Abstract
Hardware-based enclave protection mechanisms, such as Intel's SGX, ARM's TrustZone, and Apple's Secure Enclave, can protect code and data from powerful low-level attackers. In this work, we use enclaves to enforce strong application-specific information security policies.
We present IMPE, a novel calculus that captures the essence of SGX-like enclave mechanisms, and show that a security-type system for IMPE can enforce expressive confidentiality policies (including erasure policies and delimited release policies) against powerful low-level attackers, including attackers that can arbitrarily corrupt non-enclave code, and, under some circumstances, corrupt enclave code. We present a translation from an expressive security-typed calculus (that is not aware of enclaves) to IMPE. The translation automatically places code and data into enclaves to enforce the security policies of the source program.
- G. Aggarwal, E. Bursztein, C. Jackson, and D. Boneh. An analysis of private browsing modes in modern browsers. In Proceedings of the 19th USENIX Conference on Security, 2010. Google Scholar
Digital Library
- Apple. iOS security. https://www.apple.com/business/ docs/iOS_Security_Guide.pdf, Sept. 2015.Google Scholar
- O. Arden, M. D. George, J. Liu, K. Vikram, A. Askarov, and A. C. Myers. Sharing mobile code securely with information flow control. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, pages 191–205, 2012. Google Scholar
Digital Library
- ARM. ARM security technology — building a secure system using TrustZone technology. http: //infocenter.arm.com/help/topic/com.arm. doc.prd29-genc-009492c/PRD29-GENC-009492C_ trustzone_security_whitepaper.pdf, 2009.Google Scholar
- A. Askarov and A. Sabelfeld. Tight enforcement of information-release policies for dynamic languages. In Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium, pages 43–59, 2009. Google Scholar
Digital Library
- A. Askarov, S. Hunt, A. Sabelfeld, and D. Sands. Terminationinsensitive noninterference leaks more than just a bit. In Proceedings of the 13th European Symposium on Research in Computer Security, Oct. 2008. Google Scholar
Digital Library
- A. Askarov, S. Moore, C. Dimoulas, and S. Chong. Cryptographic enforcement of language-based erasure. In Proceedings of the 28th IEEE Computer Security Foundations Symposium, July 2015. Google Scholar
Digital Library
- E. Boros and P. L. Hammer. Pseudo-boolean optimization. Discrete Applied Mathematics, 123(1-3):155–225, Nov. 2002. Google Scholar
Digital Library
- S. Chong and A. C. Myers. Language-based information erasure. In Proceedings of the 18th IEEE Workshop on Computer Security Foundations, pages 241–254, 2005. Google Scholar
Digital Library
- S. Chong and A. C. Myers. End-to-end enforcement of erasure and declassification. In Proceedings of the 21st IEEE Computer Security Foundations Symposium, pages 98–111, June 2008. Google Scholar
Digital Library
- J. Chow, B. Pfaff, T. Garfinkel, and M. Rosenblum. Shredding your garbage: Reducing data lifetime through secure deallocation. In USENIX Security, 2005. Google Scholar
Digital Library
- E. S. Cohen. Information transmission in computational systems. ACM SIGOPS Operating Systems Review, 11(5):133– 139, 1977. Google Scholar
Digital Library
- R. DeLine and K. R. M. Leino. BoogiePL: A typed procedural language for checking object-oriented programs. Technical Report MSR-TR-2005-70, Microsoft Research, Mar. 2005.Google Scholar
- D. E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236–243, 1976. Google Scholar
Digital Library
- A. M. Dunn, M. Z. Lee, S. Jana, S. Kim, M. Silberstein, Y. Xu, V. Shmatikov, and E. Witchel. Eternal sunshine of the spotless machine: Protecting privacy with ephemeral channels. In Proceedings of the 10th USENIX Conference on Operating Systems Design and Implementation, pages 61–75, 2012. Google Scholar
Digital Library
- C. Fournet and J. Planul. Compiling information-flow security to minimal trusted computing bases. In Proceedings of the 20th European Conference on Programming Languages and Systems, pages 216–235, 2011. Google Scholar
Digital Library
- GlobalPlatform. Trusted user interface API specification v1.0. http://www.globalplatform.org/ specificationsdevice.asp, 2013.Google Scholar
- J. A. Goguen and J. Meseguer. Security policies and security models. In Proceedings of the IEEE Symposium on Security and Privacy, pages 11–20, Apr. 1982.Google Scholar
Cross Ref
- A. Gollamudi. Impslator. https://github.com/anithag/ impslator, June 2016.Google Scholar
- A. Gollamudi and S. Chong. Automatic enforcement of expressive security policies using enclaves. Technical Report TR-2-2016, Harvard University, Aug. 2016.Google Scholar
- P. Gutmann. Data remanence in semiconductor devices. In The Tenth USENIX Security Symposium Proceedings, pages 39–54, 2001. Google Scholar
Digital Library
