Abstract
Hardware support for isolated execution (such as Intel SGX) enables development of applications that keep their code and data confidential even while running in a hostile or compromised host. However, automatically verifying that such applications satisfy confidentiality remains challenging. We present a methodology for designing such applications in a way that enables certifying their confidentiality. Our methodology consists of forcing the application to communicate with the external world through a narrow interface, compiling it with runtime checks that aid verification, and linking it with a small runtime that implements the narrow interface. The runtime includes services such as secure communication channels and memory management. We formalize this restriction on the application as Information Release Confinement (IRC), and we show that it allows us to decompose the task of proving confidentiality into (a) one-time, human-assisted functional verification of the runtime to ensure that it does not leak secrets, (b) automatic verification of the application's machine code to ensure that it satisfies IRC and does not directly read or corrupt the runtime's internal state. We present /CONFIDENTIAL: a verifier for IRC that is modular, automatic, and keeps our compiler out of the trusted computing base. Our evaluation suggests that the methodology scales to real-world applications.
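The two mechanisms the abstract describes, a narrow release interface and compiler-inserted checks on the application's memory accesses, can be modelled in a few dozen lines. The following C program is an added illustration and is not code from the paper or from /CONFIDENTIAL; the flat memory layout, the function names (`checked_store`, `checked_load`, `rt_send`) and the XOR stream standing in for the channel cipher are assumptions made for the example. It shows why confining the application to its own region, with the runtime's `rt_send` as the only path into shared memory, reduces confidentiality of the whole to functional correctness of the small runtime.

```c
/* Added example: a toy model of Information Release Confinement (IRC).
 * The application may read and write only its own region, and the only
 * way for application data to reach untrusted (shared) memory is the
 * runtime's narrow send interface, which encrypts first.  Layout, names
 * and the XOR "cipher" are assumptions for illustration, not the paper's. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed memory layout: runtime-private state, the application's
 * region, and memory shared with the untrusted host, in one flat array. */
#define RT_BASE      0
#define RT_SIZE     64
#define APP_BASE    64
#define APP_SIZE   128
#define SHARED_BASE 192
#define SHARED_SIZE 64
#define MEM_SIZE   256

static uint8_t mem[MEM_SIZE];

/* The channel key lives in the runtime region; IRC must keep the
 * application from reading or overwriting it. */
static uint8_t *const channel_key = &mem[RT_BASE];

/* Constructed deterministic key so the example is reproducible. */
void rt_init(void) {
    for (size_t i = 0; i < RT_SIZE; i++)
        channel_key[i] = (uint8_t)(0xA5 ^ i);
}

/* True iff [addr, addr+len) lies entirely inside the application region.
 * len is bounded first so the subtraction cannot underflow. */
static int in_app_region(size_t addr, size_t len) {
    return len <= APP_SIZE && addr >= APP_BASE &&
           addr <= APP_BASE + APP_SIZE - len;
}

/* Check the compiler would insert before every application store.
 * Returns 1 if performed, 0 if rejected (write to runtime or shared memory). */
int checked_store(size_t addr, const uint8_t *src, size_t len) {
    if (!in_app_region(addr, len))
        return 0;
    memcpy(&mem[addr], src, len);
    return 1;
}

/* Check inserted before every application load; a read of runtime state
 * (for example the channel key) is rejected the same way. */
int checked_load(size_t addr, uint8_t *dst, size_t len) {
    if (!in_app_region(addr, len))
        return 0;
    memcpy(dst, &mem[addr], len);
    return 1;
}

/* Narrow interface: the single release path.  The runtime verifies the
 * source lies in the application region, encrypts with its own key (toy
 * XOR stream in place of an authenticated cipher) and copies the
 * ciphertext into shared memory.  Plaintext never reaches the host. */
int rt_send(size_t src, size_t len) {
    if (!in_app_region(src, len) || len > SHARED_SIZE)
        return 0;
    for (size_t i = 0; i < len; i++)
        mem[SHARED_BASE + i] = mem[src + i] ^ channel_key[i % RT_SIZE];
    return 1;
}

int main(void) {
    uint8_t secret[4] = {1, 2, 3, 4};
    rt_init();
    printf("store into app region:    %d\n", checked_store(APP_BASE, secret, 4));
    printf("store into runtime state: %d\n", checked_store(RT_BASE, secret, 4));
    printf("store into shared memory: %d\n", checked_store(SHARED_BASE, secret, 4));
    printf("release via rt_send:      %d\n", rt_send(APP_BASE, 4));
    printf("first shared byte: 0x%02x (plaintext was 0x01)\n", mem[SHARED_BASE]);
    return 0;
}
```

Because the rejected accesses are exactly the ones an automatic verifier has to rule out for every store and load in the application's machine code, the remaining obligation is the one-time functional check that `rt_send` never copies plaintext or key material out of the protected regions.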
A design and verification methodology for secure isolated regions. In PLDI '16: Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation.