Jo Van Bulck

SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control

Protected module architectures such as Intel SGX hold the promise of protecting sensitive computations from a potentially compromised operating system. Recent research convincingly demonstrated, however, that SGXs strengthened adversary model also gives rise to to a new class of powerful, low-noise side-channel attacks leveraging first-rate control over hardware. These attacks commonly rely on frequent enclave preemptions to obtain fine-grained side-channel observations. A maximal temporal resolution is achieved when the victim state is measured after every instruction. Current state-of-the-art enclave execution control schemes, however, do not generally achieve such instruction-level granularity. This paper presents SGX-Step, an open-source Linux kernel framework that allows an untrusted host process to configure APIC timer interrupts and track page table entries directly from user space. We contribute and evaluate an improved approach to single-step enclaved execution at instruction-level granularity, and we show how SGX-Step enables several new or improved attacks. Finally, we discuss its implications for the design of effective defense mechanisms.

An Implementation of a High Assurance Smart Meter Using Protected Module Architectures

Due to ongoing changes in the power grid towards decentralised and highly volatile energy production, smart electricity meters are required to provide fine-grained measurement and timely remote access to consumption and production data. This enables flexible tariffing and dynamic load optimisation. As the power grid forms part of the critical infrastructure of our society, increasing the resilience of the grid’s software components against failures and attacks is vitally important.

Towards availability and real-time guarantees for protected module architectures

Protected Module Architectures are a new brand of security architectures whose main objective is to support the secure isolated execution of software modules with a minimal Trusted Computing Base (TCB) -- several prototypes for embedded systems (and also the Intel Software Guard eXtensions for higher-end systems) ensure isolation with a hardware-only TCB. However, while these architectures offer strong confidentiality and integrity guarantees for software modules, they offer no availability (let alone real-time) guarantees. This paper reports on our work-in-progress towards extending a protected module architecture for small microprocessors with availability and real-time guarantees. Our objective is to maintain the existing security guarantees with a hardware-only TCB, but to also guarantee availability (and even real-time properties) if one can also trust the scheduler. The scheduler, as any software on the platform, remains untrusted for confidentiality and integrity -- but it is sufficient to trust the scheduler module to get availability guarantees even on a partially compromised platform.

Secure Resource Sharing for Embedded Protected Module Architectures

Low-end embedded devices and the Internet of Things IoT are becoming increasingly important for our lives. They are being used in domains such as infrastructure management, and medical and healthcare systems, where business interests and our security and privacy are at stake. Yet, security mechanisms have been appallingly neglected on many IoT platforms. In this paper we present a secure access control mechanism for extremely lightweight embedded microcontrollers. Being based on Sancus, a hardware-only Trusted Computing Base and Protected Module Architecture for the embedded domain, our mechanism allows for multiple software modules on an IoT-node to securely share resources. We implement and evaluate our approach for two application scenarios, a shared memory system and a shared flash drive. Our implementation is based on a Sancus-enabled TI MSP430 microcontroller. We show that our mechanism can give high security guarantees at small runtime overheads and a moderately increased size of the Trusted Computing Base.

Sancus 2.0: A Low-Cost Security Architecture for IoT Devices

The Sancus security architecture for networked embedded devices was proposed in 2013 at the USENIX Security conference. It supports remote (even third-party) software installation on devices while maintaining strong security guarantees. More specifically, Sancus can remotely attest to a software provider that a specific software module is running uncompromised and can provide a secure communication channel between software modules and software providers. Software modules can securely maintain local state and can securely interact with other software modules that they choose to trust. Over the past three years, significant experience has been gained with applications of Sancus, and several extensions of the architecture have been investigated—both by the original designers as well as by independent researchers. Informed by these additional research results, this journal version of the Sancus paper describes an improved design and implementation, supporting additional security guarantees (such as confidential deployment) and a more efficient cryptographic core. We describe the design of Sancus 2.0 (without relying on any prior knowledge of Sancus) and develop and evaluate a prototype FPGA implementation. The prototype extends an MSP430 processor with hardware support for the memory access control and cryptographic functionality required to run Sancus. We report on our experience using Sancus in a variety of application scenarios and discuss some important avenues of ongoing and future work.

Off-Limits: Abusing Legacy x86 Memory Segmentation to Spy on Enclaved Execution

Enclaved execution environments, such as Intel SGX, enable secure, hardware-enforced isolated execution of critical application components without having to trust the underlying operating system or hypervisor. A recent line of research, however, explores innovative controlled-channel attacks mounted by untrusted system software to partially compromise the confidentiality of enclave programs. Apart from exploiting relatively well-known side-channels like the CPU cache and branch predictor, these attacks have so far focused on tracking side-effects from enclaved address translations via the paging unit.

VulCAN: Efficient Component Authentication and Software Isolation for Automotive Control Networks

Vehicular communication networks have been subject to a growing number of attacks that put the safety of passengers at risk. This resulted in millions of vehicles being recalled and lawsuits against car manufacturers. While recent standardization efforts address security, no practical solutions are implemented in current cars. This paper presents VulCAN, a generic design for efficient vehicle message authentication, plus software component attestation and isolation using lightweight trusted computing technology. Specifically, we advance the state-of-the-art by not only protecting against network attackers, but also against substantially stronger adversaries capable of arbitrary code execution on participating electronic control units. We demonstrate the feasibility and practicality of VulCAN by implementing and evaluating two previously proposed, industry standard-compliant message authentication protocols on top of Sancus, an open-source embedded protected module architecture. Our results are promising, showing that strong, hardware-enforced security guarantees can be met with a minimal trusted computing base without violating real-time deadlines under benign conditions.

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic

Recent research on transient execution vulnerabilities shows that current processors exceed our levels of understanding. The prominent Meltdown and Spectre attacks abruptly revealed fundamental design flaws in CPU pipeline behavior and exception handling logic, urging the research community to systematically study attack surface from microarchitectural interactions. We present Nemesis, a previously overlooked side-channel attack vector that abuses the CPUs interrupt mechanism to leak microarchitectural instruction timings from enclaved execution environments such as Intel SGX, Sancus, and TrustLite. At its core, Nemesis abuses the same subtle microarchitectural behavior that enables Meltdown, i.e., exceptions and interrupts are delayed until instruction retirement. We show that by measuring the latency of a carefully timed interrupt, an attacker controlling the system software is able to infer instruction-granular execution state from hardware-enforced enclaves. In contrast to speculative execution vulnerabilities, our novel attack vector is applicable to the whole computing spectrum, from small embedded sensor nodes to high-end commodity x86 hardware. We present practical interrupt timing attacks against the open-source Sancus embedded research processor, and we show that interrupt latency reveals microarchitectural instruction timings from off-the-shelf Intel SGX enclaves. Finally, we discuss challenges for mitigating Nemesis-type attacks at the hardware and software levels.