skip to main content
research-article

Automatic enforcement of expressive security policies using enclaves

Published:19 October 2016Publication History
Skip Abstract Section

Abstract

Hardware-based enclave protection mechanisms, such as Intel's SGX, ARM's TrustZone, and Apple's Secure Enclave, can protect code and data from powerful low-level attackers. In this work, we use enclaves to enforce strong application-specific information security policies.

We present IMPE, a novel calculus that captures the essence of SGX-like enclave mechanisms, and show that a security-type system for IMPE can enforce expressive confidentiality policies (including erasure policies and delimited release policies) against powerful low-level attackers, including attackers that can arbitrarily corrupt non-enclave code, and, under some circumstances, corrupt enclave code. We present a translation from an expressive security-typed calculus (that is not aware of enclaves) to IMPE. The translation automatically places code and data into enclaves to enforce the security policies of the source program.

References

  1. G. Aggarwal, E. Bursztein, C. Jackson, and D. Boneh. An analysis of private browsing modes in modern browsers. In Proceedings of the 19th USENIX Conference on Security, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. Apple. iOS security. https://www.apple.com/business/ docs/iOS_Security_Guide.pdf, Sept. 2015.Google ScholarGoogle Scholar
  3. O. Arden, M. D. George, J. Liu, K. Vikram, A. Askarov, and A. C. Myers. Sharing mobile code securely with information flow control. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, pages 191–205, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. ARM. ARM security technology — building a secure system using TrustZone technology. http: //infocenter.arm.com/help/topic/com.arm. doc.prd29-genc-009492c/PRD29-GENC-009492C_ trustzone_security_whitepaper.pdf, 2009.Google ScholarGoogle Scholar
  5. A. Askarov and A. Sabelfeld. Tight enforcement of information-release policies for dynamic languages. In Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium, pages 43–59, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. A. Askarov, S. Hunt, A. Sabelfeld, and D. Sands. Terminationinsensitive noninterference leaks more than just a bit. In Proceedings of the 13th European Symposium on Research in Computer Security, Oct. 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. A. Askarov, S. Moore, C. Dimoulas, and S. Chong. Cryptographic enforcement of language-based erasure. In Proceedings of the 28th IEEE Computer Security Foundations Symposium, July 2015. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. E. Boros and P. L. Hammer. Pseudo-boolean optimization. Discrete Applied Mathematics, 123(1-3):155–225, Nov. 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. S. Chong and A. C. Myers. Language-based information erasure. In Proceedings of the 18th IEEE Workshop on Computer Security Foundations, pages 241–254, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. S. Chong and A. C. Myers. End-to-end enforcement of erasure and declassification. In Proceedings of the 21st IEEE Computer Security Foundations Symposium, pages 98–111, June 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. J. Chow, B. Pfaff, T. Garfinkel, and M. Rosenblum. Shredding your garbage: Reducing data lifetime through secure deallocation. In USENIX Security, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. E. S. Cohen. Information transmission in computational systems. ACM SIGOPS Operating Systems Review, 11(5):133– 139, 1977. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. R. DeLine and K. R. M. Leino. BoogiePL: A typed procedural language for checking object-oriented programs. Technical Report MSR-TR-2005-70, Microsoft Research, Mar. 2005.Google ScholarGoogle Scholar
  14. D. E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236–243, 1976. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. A. M. Dunn, M. Z. Lee, S. Jana, S. Kim, M. Silberstein, Y. Xu, V. Shmatikov, and E. Witchel. Eternal sunshine of the spotless machine: Protecting privacy with ephemeral channels. In Proceedings of the 10th USENIX Conference on Operating Systems Design and Implementation, pages 61–75, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. C. Fournet and J. Planul. Compiling information-flow security to minimal trusted computing bases. In Proceedings of the 20th European Conference on Programming Languages and Systems, pages 216–235, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. GlobalPlatform. Trusted user interface API specification v1.0. http://www.globalplatform.org/ specificationsdevice.asp, 2013.Google ScholarGoogle Scholar
