Hardware-assisted Trusted Execution Environments: Look Back, Look Ahead
N. Asokan, https://asokan.org/asokan/ @nasokan

Hardware-assisted TEEs are pervasive
(Figure: a device split into Other Software and Trusted Software, with Protected Storage and a Root of Trust underneath.)

Hardware support for
- Isolated execution: isolated execution environment
- Protected storage: sealing
- Ability to convince remote verifiers: (remote) attestation

Trusted Execution Environments (TEEs) operate in parallel with rich execution environments (REEs).

Examples:
- Cryptocards, https://www.ibm.com/security/cryptocards/
- Trusted Platform Modules, https://www.infineon.com/tpm
- ARM TrustZone, https://www.arm.com/products/security-on-arm/trustzone
- Intel Software Guard Extensions, https://software.intel.com/en-us/sgx

[A+14] Mobile Trusted Computing, Proceedings of the IEEE, 102(8) (2014)
[EKA14] Untapped potential of trusted execution environments, IEEE S&P Magazine, 12(4) (2014)

Concerns with TEEs: flaws
- http://www.cs.dartmouth.edu/~pkilab/sparks/ (2007)
- https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/tang (2017)
- (CCS 2019)
- https://en.wikipedia.org/wiki/Foreshadow_(security_vulnerability) (2018)

Concerns with TEEs: suspicions of motives
- https://www.theregister.co.uk/2002/06/28/ms_palladium_protects_it_vendors/ (2002)
- https://www.eff.org/wp/trusted-computing-promise-and-risk (2003)
- http://theinvisiblethings.blogspot.fi/2013/09/thoughts-on-intels-upcoming-software.html (2013)

Outline
- A look back: how did TEEs start?
- What are some (useful) applications for TEEs?
- What are the downsides of relying on hardware-assisted TEEs?

- (How) can we deal with these downsides?
- What are other examples of hardware-assisted security?

Look Back

Platform security for mobile devices
Stakeholder requirements, each paired with the mechanism it needs:

Mobile network operators:
1. Subsidy locks -> immutable ID
2. Copy protection -> device authentication, application separation
3. ...

End users:
1. Reliability -> application separation
2. Theft deterrence -> immutable ID
3. Privacy -> application separation
4. ...

Regulators:
1. RF type approval -> secure storage
2. Theft deterrence -> immutable ID
3. ...

(Figure axis labels: Closed, Open.)
Different expectations than for PCs!

Early adoption of software platform security
(Figure: timeline of early adopters at ~2001, ~2004 and ~2008.)

Mobile software platform security is now widely deployed.
[KREA11] Old, new, borrowed, blue: a perspective on the evolution of mobile platform security architectures, ACM CODASPY (2011)

Example: regulatory compliance
3GPP TS 42.009 (2001): secure storage of RF configuration parameters

Early TEEs for mobile phones
Nokia Radio Application Processor (RAP), ca. 2001
Saara Matala & Thomas Nyman, Historical insight into the development of Mobile TEEs, Aalto SSG research group blog (2019)

https://www.wsj.com/articles/SB893268045342680500

Mobile TEEs: Motivation
- Business requirements: mobile payment, subsidy lock
- Regulatory requirements: tamper-resistant IMEIs, secure storage for RF configuration
- Engineering constraints: the cost of a discrete security chip was too high on the bill of materials!
- New approach: processor secure environments, a generic low-cost enabler that emerged as a skunkworks project within Nokia (rather than point solutions for particular use cases)

Mobile TEEs: Development
(Timeline: 1982, 1996, 2002, 2003, 2004, 2008, 2015, 2016, 2019)
- 1982 Texas Instruments, Guttag, US4521853A, Secure microprocessor/microcomputer with secured memory
- 1982 Texas Instruments, Guttag and Nussarallah, US4521853A, Security bit for designating the security status of information stored in a nonvolatile memory
- 1996 Intertrust, Ginter et al., US5892900A, Systems and Methods for Secure Transaction Management and Electronic Rights Protection
- 2002 Nokia, Kiiveri and Paatero, US9111097B2, Secure execution architecture
- 2003 Texas Instruments OMAP 161x and 73x processors; [H03] OMAP Platform Security Features, Whitepaper (2003, updated 2008)
- 2004 ARM TrustZone; [AF04] TrustZone: Integrated Hardware and Software Security, Information Quarterly (2004)

Mobile TEEs: Deployment
- First deployment: Nokia 6630 (Charlie), first 3G phone with a TI OMAP 1710 processor (June 2004)
- ARM TrustZone is currently widely deployed; TrustZone-M for Cortex-M class microcontrollers (2016)
- Ca. 2008, TEEs were unheard of in academic circles; first papers in FC 2008 and ASIACCS 2009
  [AE08] A Platform for OnBoard Credentials, Financial Cryptography and Data Security (2008)
  [KEAR09] On-board credentials with open provisioning, ACM ASIACCS (2009)
- Intel SGX in Skylake (2015); wide availability of the SDK democratized TEE research

Mobile TEEs: Standardization

(Figure: TEE system architecture, with the REE (Rich Execution Environment) and the TEE side by side. Components shown: Apps and the Mobile OS on the REE side, Trusted apps and the Trusted OS on the TEE side; interfaces TEE Client API, TEE Internal API and TPM API; TEE services for trusted user interface, biometrics, secure element, sockets, TEE management and debug; underneath, TEE entry, Device Firmware, Roots of Trust (MTM / TPM 2.0, PSA) and Device Hardware.)

Using TEEs

Original motivations (for mobile TEEs)
- Tamper-resistant device identifiers (IMEIs) for various use cases including theft protection, subsidy lock and DRM
- Sealed storage for secure storage of RF configuration data
- Mobile payments
- Boot integrity

TEE applications: academic literature (1/2)

- Private membership test for malware scanning, private contact discovery, ...
  [TLPEPA17] The Circle Game: Scalable Private Membership Test Using Trusted Hardware, ACM ASIACCS (2017)
  [KLSAP17] Private Set Intersection for Unequal Set Sizes with Mobile Applications, PETS (2017)
  Signal private contact discovery, Sep 2017, https://signal.org/blog/private-contact-discovery
- Protection of password-based web authentication
  [KKPMA18] SafeKeeper: Protecting Web Passwords using Trusted Execution Environments, WWW (WebConf) (2018)
- Secure accounting for function-as-a-service (FaaS) settings
  [AAKPS18] S-FaaS: Trustworthy and Accountable Function-as-a-Service using Intel SGX, ACM CCSW (2019)
- Scalable consensus for blockchains and cryptocurrencies
  [LLKA19] Scalable Byzantine Consensus via Hardware-Assisted Secret Sharing, IEEE Trans. Comp. 68(1) (2019)
  [GLVA19] Making Speculative BFT Resilient with Trusted Monotonic Counters, IEEE SRDS (2019)
Examples only, not a complete list
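Every application listed above rests on the three primitives from the opening slide: isolated execution, sealing and remote attestation. The simulation below is added here as an illustration and is not code from any of the cited systems. It shows what sealing and attestation buy and what they do not: a sealed blob is bound to both the device and the measured trusted app, so a modified app on the same device cannot unseal it; an attestation quote is bound to a verifier nonce, the app measurement and the data the app vouches for, so replays, tampered apps and substituted data are all rejected. The device root secret, the attestation key (a symmetric HMAC key shared with the verifier, standing in for the asymmetric attestation key a real TEE certifies through its manufacturer), the HMAC-counter stream cipher and the app names are all constructed for the example.

```python
"""Sealing and remote attestation on a simulated TEE (constructed example,
standard library only). The hardware root of trust is modelled as secrets
held by SimulatedTEE that never leave it."""
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a stream cipher for sealing."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class SimulatedTEE:
    """Stands in for the hardware: measures apps, seals, attests."""

    def __init__(self, root_secret, attestation_key):
        self._root = root_secret          # assumed fused device secret (e.g. OTP)
        self._ak = attestation_key        # assumed attestation key (symmetric stand-in)
        self._measurements = {}           # app name -> measurement

    def load(self, app, code):
        """Measure the trusted app at load time (hash of its code)."""
        self._measurements[app] = hashlib.sha256(code).digest()
        return self._measurements[app]

    def _sealing_key(self, app):
        # Bound to the device root AND the app's measurement: a different
        # binary on the same device derives a different key.
        return hmac.new(self._root, b"seal" + self._measurements[app], hashlib.sha256).digest()

    def seal(self, app, plaintext):
        key = self._sealing_key(app)
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unseal(self, app, blob):
        """Returns the plaintext, or None if the blob was not sealed for this app."""
        key = self._sealing_key(app)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
            return None
        return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

    def attest(self, app, nonce, report_data):
        """Quote = report || MAC, report = measurement || nonce || H(report_data)."""
        report = self._measurements[app] + nonce + hashlib.sha256(report_data).digest()
        return report + hmac.new(self._ak, report, hashlib.sha256).digest()


class Verifier:
    """Remote party that knows the attestation key and the expected measurement."""

    def __init__(self, attestation_key, expected_measurement):
        self._ak = attestation_key
        self._expected = expected_measurement
        self._outstanding = set()         # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, quote, report_data):
        report, mac = quote[:-32], quote[-32:]
        measurement, nonce, data_hash = report[:32], report[32:48], report[48:]
        if not hmac.compare_digest(mac, hmac.new(self._ak, report, hashlib.sha256).digest()):
            return False                  # not produced by the hardware
        if nonce not in self._outstanding:
            return False                  # replayed or unsolicited
        self._outstanding.discard(nonce)  # each nonce is good exactly once
        if measurement != self._expected:
            return False                  # wrong or tampered trusted app
        return data_hash == hashlib.sha256(report_data).digest()


def demo():
    """Runs the scenarios and returns their outcomes (constructed inputs)."""
    root, ak = secrets.token_bytes(32), secrets.token_bytes(32)
    tee = SimulatedTEE(root, ak)
    m_good = tee.load("wallet", b"wallet-v1 code")
    tee.load("wallet-evil", b"wallet-v1 code + backdoor")
    blob = tee.seal("wallet", b"private key")
    v = Verifier(ak, m_good)
    quote = tee.attest("wallet", v.challenge(), b"pubkey")
    return {
        "unseal_same_app": tee.unseal("wallet", blob),
        "unseal_other_app": tee.unseal("wallet-evil", blob),
        "attest_ok": v.verify(quote, b"pubkey"),
        "attest_replay": v.verify(quote, b"pubkey"),       # nonce already consumed
        "attest_wrong_data": v.verify(tee.attest("wallet", v.challenge(), b"pubkey"), b"other"),
        "attest_evil_app": v.verify(tee.attest("wallet-evil", v.challenge(), b"pubkey"), b"pubkey"),
    }
```

Two design points carry over to real deployments: the sealing key is derived from the measurement, so an update to the trusted app changes the key and migration of sealed data has to be planned for; and the verifier must track its own nonces, since a quote with a valid signature but a stale nonce is exactly what a replaying attacker presents.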

TEE applications: academic literature (2/2)
- Private neural network evaluation
  [TB19] Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware, ICLR (2019)
- High-performance remote ORAM
  [SGF18] ZeroTrace: Oblivious Memory Primitives from Intel SGX, NDSS (2018)
  [SS19] ConsenSGX: Scaling Anonymous Communications Networks with Trusted Execution Environments, PETS (2019)
  [HOJY19] Hardware-Supported ORAM in Effect: Practical Oblivious Search and Update on Very Large Dataset, PETS (2019)
- Verifiable computation
  [TZLHJS17] Sealed-Glass Proofs: Using Transparent Enclaves to Prove and Sell Knowledge, IEEE EuroS&P (2017)
- Authenticated data feeds
  [ZCCJS16] Town Crier: An Authenticated Data Feed for Smart Contracts, ACM CCS (2016)
Examples only, not a complete list

TEE applications: commercial deployments
- Digital rights management (e.g. Widevine L1 & L2 content decryption)
  Widevine DRM Architecture Overview, https://www.androidauthority.com/widevine-explained-821935/
- Runtime integrity (e.g. OS kernel integrity monitoring)
  [A+14] Samsung TIMA, ACM CCS (2014), https://doi.org/10.1145/2660267.2660350
- Local user authentication (e.g. password authentication, biometrics)
  Android Gatekeeper, https://source.android.com/security/authentication/gatekeeper
  Android Fingerprint HAL, https://source.android.com/security/authentication/fingerprint-hal
  Windows Hello, https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm
- Property attestation (e.g. proof that a cryptographic credential is protected by a TEE)
  Android Key and ID Attestation, https://source.android.com/security/keystore/attestation
  MirrorLink Content Attestation, https://www.etsi.org/deliver/etsi_ts/103500_103599/10354404/01.03.00_60/ts_10354404v010300p.pdf
  Also see [KAE11] Practical Property-Based Attestation on Mobile Devices, TRUST (2011)
Examples only, not a complete list

Downsides of TEEs

Downsides of TEE-based solutions
- Difficulty of developer access

- Risk of TEE compromise

Difficulty of developer access
- TEEs were closed systems
- Tools for TEE software development were cumbersome and/or expensive
- The device or TEE vendor controls which applications are allowed to execute in the TEE
- Ordinary developers cannot deploy TEE apps without vendor approval

Risk of TEE compromise
Software attacks:
- Many trusted applications are written in unsafe languages
- Even correct trusted code can be vulnerable to confused-deputy attacks
- Difficult even for hardware security module vendors [CC19]
Side-channel attacks:
- Timing
- Memory access
- Electromagnetic emanations
[CC19] Everybody be Cool, This is a Robbery!, Black Hat (2019)

Dealing with downsides

Challenge: easy development
- GlobalPlatform standards for TEE interfaces, http://www.globalplatform.org/specificationsdevice.asp
- Open-source tools for TEE app development are available:
  OP-TEE, https://www.op-tee.org/
  Open-TEE, https://open-tee.github.io/
  OpenEnclave, https://openenclave.io

- Developing TEE applications is no longer cumbersome or expensive
[MDNA15] Open-TEE: An Open Virtual Trusted Execution Environment, TRUST (2015)

Challenge: open deployment
On-board Credentials (ObC) (2006-2009):
- Open credential platform leveraging TEE functionality
- Allows any developer to write/use TEE apps
- Deployed in Nokia and Windows smartphones (2009-2012)
- Applications: RSA SecurID, mobile ticketing (trialed at NY MTA LIRR in 2011), even a "soft SIM"
Other efforts to address the deployment hurdle:
- User-centric provisioning work from Royal Holloway, e.g. A Paradigm Shift in Smart Card Ownership Model (2010)
- GlobalPlatform white paper, A New Model: The Consumer-Centric Model and How It Applies to the Mobile Ecosystem (2012)
[KEAR09] On-board credentials with open provisioning, ACM ASIACCS (2009)

Challenge: Dealing with TEE compromise
- Hardware attacks pose a serious threat
- It is no longer reasonable to assume hardware security to be inviolable
- Abandon hardware-assisted TEEs altogether and rely only on cryptographic techniques like MPC instead?
- TEEs still hold the promise of efficient solutions
- Hardware assistance and cryptography are not mutually exclusive! Defense-in-depth is desirable
- Novel approaches for dealing with TEE compromise may be feasible

Challenge: Dealing with TEE compromise
Prevent:
- Formal verification
- Minimal coupling between TEE and REE
Tolerate:
- Replication / redundancy
- Application-specific mitigation

Formal Verification
- Formal verification can prevent software vulnerabilities
- Good track record with protocol specs and implementations: TLS 1.3 [CMSv16]; miTLS, a formally-verified TLS implementation [BFKPS13]
- Applicable to platform security: seL4, a formally-verified microkernel [K+09]; ProvenCore and ProvenCore-M, commercial formally-verified kernels [L15]
- Caveat: formal analysis is only as good as the underlying model; seL4 needed to be patched for Meltdown like everything else
[CMSv16] Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication, IEEE S&P (2016)
[BFKPS13] Implementing TLS with Verified Cryptographic Security, IEEE S&P (2013)
[K+09] seL4: Formal Verification of an OS Kernel, ACM SOSP (2009)
[L15] ProvenCore: Towards a Verified Isolation Micro-Kernel, MILS (2015)

Minimal Coupling
Recall: TEE system architecture

(Figure, adapted from GlobalPlatform, TEE system architecture, 2011: a Device with the Rich execution environment (REE) on one side, running Apps on the Device OS, and the Trusted execution environment (TEE) on the other, running Trusted apps above a TEE management layer; Apps reach the TEE through the TEE API and the TEE entry point; both sides sit on hardware and firmware with TEE support.)

TEE hardware realization alternatives (Minimal Coupling)
Legend: SoC = system-on-chip; OTP = one-time programmable
(Figure, adapted from GlobalPlatform, TEE system architecture, 2011: each alternative is drawn as an SoC with processor core(s), internal peripherals, on-SoC RAM, ROM and OTP fields, plus off-chip memory and external peripherals; the TEE component is placed differently in each.)
- External Secure Element (TPM, smartcards)
- Embedded Secure Element
- External Security Co-processor
- On-chip Security Subsystem
- Processor Secure Environment (SGX, TrustZone, M-Shield)

Minimal coupling (Minimal Coupling)
A spectrum of coupling between TEE and REE:
- TEE closely coupled to REE (Intel SGX, ARM TrustZone): larger attack surface; greater sharing of resources (OS services, cache, memory, processor)
- TEE more isolated from REE (TPM): smaller attack surface

Minimal coupling in the real world (Minimal Coupling)
Discrete security processors in modern smartphones:
- Apple Secure Enclave Processor (SEP)

  Apple, iOS Security Whitepaper, May 2019
- Google Titan M
  Google Device Security Group, Building a Titan, Android Developers Blog, October 2018
Physical isolation mitigates entire classes of hardware-level exploits: the processor, caches, memory and persistent storage are not shared with the main OS.

Layered defense using multiple TEEs (Minimal Coupling, Replication/Redundancy)
Enables division of tasks (and secrets) between two (or more) elements:
- Improved security for stored secrets
  Android StrongBox Keymaster, https://developer.android.com/training/articles/keystore#HardwareSecurityModule
  SEP Secure Key Store, https://support.apple.com/en-us/HT209632
- Sensitive peripheral management (e.g. camera LED indicator, microphone disconnect)
  SEP camera/microphone hardware control, https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf
- Trusted path (e.g. isolated circuit to side buttons)
  Android Protected Confirmation, https://android-developers.googleblog.com/2018/10/android-protected-confirmation.html
- Insider attack resistance (e.g. firmware updates require the device owner's cooperation)
  Android Insider Attack Resistance, https://android-developers.googleblog.com/2018/05/insider-attack-resistance.html

Application-specific mitigation

App-specific mitigation
- Premise: exploiting a hardware compromise may leave tell-tale signs
- Approach: use application-specific domain knowledge to detect or mitigate the effects of hardware compromise

Example: Proof of Elapsed Time (PoET) (App-specific mitigation)
PoET is a replacement for Proof of Work in Bitcoin-like blockchains.
Proof of Work:
- The first miner to solve the puzzle wins (gets to propose the next block)
- Work ~ Exp(difficulty)
- Proposals can be made at a rate proportional to computational power
Proof of Elapsed Time:
- The TEE issues an attestation after waiting (idly) for a while; the first miner to get the attestation wins
- Idle wait time ~ Exp(difficulty)
- Proposals can be made at a rate proportional to the number of idle CPUs
Intel, Hyperledger Sawtooth Documentation, 2015

Example: Dealing with TEE compromise (App-specific mitigation)
- Problem: a compromised TEE can win every block
- Statistical solution: refuse blocks from machines that have won too many times
- Before: compromised TEEs give the attacker unlimited power
- After: attacker power is proportional to the number of compromised TEEs
Design for Failure
Open question: how can TEE-using applications detect/mitigate the effects of TEE compromise?
[Intel15] Hyperledger Sawtooth Documentation (2015)
[C+17] On Security Analysis of Proof-of-Elapsed-Time (PoET), SSS (2017)

Cross-layer design for security (App-specific mitigation; Frank Piessens, 2019)
Hennessy and Patterson on cross-layer design (for performance):

"Achieving significant gains through such approaches will require a vertically integrated design team that understands applications, domain-specific languages and related compiler technology, computer architecture and organization, and the underlying implementation technology."
"In this new era, vertical integration has become more important, and teams that can examine and make complex trade-offs and optimizations will be advantaged."
- Such cross-layer design can have similar benefits for security
- Not surprising, as there are often significant trade-offs between security and performance

Carrying security information across layers (App-specific mitigation; Frank Piessens, 2019)
- Applications may have precise information about what data in the program is confidential
- In state-of-practice compilation, this information is lost
- By preserving this information during compilation, we can use it to selectively close micro-architectural channels used in transient execution attacks
[P+15] Secure compilation to protected module architectures, ACM TOPLAS (2015)
[ASJP12] Secure compilation to modern processors, CSF (2012)
[N+19] HardScope: Hardening Embedded Systems Against Data-Oriented Attacks, ACM DAC (2019)
[LNWPEA19] PAC it up: Towards Pointer Integrity using ARM Pointer Authentication, USENIX Security (2019)

Other types of hardware-assisted security

Software attacks against TEEs
- https://www.blackhat.com/us-15/briefings.html#attacking-your-trusted-core-exploiting-trustzone-on-android (2015)
- https://bits-please.blogspot.com/2016/05/qsee-privilege-escalation-vulnerability.html (2016)
- https://bits-please.blogspot.com/2016/06/extracting-qualcomms-keymaster-keys.html (2016)
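Returning to the PoET "design for failure" idea from the application-specific mitigation slides: the simulation below is added here and is not code from Hyperledger Sawtooth or from [C+17]. It makes the before/after concrete. Honest TEEs draw exponential idle waits; a compromised TEE forges its attestation with zero wait; a simplified z-test (expected wins plus z standard deviations of a binomial, with parameters that are assumptions for the example rather than Sawtooth's) refuses blocks from nodes that have won too often. Without the check one compromised TEE wins every block; with it, each compromised TEE is held to roughly its fair share plus the slack the test allows, so the attacker's power scales with the number of compromised TEEs rather than being unlimited.

```python
"""PoET leader election with compromised TEEs, with and without a statistical
'won too often' check. Constructed simulation, not Hyperledger Sawtooth code;
the z-test is a simplified stand-in for the check Sawtooth applies."""
import math
import random


def win_limit(height, p, z):
    """Most wins a node may hold at chain height `height` before its blocks
    are refused: the expected count p*height plus z standard deviations of a
    Binomial(height, p)."""
    return p * height + z * math.sqrt(height * p * (1.0 - p))


def simulate(n_honest, n_compromised, n_blocks, z=None, seed=1):
    """Returns the fraction of accepted blocks won by compromised TEEs.
    Honest TEEs draw an idle wait ~ Exp(1); a compromised TEE forges its
    attestation immediately (wait 0). z=None disables the check."""
    rng = random.Random(seed)
    honest = [False] * n_compromised + [True] * n_honest   # compromised listed first
    wins = [0] * len(honest)
    p = 1.0 / len(honest)                                  # fair share per node
    height = 0
    while height < n_blocks:
        # One round: every node's TEE reports how long it waited; a forged
        # attestation reports zero.
        waits = [rng.expovariate(1.0) if h else 0.0 for h in honest]
        # Nodes whose block the network would refuse are dropped from the round.
        eligible = [i for i in range(len(honest))
                    if z is None or wins[i] <= win_limit(height, p, z)]
        if not eligible:              # would halt the chain; never hit with z=3
            eligible = list(range(len(honest)))
        # Shortest wait wins; ties go to the lowest index (a forging node).
        winner = min(eligible, key=lambda i: (waits[i], i))
        wins[winner] += 1
        height += 1
    return sum(wins[:n_compromised]) / n_blocks


def demo():
    """Attacker share in three scenarios over 1000 blocks, ten nodes each."""
    return {
        "one_compromised_no_check": simulate(9, 1, 1000),
        "one_compromised_checked": simulate(9, 1, 1000, z=3.0),
        "three_compromised_checked": simulate(7, 3, 1000, z=3.0),
    }
```

The slack term z*sqrt(h*p*(1-p)) grows more slowly than the fair share p*h, so a long-running attacker converges to its fair share; a smaller z tightens the bound but starts refusing blocks from honest nodes that are merely lucky, which is the usual detection trade-off between false negatives and false positives.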

Protection against software attacks
Novel hardware architectures: CHERI, fat pointers, ...
Hardware extensions rolled out by processor vendors:
- x86: Memory Protection Keys (MPK), Memory Protection eXtensions (MPX)
- ARM: Pointer Authentication (PA), Memory Tagging Extension (MTE), Branch Target Identification (BTI)

How to utilize hardware-security primitives?
- New hardware primitives are being rolled out
- Can we efficiently combine them to achieve new security properties?
- How do different techniques compare? E.g., do ARM PA and shadow stacks achieve similar security for return-address protection?
- Understanding can help hardware vendors choose which mechanisms to deploy
Intel, Intel 64 and IA-32 Architectures Software Developer Manuals (2019)
ARM, Armv8.5-A Memory Tagging Extension (2019)
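To make the PA entry above concrete, here is a simulation of PA-style return-address signing, added as an illustration; it is not ARM's QARMA-based PAC computation and not code from [LNWPEA19]. A key the attacker cannot read, a truncated MAC over (pointer, modifier) stored in the upper 16 bits of a 64-bit pointer (48-bit virtual addresses assumed), the stack pointer used as the modifier (the common choice for return addresses), and a frame whose spilled return address an attacker rewrites. It shows that a plain overwrite fails authentication, but that a previously signed pointer replayed into a frame with the same modifier still passes, which is the pointer-reuse concern that makes the choice of modifier matter. The key, the addresses and the frame layout are constructed.

```python
"""Simulation of ARM Pointer Authentication for return addresses (constructed
example). The 'core' holds a key the attacker cannot read, computes a PAC over
(pointer, modifier) and keeps it in the pointer's unused upper bits."""
import hashlib
import hmac

VA_BITS = 48                               # assumed: 48-bit virtual addresses
PTR_MASK = (1 << VA_BITS) - 1              # address part of a 64-bit pointer
PAC_MASK = ((1 << 64) - 1) & ~PTR_MASK     # upper 16 bits hold the PAC


def _pac(key, ptr, modifier):
    """Truncated MAC over the address and the modifier, shifted into the PAC bits."""
    msg = ptr.to_bytes(8, "big") + modifier.to_bytes(8, "big")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "big") << VA_BITS


def pac_sign(key, ptr, modifier):
    """PACIA-like: sign a plain pointer under a modifier (here the stack pointer)."""
    if ptr & PAC_MASK:
        raise ValueError("pointer already carries PAC bits")
    return ptr | _pac(key, ptr, modifier)


def pac_auth(key, signed, modifier):
    """AUTIA-like: returns the plain pointer, or None on failure. A real core
    instead returns a poisoned pointer so that the next use of it faults."""
    ptr = signed & PTR_MASK
    if (signed & PAC_MASK) != _pac(key, ptr, modifier):
        return None
    return ptr


def call_and_return(key, sp, ret_addr, corrupt=None):
    """Callee prologue signs the return address with SP as modifier and spills
    it; `corrupt` models an attacker rewriting the spilled value (e.g. via a
    stack overflow); the epilogue authenticates before returning."""
    spilled = pac_sign(key, ret_addr, sp)
    if corrupt is not None:
        spilled = corrupt(spilled)
    return pac_auth(key, spilled, sp)


def demo():
    """Four scenarios on constructed addresses; returns where each 'returns' to."""
    key = bytes(range(16))                    # assumed per-process PA key
    ret_addr, gadget = 0x40_1000, 0x40_2000   # constructed code addresses
    sp_a, sp_b = 0x7FFF_F000, 0x7FFF_E000     # two different frame positions
    # Value the attacker harvested earlier: `gadget` legitimately signed for a
    # frame at sp_a (e.g. a return address of some other call site).
    harvested = pac_sign(key, gadget, sp_a)
    return {
        "benign": call_and_return(key, sp_a, ret_addr),
        # Plain overwrite: the attacker cannot compute the PAC without the key.
        "overwrite": call_and_return(key, sp_a, ret_addr, lambda _: gadget),
        # Replay under the SAME modifier passes: PA alone does not stop reuse
        # of a signed pointer in a frame whose SP happens to match.
        "reuse_same_sp": call_and_return(key, sp_a, ret_addr, lambda _: harvested),
        # Replay under a different modifier fails.
        "reuse_other_sp": call_and_return(key, sp_b, ret_addr, lambda _: harvested),
    }
```

The 16-bit PAC also means an attacker who can retry has a 1 in 65536 chance per guess; in this simulation a failed authentication returns None, whereas on hardware the poisoned pointer faults on use, so a guess costs a crash, which is what makes brute force impractical in practice.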

Forthcoming IEEE S&P Special Issue
IEEE Security and Privacy Magazine Special Issue on Hardware-assisted Security, mid-to-late 2020
Submissions: Dec 22, 2019
https://computer.org/digital-library/magazines/sp/call-for-papers-special-issue-on-hardware-assisted-security

Takeaways
- TEEs have been around for more than two decades
- The dominant design choice was informed by cost and usability considerations
- Unconditional trust in hardware TEEs is no longer acceptable
- TEEs are still useful: defense-in-depth; novel mitigations for TEE failure possible?
- Other hardware-assisted security mechanisms to harden software are emerging

https://asokan.org/asokan/ @nasokan
Thanks to my students: Lachlan J. Gunn, Hans Liljestrand, Thomas Nyman

Acknowledgments
Icons on "Platform security for mobile devices" and "Dealing with TEE compromise" made by those-icons, freepik, and Good Ware from www.flaticon.com, licensed by CC 3.0 BY
Icons on "Mobile TEEs: Motivation" made by Good Ware from www.flaticon.com, licensed by CC 3.0 BY
Nokia 6630 image by JotWu from en.wikipedia.org, licensed by CC 3.0 BY
Web icon on title slide from material.io, licensed by Apache 2.0
