Computer Science > Cryptography and Security
[Submitted on 20 Oct 2020 (v1), revised 18 Feb 2021 (this version, v2), latest version 15 Nov 2021 (v3)]
Title:PIE: A Platform-wide TEE
View PDFAbstract:While modern computing architectures rely on specialized hardware such as accelerators to provide performance and functionality, trusted execution environments (TEEs), one of the most promising recent developments in security, can only protect code confined in the CPU, limiting TEEs potential and applicability to a handful of applications. We observe that the TEEs' hardware trusted computing base (TCB) is fixed at design time, forcing users to rely on (mostly untrustworthy) software to allow peripherals into the TEE. Based on this observation, we propose PIE, a secure platform design with a configurable hardware and software TCB, which allows us to support specialized hardware while ensuring the least privilege principle. We introduce two new security properties relevant to such systems: platform-wide attestation and platform awareness. Platform-wide attestation allows to remotely verify the platform's current state, including the state of specialized hardware devices and how they are connected with each other, whereas platform awareness defines how the enclave reacts upon a change in connected devices. Together, these allow to attest to the hardware configuration of a system and check that only the trusted hardware with the right version of its firmware is part of the TCB (platform-wide attestation) and will stay part of the TCB for the whole execution (platform awareness). Finally, we present a prototype of PIE based on RISC-V's Keystone to show that such systems are feasible with only around 600 lines added to the software TCB, without compromising performance.
Submission history
From: Moritz Schneider [view email][v1] Tue, 20 Oct 2020 16:27:23 UTC (1,836 KB)
[v2] Thu, 18 Feb 2021 10:06:10 UTC (994 KB)
[v3] Mon, 15 Nov 2021 13:58:42 UTC (1,086 KB)
Bibliographic and Citation Tools
Bibliographic Explorer (What is the Explorer?)
Litmaps (What is Litmaps?)
scite Smart Citations (What are Smart Citations?)
Code, Data and Media Associated with this Article
CatalyzeX Code Finder for Papers (What is CatalyzeX?)
DagsHub (What is DagsHub?)
Gotit.pub (What is GotitPub?)
Papers with Code (What is Papers with Code?)
ScienceCast (What is ScienceCast?)
Demos
Recommenders and Search Tools
Influence Flower (What are Influence Flowers?)
Connected Papers (What is Connected Papers?)
CORE Recommender (What is CORE?)
arXivLabs: experimental projects with community collaborators
arXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website.
Both individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them.
Have an idea for a project that will add value for arXiv's community? Learn more about arXivLabs.