  18. J. A. Goguen and J. Meseguer. Security policies and security models. In Proceedings of the IEEE Symposium on Security and Privacy, pages 11–20, Apr. 1982.Google ScholarGoogle ScholarCross RefCross Ref
  19. A. Gollamudi. Impslator. https://github.com/anithag/ impslator, June 2016.Google ScholarGoogle Scholar
  20. A. Gollamudi and S. Chong. Automatic enforcement of expressive security policies using enclaves. Technical Report TR-2-2016, Harvard University, Aug. 2016.Google ScholarGoogle Scholar
  21. P. Gutmann. Data remanence in semiconductor devices. In The Tenth USENIX Security Symposium Proceedings, pages 39–54, 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten. Lest we remember: Cold boot attacks on encryption keys. In Proceedings of the 17th USENIX Security Symposium, July 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. C. Hawblitzel, J. Howell, J. R. Lorch, A. Narayan, B. Parno, D. Zhang, and B. Zill. Ironclad apps: End-to-end security via automated full-system verification. In USENIX Symposium on Operating Systems Design and Implementation, Oct. 2014. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. S. Hunt and D. Sands. Just forget it—the semantics and enforcement of information erasure. In Proceedings of the 17th European Symposium on Programming, pages 239–253, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. Intel. Intel software guard extensions (Intel SGX) programming reference. https://software.intel.com/sites/ default/files/managed/48/88/329298-002.pdf, 2014.Google ScholarGoogle Scholar
  26. A. C. Myers, A. Sabelfeld, and S. Zdancewic. Enforcing robust declassification. In Proceedings of the 17th IEEE Computer Security Foundations Workshop, June 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. M. Patrignani, P. Agten, R. Strackx, B. Jacobs, D. Clarke, and F. Piessens. Secure compilation to protected module architectures. ACM Transactions on Programming Languages and Systems, 37(2):6, 2015. Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. R. Perlman. File System Design with Assured Delete. In Proceedings of the Third IEEE International Security in Storage Workshop, pages 83–88, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. A. Sabelfeld and A. C. Myers. Language-based informationflow security. IEEE Journal on Selected Areas in Communications, 21(1):5–19, Jan. 2003. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. A. Sabelfeld and A. C. Myers. A model for delimited release. In Proceedings of the 2003 International Symposium on Software Security, number 3233 in Lecture Notes in Computer Science, pages 174–191, 2004.Google ScholarGoogle Scholar
  31. A. Sabelfeld and D. Sands. Dimensions and principles of declassification. In Proceedings of the 18th IEEE Computer Security Foundations Workshop, pages 255–269, June 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. N. Santos, H. Raj, S. Saroiu, and A. Wolman. Using ARM Trustzone to build a trusted language runtime for mobile applications. In Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems, pages 67–80, 2014. Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. K. Satvat, M. Forshaw, F. Hao, and E. Toreini. On the privacy of private browsing - a forensic approach. Journal of Information Security and Applications, 19(1), Feb. 2014. Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. F. Schuster, M. Costa, C. Fournet, C. Gkantsidis, M. Peinado, G. Mainar-Ruiz, and M. Russinovich. VC3: Trustworthy data analytics in the cloud using SGX. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, pages 38–54, 2015. Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. M.-W. Shih, M. Kumar, T. Kim, and A. Gavrilovska. S-NFV: Securing NFV states by using SGX. In Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, pages 45–48, 2016. Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. R. Sinha, S. Rajamani, S. Seshia, and K. Vaswani. Moat: Verifying confidentiality of enclave programs. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 1169–1184, 2015. Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. R. Sinha, M. Costa, A. Lal, N. P. Lopes, S. Rajamani, S. A. Seshia, and K. Vaswani. A design and verification methodology for secure isolated regions. In Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 665–681, 2016. Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. D. Volpano, C. Irvine, and G. Smith. A sound type system for secure flow analysis. Journal of Computer Security, 4(2-3): 167–187, Jan. 1996. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Automatic enforcement of expressive security policies using enclaves

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader
      About Cookies On This Site

      We use cookies to ensure that we give you the best experience on our website.

      Learn more

      Got it!