using Intel SGX Sergey Gorbunov University of Waterloo Joint work - - PowerPoint PPT Presentation



SLIDE 1

Iron: Functional encryption using Intel SGX

Sergey Gorbunov University of Waterloo

Joint work with Ben Fisch, Dhinakaran Vinayagamurthy, Dan Boneh.

SLIDE 2

Motivation

[Figure labels: DNA_A, DNA_B, DB, where DB = Database of DNA sequences]

Challenges:

  1. Ensure privacy of users’ DNA sequences in the DB.
  2. Selectively enable services (i.e. computations) over private data in the DB.

SLIDE 3

FE to the Rescue

[Figure labels: ct = Enc(mpk, DB); mpk, msk; functions F1, F2; keys skF1, skF2, skF3 yielding F1(DB), F2(DB), F3(DB)]

SLIDE 4

FE Definition

  • (mpk, msk) ← Setup(1^n), run by the Authority (NIH)
  • ct ← Enc(mpk, X), run by the Data Owner (may not be NIH)
  • skF ← Keygen(msk, F), run by the Authority
  • F(X) ← Dec(skF, ct), run by the Service / Data User

[Boneh, Sahai, Waters 11]

SLIDE 5

FE Security - Informal

  • Indistinguishability (IND): an adversary given access to (skF1, skF2, …, skFq) cannot distinguish between Enc(mpk, X0) and Enc(mpk, X1) where Fi(X0) = Fi(X1) for all i.
  • Simulation (SIM): an adversary given (skF1, skF2, …, skFq) and Enc(mpk, X) learns only F1(X), F2(X), …, Fq(X).

SLIDE 6

FE Security – semi-formal

[Figure: Real World (FE scheme and Adv) ≈ Ideal World (Sim and Adv). Labels: MPK; F1, F2, …; SKF1, SKF2, …; (X, st); ct; F1(X), F2(X), …; X; st]

[BSW11, O’N10]

SLIDE 7

Previous Results

  • FE for Boolean formulas/inner products [GPSW06, LOSTW10, AFV11, ABDP15, BJK15, ALS16, KLM+16, BCFG17, …]
      - Various standard assumptions: LWE, pairings, etc.
      - Somewhat efficient
  • General functions/circuits [GGHRSW14, ABSV15, Wat16, BKS16, BNPW16, …]
      ✗ Non-standard assumptions (multi-linear maps, obfuscation)
      ✗ Very inefficient [ACLL’15]

SLIDE 8

Can we build an efficient, provably-secure FE scheme for arbitrary functions from a plausible assumption?

SLIDE 9

Our Results

Thm: We present efficient, provably-secure FE for arbitrary functions assuming existence of secure hardware (Intel SGX) modules.

  • We model and argue the security under a strong simulation notion.
  • No restriction on the complexity of functions: they need to be written in C/C++.
  • We demonstrate practical efficiency with a prototype implementation and benchmark against known crypto FE constructions.

SLIDE 10

Outline

  • Motivation and our results
  • Background on secure hardware (Intel SGX)
  • Construction overview
  • Proof insights
  • Implementation details and performance

SLIDE 11

Intel SGX Overview

[Figure: Untrusted Host with CPU and Memory holding user program/data (steady state, post-setup)]

Container:

  • Program code
  • Stack
  • Libraries
  • Internal states
  • Data pages

Goal: provide a secure execution environment on an untrusted remote host, assuming only the security of a processor enabled with a set of encryption routines (Intel SGX).

Standard CPU Logic + Hardware Module + Encryption Routines (SGX)

Only the CPU is tamper safe from the adversary.

SLIDE 12

Intel SGX Overview

  • Encrypted user-level memory container
      • User-level = cannot do syscalls, IO, network communication, etc.
  • Physically encrypted pages of program code and data in memory
  • Key is protected on the CPU and cannot be extracted; it encrypts/decrypts container pages before execution

SLIDE 13

Intel SGX Overview

Property 1: Attestation

  • A party can verify that it is communicating with a program running in the encrypted container on a platform associated with a key pair (pk, sk)
  • Verification wrt a public “measurement” of the program (hash)
  • Local attestation: two containers running on the same node can attest each other
  • Remote attestation: a remote user can attest that a specific program is running inside a secure container

SLIDE 14

Intel SGX Overview

ProofP = Sign(sk, H(P))

[Figure: User program P in CPU Memory alongside other user program/data. Labels: pk, sk; pk; ProofP; Attest(pk, P, ProofP)]

SLIDE 15

Intel SGX Overview

Property 2: Isolated execution

  • Confidentiality: “black-box” execution of a program
      • Internal state of the program is hidden from adversary
  • Integrity:
      • Adversary cannot change execution state/data/program
      • Cannot modify the output of the program on a given input

SLIDE 16

Intel SGX Overview

ProofP(X) = Sign(sk, P(X))

[Figure: User program P in CPU Memory alongside user program/data. Labels: pk, sk; pk; Input X; P(X), ProofP(X); Verify(pk, P(X), ProofP(X))]

SLIDE 17

SGX Formal Algorithms

  • Setup(1^n) → (sk, pk)
  • Load_sk(P) → ProofP
  • Attest(pk, P, ProofP) → 0/1
  • Run_sk(X) → (P(X), ProofP(X))
  • Verify(pk, P(X), ProofP(X)) → 0/1

SLIDE 18

SGX Initialization and Runtime

Goal: secure verifiable computation outsourcing of a program P on input X.

[Figure: User program P in CPU Memory; the CPU holds pk, sk and the user holds P, X, pk. Labels in order: Load(P); ProofP; Attest(pk, P, ProofP); Sec. channel; X; P(X), ProofP(X); Verify(pk, P(X), ProofP(X))]

SLIDE 19

SGX – The Good

  • Shielded execution of unmodified Windows apps [BPH14]
  • Secure MapReduce computations [SCF+15, DSC+15, OCF+15]
  • Secure Linux containers [ATG+16, STT+17]
  • An authenticated data feed for smart contracts [ZCC+16]
  • Secure distributed data analytics (Spark SQL) [ZDB+17]

Becoming a building block for many secure applications!

  • Other CPU manufacturers have their own version of SGX (AMD SEV)
  • Easy to use, develop, integrate, etc.

SLIDE 20

SGX – The Ugly

  • Programs running inside encrypted containers are subject to side-channel attacks:
      • Page-fault attacks [XCP15]
      • Synchronization bugs [WKPK16]
      • Branch shadowing [SLK+17]
      • Cache attacks [BMD+17, SWG+17]
  • Lots of academic work providing stronger security guarantees and mitigating SGX side-channels [CLD16, SLKP16, LSG+16, WKPK16, SLK+17, SGF17].

SLIDE 21

SGX – The Ugly Cont.

  • Intel is trusted for the HW implementation
  • Cannot change the working function inside the encrypted container after it is loaded/attested
  • Small working memory (~90MB)
  • No system calls/IO/network communication

SLIDE 22

System vs Model vs Proof

[Figure labels: IPSec, Disk encryption]

SLIDE 23

Outline

  • Motivation and our results
  • Background on secure hardware (Intel SGX)
  • Construction overview
  • Proof insights
  • Implementation details and performance

SLIDE 24

Our Construction (simplified)

Building blocks:

  • SGX (on data user node)
  • public-key encryption (p.setup, p.enc, p.dec)
  • signature scheme (s.setup, s.sign, s.verify)

SLIDE 25

Our Construction (simplified)

Authority:

  • Setup(1^k) → (mpk, msk)
      1) s.setup(1^k) → (vks, sks)
      2) p.setup(1^k) → (pkp, skp)
      3) mpk = (pkp, vks), msk = (skp, sks)
  • Keygen(msk, F) → skF
      1) s.sign(sks, F) → skF

Data Owner:

  • Enc(mpk, X) → ct
      1) p.enc(pkp, X) → ct

Data User (SGX):

  • Dec(skF, ct) → F(X) (next slide)

[Figure labels: F, mpk]

SLIDE 26

Dec(skF, ct) → F(X):

[Figure: Data User and Authority. Labels: F; msk = (skp, sks); ct, mpk = (pkp, pks); Attest; Sec. channel; skp]

SGX Encrypted Container:

  • Verify skF
  • Decrypt X
  • Output F(X)

Problems:

  1) Enc. container cannot talk over network?
  2) Which function to attest in enc. container?

SLIDE 27

Dec(skF, ct) → F(X):

1) Enc. container cannot talk over network?

[Figure: Data User and Authority, with an IO SHIM. Labels: F; msk = (skp, sks); ct, mpk = (pkp, pks); Attest; Sec. channel; skp]

SGX Encrypted Container:

  • Verify skF
  • Decrypt X
  • Output F(X)

SLIDE 28

Dec(skF, ct) → F(X):

2) Which function to attest in enc. container?

Define P(mpk, ct, skF):

  1) Establish secure channel
  2) Verify skF
  3) Decrypt X
  4) Output F(X)

Load and attest P

[Figure: Data User and Authority, with an IO SHIM. Labels: F; msk = (skp, sks); ct, mpk = (pkp, pks); Attest; Sec. channel; skp. SGX Encrypted Container: Verify skF, Decrypt X, Output F(X)]

SLIDE 29

Dec(skF, ct) → F(X):

2) Which function to attest in enc. container?

P(mpk, ct, skF):

  • Establishes secure channel
  • Verifies skF
  • Decrypts X
  • Launches enclave F’
  • Local attests enclave F’

F’:

  • Establish sec. channel
  • Compute F(X)

[Figure: Data User and Authority, with an IO SHIM. Labels: F; msk = (skp, sks); ct, mpk = (pkp, pks); Attest P; Sec. channel; skp; Attest F’; sec. channel; X]

SLIDE 30

Q & A

Q: Adversary controls the IO Shim layer. Can she/he modify:

  1. The secret key skF
  2. Program loaded P
  3. The encryption of the secret key skp and observe output F(X) to learn information about skp?

A:

  1. No, follows by security of signature scheme
  2. No, follows by attestation property of SGX
  3. Channel must be protected with CCA2 properties.

SLIDE 31

Q & A

Q: How does the proof work?

[Figure: Data User and Authority, with an IO SHIM. Labels: f; msk = (skp, sks); ct, mpk = (pkp, pks); Attest; Sec. channel; skp. SGX Encrypted Container: skF, skp, F(X). Annotation on the output F(X): Need to simulate!]

SLIDE 32

Q & A

Q: How does the proof work?

A:

  • In simulation, F(X) comes from the authority via sec. channel (enc(0) in the real game)
  • Indistinguishability of enc(0) and enc(F(X)) follows by sec. channel (not readily; need to use dual-encryption tech.)

[Figure: Data User and Authority, with an IO SHIM. Labels: f; msk = (skp, sks); ct, mpk = (pkp, pks); Attest; Sec. channel; F(X), skp. SGX Encrypted Container: skF, skp, F(X)]

SLIDE 33

Q & A

Q: What is “function description” and how does authority validate it?

A: An arbitrary C/C++ program code that is given to the authority. Authority can inspect the code, compile into sgx-enabled executable and sign the executable. skF = (executable, signature of the executable).

SLIDE 34

Q & A

Q: SGX is vulnerable to side-channels?

A: Yes, while inspecting the code of a function F, the authority can ensure that it is side-channel free or augment it into such form before compiling. Program P needs to be built side-channel free once and for all. (Side-channel free: e.g., constant time.)

SLIDE 35

Q & A

Q: What happens if the data user restarts the node?

A: SGX has a mechanism to “seal” enclave secrets on persistent storage with a hardware-derived key.

SLIDE 36

Outline

  • Motivation and our results
  • Background on secure hardware (Intel SGX)
  • Construction overview
  • Proof insights
  • Implementation details and performance

SLIDE 37

Implementation

Intel i5, 16 GB RAM, Intel SGX SDK 1.6 for Windows

Crypto Algorithms:

  • PKE: ElGamal (MSR_ECClib.lib) + AES-GCM
  • Signature: ECDSA (sgx_tcrypto.lib)

Supported functions:

  • Any function that can be loaded into an enclave
  • And resist side-channels

SLIDE 38

Implementation

We implement oblivious IBE, ORE, 3-DNF, simple linear regression

  • IBE: ct ← Enc(ID, X), X ← Dec(skID, ct)
  • Order(X, Y): Output 1 if x > y, else 0
  • 3-DNF(X, Y, Z): Output (x1 ∧ y1 ∧ z1) ∨ ⋯ ∨ (xn ∧ yn ∧ zn)
  • SimpLinReg({ai, bi}): Output the best-fit (α, β) such that bi = α + β ai

n-bit vectors

By implementing data comparisons in registers, constant time, code-independent accesses [OSF+16]
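
The constant-time, register-only style named on this slide, as an added example in C (not code from the Iron prototype): branch-free versions of Order and 3-DNF next to a leaky early-exit baseline, plus a table read whose access pattern does not depend on the index. The function names, the 64-bits-per-word packing and the sample vectors are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Order(x, y): 1 if x > y (unsigned), else 0. This is the borrow bit of
 * y - x, built from bitwise operations only: no branch on secret data. */
uint64_t ct_order(uint64_t x, uint64_t y)
{
    return ((~y & x) | ((~y | x) & (y - x))) >> 63;
}

/* Leaky baseline: stops at the first satisfied clause, so running time
 * depends on where (and whether) the secret vectors overlap. */
int dnf3_leaky(const uint64_t *x, const uint64_t *y, const uint64_t *z, size_t w)
{
    for (size_t i = 0; i < w; i++)
        if (x[i] & y[i] & z[i]) return 1;
    return 0;
}

/* 3-DNF on bit vectors packed 64 per word: reads every word, no early exit. */
uint64_t ct_dnf3(const uint64_t *x, const uint64_t *y, const uint64_t *z, size_t w)
{
    uint64_t acc = 0;
    for (size_t i = 0; i < w; i++)
        acc |= x[i] & y[i] & z[i];
    return (acc | (0 - acc)) >> 63; /* 1 iff acc != 0, without comparing */
}

/* table[idx] for a secret idx: scans the whole table so the sequence of
 * addresses touched is the same for every idx (0 if idx is out of range). */
uint64_t ct_lookup(const uint64_t *table, size_t n, uint64_t idx)
{
    uint64_t out = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t d = (uint64_t)i ^ idx;
        uint64_t mask = ((d | (0 - d)) >> 63) - 1; /* all ones iff i == idx */
        out |= table[i] & mask;
    }
    return out;
}

/* Constructed 128-bit sample vectors; all three overlap only in word 1. */
static const uint64_t SX[2] = {0x0f, 0x30}, SY[2] = {0xf0, 0x18}, SZ[2] = {0x00, 0x10};

int main(void)
{
    printf("order=%d dnf3=%d\n", (int)ct_order(7, 3), (int)ct_dnf3(SX, SY, SZ, 2));
    return 0;
}
```

An optimising compiler can turn such expressions back into branches, so the generated assembly of an enclave build still needs to be inspected.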

SLIDE 39

Evaluation

  • FE.Decrypt:
  • FE.Setup: 130 ms (60 ms for KMEnclave creation)
  • FE.KeyGen: 10 ms

SLIDE 40

Evaluation

SLIDE 41

Thank you!