Ilia Lebedev Sanctum: Minimal Hardware Extensions for Strong Software Isolation

  14. Software Stack Measurement Root Machine Security Monitor Hypervisor Hypervisor Enclave multiplexing Operating System Supervisor Enclave management Host Application Enclave Enclave setup User Enclave syscall shims Sanctum-aware runtime Non-sensitive code and data Sensitive code and data

  15. Software Stack Measurement Root Machine Security Monitor Hypervisor Hypervisor Enclave multiplexing Operating System Supervisor Enclave management Host Application Enclave Enclave setup User Enclave syscall shims Sanctum-aware runtime Non-sensitive code and data Sensitive code and data

  16. Target: multi-core processor (no hyperthreading, no speculation) Core Core DDR3 L2 Cache L2 Cache QPI Link Channel CBox CBox QPI Ring to L3 Cache L3 Cache Packetizer QPI L3 Cache Slice Slice Home Memory Agent Controller L3 Cache L3 Cache UBox Ring to Slice Slice PCIe I/O Controller CBox CBox L2 Cache L2 Cache PCIe Lanes Core Core

  17. Microarchitectural State Isolation in Sanctum Enclaves • Resources exclusively granted to an enclave, and scheduled at the granularity of process context switches are isolated temporally – Register files, branch predictors, private caches, and private TLBs • Resources shared between processes on- demand, with arbitrarily small granularity are isolated spatially by partitioning – Shared caches and shared TLBs 17

  18. Operating System Manages Page Tables Address Physical Virtual Translation Address Space Address Space Virtual Physical Mapping Address Address System bus Page Software DRAM Tables

  19. Practical Software Attack on SGX “Simulators” • Microsoft Research, IEEE S&P 2015: Exploit no-noise side channel due to page faults 19

  20. Page Table Isolation Physical Memory Enclave B Virtual Enclave A Virtual OS region Address Space Address Space OS page tables Host application Host application space Enclave A region space Enclave A page tables EVRANGE A EVRANGE B Enclave B region Enclave B page tables Host application Host application space space OS region Enclave A region

  21. Partitioning to Prevent Timing Attacks Memory Address Address Tag Set Index Line Offset n-1…s+l s+l-1…l l-1…0 Enclave Set 0, Way 0 Set 0, Way 1 … Set 0, Way W-1 Set 1, Way 0 Set 1, Way 1 … Set 1, Way W-1 ⋮ ⋮ ⋱ ⋮ OS Set i, Way 0 Set i, Way 1 … Set i, Way W-1 ⋮ ⋮ ⋱ ⋮ Set S-1, Way 0 Set S-1, Way 1 … Set S-1, Way W-1 21

  22. Page Coloring Address bits covering the maximum addressable physical space of 2 MB Address bits used by 256 KB of DRAM Cache Set Index DRAM Stripe DRAM Region Cache Index Index Line O ff set 20 18 17 15 14 12 11 6 5 0 Cache Tag Page O ff set Physical page number (PPN)

  23. Normal DRAM Sanctum DRAM page colors page colors / regions 0 0 Page Colors LLC set colors = DRAM Regions MEMTOP MEMTOP Region 0 Region 1 Region 2 Region 3 Region 4 Region 5 Region 6 Region 7

  24. Normal DRAM Sanctum DRAM Page Colors page colors page colors / regions 0 0 = LLC set colors DRAM Regions A little bit-shifting gets us a large contiguous DRAM region MEMTOP MEMTOP Region 0 Region 1 Region 2 Region 3 Region 4 Region 5 Region 6 Region 7

  25. Sanctum Secure Processor No Speculation, No Hyperthreading RISCV Rocket Core, Changes required by Sanctum (+ ~2% of core) Also requires 9 new config registers

  26. Formally Verifying Enclaves Pramod Subramanyan, Rohit Sinha, Ilia Lebedev, Sanjit Seshia A Formal Foundation for Secure Remote Execution of Enclaves

  27. Rigorously modeling the adversary Adversary := set of ops an attacker can use to tamper with or observe enclave state. Any combination of these can be used at any time. Threat model := ∪ (observation function, tamper function, model initial state) 27

  28. Abstract Enclaves An entity that can perform a well-defined set of TAP actions, and has these properties: Measurement := Different enclaves have different measurements (also inverse) Integrity := Modelled attacker cannot affect enclave state Confidentiality := Modelled attacker cannot observe enclave state 28

  29. Proving Statements with the TAP There is no “processor”. There aren’t cores. The proof describes a CFG with “forks”. Proof searches this graph for a path that violates an invariant. Do an attacker action Init Check operations invariants Do a victim action Threat model = TAP API + space of attacker actions 29

  30. Refinement Proofs • SGX refines TAP, i.e., every operation is SGX is an operation in TAP • Caveat: For a limited observation function • Sanctum refines TAP for a more powerful observation function 30