- J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten. Lest we remember: Cold boot attacks on encryption keys. In Proceedings of the 17th USENIX Security Symposium, July 2008. Google Scholar
Digital Library
- C. Hawblitzel, J. Howell, J. R. Lorch, A. Narayan, B. Parno, D. Zhang, and B. Zill. Ironclad apps: End-to-end security via automated full-system verification. In USENIX Symposium on Operating Systems Design and Implementation, Oct. 2014. Google Scholar
Digital Library
- S. Hunt and D. Sands. Just forget it—the semantics and enforcement of information erasure. In Proceedings of the 17th European Symposium on Programming, pages 239–253, 2008. Google Scholar
Digital Library
- Intel. Intel software guard extensions (Intel SGX) programming reference. https://software.intel.com/sites/ default/files/managed/48/88/329298-002.pdf, 2014.Google Scholar
- A. C. Myers, A. Sabelfeld, and S. Zdancewic. Enforcing robust declassification. In Proceedings of the 17th IEEE Computer Security Foundations Workshop, June 2004. Google Scholar
Digital Library
- M. Patrignani, P. Agten, R. Strackx, B. Jacobs, D. Clarke, and F. Piessens. Secure compilation to protected module architectures. ACM Transactions on Programming Languages and Systems, 37(2):6, 2015. Google Scholar
Digital Library
- R. Perlman. File System Design with Assured Delete. In Proceedings of the Third IEEE International Security in Storage Workshop, pages 83–88, 2005. Google Scholar
Digital Library
- A. Sabelfeld and A. C. Myers. Language-based informationflow security. IEEE Journal on Selected Areas in Communications, 21(1):5–19, Jan. 2003. Google Scholar
Digital Library
- A. Sabelfeld and A. C. Myers. A model for delimited release. In Proceedings of the 2003 International Symposium on Software Security, number 3233 in Lecture Notes in Computer Science, pages 174–191, 2004.Google Scholar
- A. Sabelfeld and D. Sands. Dimensions and principles of declassification. In Proceedings of the 18th IEEE Computer Security Foundations Workshop, pages 255–269, June 2005. Google Scholar
Digital Library
- N. Santos, H. Raj, S. Saroiu, and A. Wolman. Using ARM Trustzone to build a trusted language runtime for mobile applications. In Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems, pages 67–80, 2014. Google Scholar
Digital Library
- K. Satvat, M. Forshaw, F. Hao, and E. Toreini. On the privacy of private browsing - a forensic approach. Journal of Information Security and Applications, 19(1), Feb. 2014. Google Scholar
Digital Library
- F. Schuster, M. Costa, C. Fournet, C. Gkantsidis, M. Peinado, G. Mainar-Ruiz, and M. Russinovich. VC3: Trustworthy data analytics in the cloud using SGX. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, pages 38–54, 2015. Google Scholar
Digital Library
- M.-W. Shih, M. Kumar, T. Kim, and A. Gavrilovska. S-NFV: Securing NFV states by using SGX. In Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, pages 45–48, 2016. Google Scholar
Digital Library
- R. Sinha, S. Rajamani, S. Seshia, and K. Vaswani. Moat: Verifying confidentiality of enclave programs. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 1169–1184, 2015. Google Scholar
Digital Library
- R. Sinha, M. Costa, A. Lal, N. P. Lopes, S. Rajamani, S. A. Seshia, and K. Vaswani. A design and verification methodology for secure isolated regions. In Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 665–681, 2016. Google Scholar
Digital Library
- D. Volpano, C. Irvine, and G. Smith. A sound type system for secure flow analysis. Journal of Computer Security, 4(2-3): 167–187, Jan. 1996. Google Scholar
Digital Library
Index Terms
Automatic enforcement of expressive security policies using enclaves
Recommendations
Automatic enforcement of expressive security policies using enclaves
OOPSLA 2016: Proceedings of the 2016 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and ApplicationsHardware-based enclave protection mechanisms, such as Intel's SGX, ARM's TrustZone, and Apple's Secure Enclave, can protect code and data from powerful low-level attackers. In this work, we use enclaves to enforce strong application-specific information ...
Declarative Policies for Capability Control
CSF '14: Proceedings of the 2014 IEEE 27th Computer Security Foundations SymposiumIn capability-safe languages, components can access a resource only if they possess a capability for that resource. As a result, a programmer can prevent an untrusted component from accessing a sensitive resource by ensuring that the component never ...
Expressive Declassification Policies and Modular Static Enforcement
SP '08: Proceedings of the 2008 IEEE Symposium on Security and PrivacyThis paper provides a way to specify expressive declassification policies, in particular, when, what, and where policies that include conditions under which downgrading is allowed. Secondly, an end-to-end semantic property is introduced, based on a ...







Comments