-
SERVAS! Secure Enclaves via RISC-V Authenticryption Shield
Authors:
Stefan Steinegger,
David Schrammel,
Samuel Weiser,
Pascal Nasahl,
Stefan Mangard
Abstract:
Isolation is a long-standing challenge of software security. Traditional privilege rings and virtual memory are more and more augmented with concepts such as capabilities, protection keys, and powerful enclaves. At the same time, we are evidencing an increased need for physical protection, shifting towards full memory encryption schemes. This results in a complex interplay of various security mechanisms, increasing the burden for system architects and security analysts.
In this work, we tackle the isolation challenge with a new isolation primitive called authenticryption shield that unifies both traditional and advanced isolation policies while offering the potential for future extensibility. At the core, we build upon an authenticated memory encryption scheme that gives cryptographic isolation guarantees and, thus, streamlines the security reasoning. We showcase the versatility of our approach by designing and prototyping SERVAS -- an innovative enclave architecture for RISC-V. Unlike current enclave systems, SERVAS facilitates efficient and secure enclave memory sharing. While the memory encryption constitutes the main overhead, entering or exiting a SERVAS enclave requires only 3.5x of a simple syscall, instead of 71x for Intel SGX.
Submitted 7 May, 2021;
originally announced May 2021.
-
Practical Enclave Malware with Intel SGX
Authors:
Michael Schwarz,
Samuel Weiser,
Daniel Gruss
Abstract:
Modern CPU architectures offer strong isolation guarantees towards user applications in the form of enclaves. For instance, Intel's threat model for SGX assumes fully trusted enclaves, yet there is an ongoing debate on whether this threat model is realistic. In particular, it is unclear to what extent enclave malware could harm a system. In this work, we practically demonstrate the first enclave malware which fully and stealthily impersonates its host application. Together with poorly-deployed application isolation on personal computers, such malware can not only steal or encrypt documents for extortion, but also act on the user's behalf, e.g., sending phishing emails or mounting denial-of-service attacks. Our SGX-ROP attack uses a new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code-reuse attack from within an enclave which is then inadvertently executed by the host application. With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer. We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits. With our results, we seek to demystify the enclave malware threat and lay solid ground for future research on and defense against enclave malware.
Submitted 8 February, 2019;
originally announced February 2019.
-
KeyDrown: Eliminating Keystroke Timing Side-Channel Attacks
Authors:
Michael Schwarz,
Moritz Lipp,
Daniel Gruss,
Samuel Weiser,
Clémentine Maurice,
Raphael Spreitzer,
Stefan Mangard
Abstract:
Besides cryptographic secrets, side-channel attacks also leak sensitive user input. The most accurate attacks exploit cache timings or interrupt information to monitor keystroke timings and subsequently infer typed words and sentences. Previously proposed countermeasures fail to prevent keystroke timing attacks as they do not protect keystroke processing among the entire software stack.
We close this gap with KeyDrown, a new defense mechanism against keystroke timing attacks. KeyDrown injects a large number of fake keystrokes in the kernel to prevent interrupt-based attacks and Prime+Probe attacks on the kernel. All keystrokes, including fake keystrokes, are carefully propagated through the shared library in order to hide any cache activity and thus to prevent Flush+Reload attacks. Finally, we provide additional protection against Prime+Probe for password input in user space programs. We show that attackers cannot distinguish fake keystrokes from real keystrokes anymore and we evaluate KeyDrown on a commodity notebook as well as on two Android smartphones. We show that KeyDrown eliminates any advantage an attacker can gain from using interrupt or cache side-channel information.
Submitted 20 June, 2017;
originally announced June 2017.
-
Malware Guard Extension: Using SGX to Conceal Cache Attacks
Authors:
Michael Schwarz,
Samuel Weiser,
Daniel Gruss,
Clémentine Maurice,
Stefan Mangard
Abstract:
In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine. However, the hypervisor does not protect tenants against the cloud provider and thus the supplied operating system and hardware. Intel SGX provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers.
In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works although in SGX enclaves there are no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces within 5 minutes.
Submitted 22 May, 2019; v1 submitted 28 February, 2017;
originally announced February 2017.