  31. Sanctum Status and Current Limitations • We have built an open-source Sanctum based on the RISC-V ISA – Low performance and area overhead to support enclaves – Ongoing formal verification effort • Sanctum is an academic, lightweight processor • Apply its design philosophy to speculative out-of-order (OOO) processors, which need to protect against Spectre-style attacks 31

  32. MI6 Design Thomas Bourgeat, Ilia Lebedev, Andrew Wright, Sizhuo Zhang, Arvind MI6: Secure Enclaves in a Speculative Out-of-Order Processor

  33. RiscyOO Processor ROB Commit ALU pipeline Reg Reg Issue Exec Fetch ALU IQ Bypass Read Write Physical Reg File MEM pipeline Rename Rename Reg Addr Update Issue MEM IQ Table Read Calc LSQ Speculation L1 D TLB Manager Load-Store Unit Epoch Deq LSQ (LQ + SQ) Manager Resp Issue Resp Issue Store Scoreboard Ld Ld St St Buffer Front-end L1 D$ 33 Last Level Cache

  34. RiscyOO Processor ROB Commit ALU pipeline Reg Reg Issue Exec Fetch ALU IQ Bypass Read Write Not speculating during entire program results in Physical Reg File MEM pipeline Rename average 3X slowdown! Rename Reg Addr Update Issue MEM IQ Table Read Calc LSQ Speculation L1 D TLB Manager Load-Store Unit Epoch Deq LSQ (LQ + SQ) Manager Resp Issue Resp Issue Store Scoreboard Ld Ld St St Buffer Front-end L1 D$ 34 Last Level Cache

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Roberto Guanciale Mads Dam Hamed Nemati Christoph Baumann Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified Platforms Caches Excluded Formally Verified from the analysis Platforms Caches Excluded

675 views • 64 slides
Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint

Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint

Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint work with: Ivan De Oliveira Nunes 1 , Karim Eldefrawy 2 , Norrathep Rattanavipanon 1 University of California Irvine 1 , SRI International 2 1 In

847 views • 48 slides
Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1.

Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1.

Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1. CEDRIC-ENSIIE, Evry, France 2. Certus V&V Center, SIMULA RESEARCH LAB., Lysaker, Norway Dagstuhl Seminar 15381 1 / 23 Formally verified

501 views • 28 slides
Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime

Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime

Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime Dns Nick Giannarakis Ctlin Hricu Benjamin C. Pierce Antal Spector-Zabusky Andrew Tolmach May 20, 2015 1 How can we design secure

900 views • 79 slides
Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 1 / 22 in WebAssembly Jonathan Protzenko Microsoft Research Benjamin Beurdouche INRIA

1.5k views • 57 slides
Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda What is Verified Boot? Description of Verified Boot Components Q&A What Is Verified Boot? Verified Boot establishes a chain of

432 views • 19 slides
Towards A Formally Verified Network-on-Chip Tom van den Broek 1 Julien Schmaltz 12 1 Institute for

Towards A Formally Verified Network-on-Chip Tom van den Broek 1 Julien Schmaltz 12 1 Institute for

Towards A Formally Verified Network-on-Chip Tom van den Broek 1 Julien Schmaltz 12 1 Institute for Computing and Information Sciences Radboud University Nijmegen The Netherlands 2 School of Computer Science Open University The Netherlands

778 views • 62 slides
A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo

A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo

A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo and F .-J. Mart n-Mateos Computational Logic Group Dept. of Computer Science and Artificial Intelligence University of Seville A Formally

356 views • 32 slides
Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of

Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of

Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of Cambridge Twenty Years of the QED Manifesto Vienna Summer of Logic, 2014 HOL Verified Goals of the Project An implementation of HOL Light 1. that runs

428 views • 13 slides
VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina

VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina

VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina Argyraki, George Candea Formally verify a stateful NF with competitive performance and reasonable human effort 2 Formally verify a stateful NF with

836 views • 81 slides
Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer ,

Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer ,

Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer , Vincent Rahli, Ivana Vukotic, Marcus Vlp, Andr Platzer Thanks to: Johannes Hlzl, Fabian Immler, Tobias Nipkow, et. al. + Coquelicot team

540 views • 38 slides
THEIA GPU Open Source multicore programmable GPU Problem Statement Develop an open source 3D

THEIA GPU Open Source multicore programmable GPU Problem Statement Develop an open source 3D

THEIA GPU Open Source multicore programmable GPU Problem Statement Develop an open source 3D Graphic Processor (GPU). Develop a high level language to program the GPU. Provide all of the necessary tools, test-bench and regressions.

411 views • 18 slides
A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu

A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu

A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu Rochester Institute of Technology Rochester, NY, USA FMCAD-18 Student Forum David E. Narv aez (RIT) Formally Verified Symmetry Breaking Tool FMCAD-18

215 views • 6 slides
Leading ticketing to open source A challenge for Calypso Calypso, an Open and Secure Contactless

Leading ticketing to open source A challenge for Calypso Calypso, an Open and Secure Contactless

Leading ticketing to open source A challenge for Calypso Calypso, an Open and Secure Contactless Ticketing Standard Calypso deployement 125 cities & regions 25 countries 150 million transportation smart cards 490 000 readers Challenges

287 views • 16 slides
Formal Verification of an Open-Source Secure Enclave Pranav Gaddamadugu pranavsaig@berkeley.edu

Formal Verification of an Open-Source Secure Enclave Pranav Gaddamadugu pranavsaig@berkeley.edu

Formal Verification of an Open-Source Secure Enclave Pranav Gaddamadugu pranavsaig@berkeley.edu Problem Definition Verifying hyperproperties about the Keystone Security monitor Secure Remote Execution (SRE) : a 2-safety hyperproperty

446 views • 10 slides
The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser |

The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser |

The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser RTCSA Keynote, Aug20 https://trustworthy.systems What Is Needed For Mixed-Criticality? During a

539 views • 29 slides
Outline of Program Universal Designers & Consultants, Inc. 1. Tools UDConsultants.com

Outline of Program Universal Designers & Consultants, Inc. 1. Tools UDConsultants.com

8/19/2015 Accessibility Survey Techniques John Salmen, AIA Andrew Yarrish, AIA Universal Designers & Consultants, Inc. www.UDConsultants.com Outline of Program Universal Designers & Consultants, Inc. 1. Tools UDConsultants.com

437 views • 33 slides
= Languages Accepted by NPDAs Accept (Grammars) NPDAs Context-Free Languages 1 Proof - Step

= Languages Accepted by NPDAs Accept (Grammars) NPDAs Context-Free Languages 1 Proof - Step

Review Languages and Grammars Alphabets, strings, languages Regular Languages CS 301 - Lecture 13 Deterministic Finite and Nondeterministic Automata Equivalence of NFA and DFA Converting NPDAs to Grammars Regular

485 views • 15 slides
What is Gifted? Characteristics & Identification Cynthi hia G a Galindo Instr tructi

What is Gifted? Characteristics & Identification Cynthi hia G a Galindo Instr tructi

Slide 1 What is Gifted? Characteristics & Identification Cynthi hia G a Galindo Instr tructi tional O Offi fficerAdvanced A Academi mic S c Service ces Slide 2 Sources of GT Information in KISD Klein ISD GT Website

492 views • 14 slides
MATH 20: PROBABILITY Markov Chain Xingru Chen xingru.chen.gr@dartmouth.edu XC 2020 Random

MATH 20: PROBABILITY Markov Chain Xingru Chen xingru.chen.gr@dartmouth.edu XC 2020 Random

MATH 20: PROBABILITY Markov Chain Xingru Chen xingru.chen.gr@dartmouth.edu XC 2020 Random Walk 4 1 3 5 2 A ra walk is a mathematical object, known as a stochastic or random process, random that describes a path that

572 views • 30 slides
Affine variety codes are better than their reputation Olav Geil Aalborg University (joint with

Affine variety codes are better than their reputation Olav Geil Aalborg University (joint with

Affine variety codes are better than their reputation Olav Geil Aalborg University (joint with Stefano Martin) Special Semester on Applications of Algebra and Number Theory Algebraic Curves over Finite Fields RICAM November 2013 Olav Geil,

469 views • 27 slides
Lecture 3: Multivariate Regression Homework review Question C2.4 ask you to estimate a simple

Lecture 3: Multivariate Regression Homework review Question C2.4 ask you to estimate a simple

Lecture 3: Multivariate Regression Homework review Question C2.4 ask you to estimate a simple bivariate regression using IQ to predict wages. In Stata this looks like . reg wage IQ not . reg IQ wage What does the latter command

534 views • 30 slides
IEEE-SA P2020 Kick-Off Meeting 20 September 2016, AutoWorld, Brussels, Belgium Agenda Call

IEEE-SA P2020 Kick-Off Meeting 20 September 2016, AutoWorld, Brussels, Belgium Agenda Call

IEEE-SA P2020 Kick-Off Meeting 20 September 2016, AutoWorld, Brussels, Belgium Agenda Call to Order & Introductions Robert Stead Scope and Purpose of Working Group Robert Stead IEEE Patent Policy Michael Kipness

524 views • 37 slides
A Quantum Quench of the Sachdev-Ye-Kitaev Model Julia Steinberg Harvard University

A Quantum Quench of the Sachdev-Ye-Kitaev Model Julia Steinberg Harvard University

A Quantum Quench of the Sachdev-Ye-Kitaev Model Julia Steinberg Harvard University arXiv:1703.07793 [cond-mat.str-el] Chaos, Topology, and Dualities in Condensed Matter Theory UIUC November 4, 2017 Collaborators Valentin Kasper Subir

590 views • 22 slides

More recommend