-
SGXIO: Generic Trusted I/O Path for Intel SGX
Authors:
Samuel Weiser,
Mario Werner
Abstract:
Application security traditionally strongly relies upon security of the underlying operating system. However, operating systems often fall victim to software attacks, compromising security of applications as well. To overcome this dependency, Intel introduced SGX, which allows to protect application code against a subverted or malicious OS by running it in a hardware-protected enclave. However, SGX lacks support for generic trusted I/O paths to protect user input and output between enclaves and I/O devices.
This work presents SGXIO, a generic trusted path architecture for SGX, allowing user applications to run securely on top of an untrusted OS, while at the same time supporting trusted paths to generic I/O devices. To achieve this, SGXIO combines the benefits of SGX's easy programming model with traditional hypervisor-based trusted path architectures. Moreover, SGXIO can tweak insecure debug enclaves to behave like secure production enclaves. SGXIO surpasses traditional use cases in cloud computing and makes SGX technology usable for protecting user-centric, local applications against kernel-level keyloggers and the like. It is compatible with unmodified operating systems and works on a modern commodity notebook out of the box. Hence, SGXIO is particularly promising for the broad x86 community to which SGX is readily available.
Submitted 4 January, 2017;
originally announced January 2017.
-
Spin-orbit coupling in ferromagnetic Nickel
Authors:
J. Bünemann,
F. Gebhard,
T. Ohm,
S. Weiser,
W. Weber
Abstract:
We use the Gutzwiller variational theory to investigate the electronic and the magnetic properties of fcc-Nickel. Our particular focus is on the effects of the spin-orbit coupling. Unlike standard relativistic band-structure theories, we reproduce the experimental magnetic moment direction and we explain the change of the Fermi-surface topology that occurs when the magnetic moment direction is rotated by an external magnetic field. The Fermi surface in our calculation deviates from early de-Haas--van-Alphen (dHvA) results. We attribute these discrepancies to an incorrect interpretation of the raw dHvA data.
Submitted 14 April, 2008;
originally announced April 2008.
-
Gutzwiller-Correlated Wave Functions: Application to Ferromagnetic Nickel
Authors:
Joerg Buenemann,
Florian Gebhard,
Torsten Ohm,
Stefan Weiser,
Werner Weber
Abstract:
Ferromagnetic Nickel is the most celebrated iron group metal with pronounced discrepancies between the experimental electronic properties and predictions of density functional theories. In this work, we show in detail that the recently developed multi-band Gutzwiller theory provides a very good description of the quasi-particle band structure of nickel. We obtain the correct exchange splittings and we reproduce the experimental Fermi-surface topology. The correct (111)-direction of the magnetic easy axis and the right order of magnitude of the magnetic anisotropy are found. Our theory also reproduces the experimentally observed change of the Fermi-surface topology when the magnetic moment is oriented along the (001)-axis. In addition to the numerical study, we give an analytical derivation for a much larger class of variational wave-functions than in previous investigations. In particular, we cover cases of superconductivity in multi-band lattice systems.
Submitted 14 March, 2005;
originally announced March 2005.
-
Atomic correlations in itinerant ferromagnets: quasi-particle bands of nickel
Authors:
J. Buenemann,
F. Gebhard,
T. Ohm,
R. Umstaetter,
S. Weiser,
W. Weber,
R. Claessen,
D. Ehm,
A. Harasawa,
A. Kakizaki,
A. Kimura,
G. Nicolay,
S. Shin,
V. N. Strocov
Abstract:
We measure the band structure of nickel along various high-symmetry lines of the bulk Brillouin zone with angle-resolved photoelectron spectroscopy. The Gutzwiller theory for a nine-band Hubbard model whose tight-binding parameters are obtained from non-magnetic density-functional theory resolves most of the long-standing discrepancies between experiment and theory on nickel. Thereby we support the view of itinerant ferromagnetism as induced by atomic correlations.
Submitted 5 April, 2002;
originally announced April 2002.
-
Total Energy Studies for Ferromagnetic Nickel: What is the Optimum Combination of the Multi-band Gutzwiller Method and Density Functional Theory?
Authors:
T. Ohm,
S. Weiser,
R. Umstätter,
W. Weber,
J. Bünemann
Abstract:
The multi-band Gutzwiller method, combined with calculations based on density functional theory, is employed to study total energy curves of the ferromagnetic ground state of Ni. A new method is presented which allows flow of charge between d and s, p type orbitals in an approximate way. Further it is emphasized that the missing repulsive contribution to the total energy at large magnetic moments can be estimated from an analysis of specific DFT calculations.
Submitted 22 October, 2001;
originally announced October 2001.