11 |
Arguing Assurance in Trusted Execution Environments using Goal Structuring Notation / Argumentera assurans i trusted execution environment med goal structuring notationCole, Nigel January 2021 (has links)
A trusted execution environment (TEE) is an isolated environment used for trusted execution. TEE solutions are usually proprietary and specific for a certain hardware specification, thereby limiting developers that use those TEEs. A potential solution to this issue is the use of open-source alternatives such as the TEE framework Keystone and the Reduced Instruction Set Computer V (RISC-V) hardware. These alternatives are rather young and are not as well established as the variants developed by ARM and Intel. To this end, the assurance in Keystone and RISC-V are analysed by studying a remote attestation assurance use case using the goal structuring notation (GSN) method. The aim is to investigate how GSN can be utilised to build assurance cases for TEEs on RISC-V. This thesis presents a process of how GSNs can be created to argue assurance for a TEE solution. Furthermore, Keystone operates under a specific threat model with made assumptions that may have a large impact depending on the use case. Therefore, Keystone is analysed to understand whether the framework mitigates existing vulnerabilities in TEEs. It is concluded that GSN is a viable method for arguing assurance in TEEs, providing great freedom in the creation of the GSN model. The freedom is also its weakness since the argument composition has a high impact on the argument. Furthermore, we conclude that Keystone mitigates multiple known vulnerabilities primarily through made assumptions in its threat model. These cases need to be considered by developers utilising Keystone to determine whether or not the assumptions are valid for their use case.
|
12 |
The Viability of Using Trusted Execution Environments to Protect Data in Node-RED : A study on using AMD-SEV and Intel SGX to protect sensitive data when Node-RED is deployed on the cloud. / Möjligheten att använda Trusted Execution Environments för att skydda data i Node-RED : En studie om användandet av AMD-SEV och Intel SGX för att skydda känslig data när Node-RED körs på molnet.Leijonberg, Carl January 2021 (has links)
The Internet of Things (IoT) consists of a network of physical devices that are connected over the internet for the purpose of exchanging data with other devices and systems. IoT platforms, such as Node-RED, have been introduced in recent times to facilitate communication between different IoT devices. Hosting Node-RED on a cloud service provider might result in the confidentiality of sensitive data on Node-RED being violated by malicious attackers, since users are forced to entrust their sensitive data with the cloud service providers. Using trusted execution environments, such as AMD-SEV and Intel SGX, can mitigate several potential attacks from exposing sensitive information in Node-RED. This thesis investigates if AMD-SEV and Intel SGX are viable options to protect sensitive data in Node-RED when hosted on a cloud service provider. The work in this thesis investigates difficulties encountered when deploying Node-RED on AMD-SEV and Intel SGX, from a usability perspective. Usability is measured by running Node-RED in AMDSEV and Intel SGX, and then recording the complexity of the process. Several performance tests are conducted to measure the performance overhead of Node-RED caused by AMD-SEV. A literature review is also conducted to investigate potential vulnerabilities in AMD-SEV and Intel SGX that could undermine the security of user’s data in Node-RED. The results from this thesis finds that AMD-SEV is a viable option to protect sensitive data in Node-RED when hosted on a cloud service provider. Deploying Node-RED on AMD-SEV is found to be a relatively simple process from a usability perspective. There are some noticeable performance overhead with regards to CPU utilization and TCP throughput, but all other metrics show marginal performance overhead. The potential vulnerabilities in AMD-SEV are not found to be significant enough to make AMD-SEV unviable. The thesis finds Intel SGX to be an unviable solution primarily due to usability. The process of running Node-RED in an Intel SGX enclave is extremely complex and the results show that for most users of Node-RED, this is not viable. The security vulnerabilities found from the literature review, are not significant enough to make Intel SGX an unviable option to protect sensitive user data inNode-RED. / Internet of Things (IoT) är en nätverk av fysiska enheter som är sammankopplade via internet för att kunna skicka data till andra fysiska enheter eller system. IoTplattformar, som Node-RED, har utvecklats för att förenkla kommunikationen mellan olika IoT- enheter. Att köra Node-RED på en molntjänst kan leda till att sekretessen av känslig data på Node-RED blir kränkt av en attack mot molntjänsten. Det är på grund av att användarna av Node-RED är tvungna att tillförlita deras känsliga data till molntjänsten, som deras data kan bli kränkt. Detta problem kan förminskas genom att användarna utnyttjar trusted execution environments som AMD-SEV och Intel SGX för att skydda sin känsliga data på molntjänsten. I denna avhandling, undersöks det om AMDSEV och Intel SGX kan användas för att skydda data i Node-RED när den körs på en molntjänst. Användarvänligheten av att köra Node-RED med AMD-SEV och Intel SGX undersöks genom att uppskatta hur komplicerad denna process är. Flera tester genomförs också för att mäta vilken påverkan AMD-SEV har på prestandan av Node-RED. En litteraturöversikt genomförs också för att undersöka potentiella sårbarheter i AMD-SEV och Intel SGX som skulle kunna utnyttjas för att komma åt känslig data i Node-RED. Resultaten från avhandlingen visar att AMD-SEV kan vara användbart för att skydda känslig data i Node-RED när den körs på en molntjänst. AMDSEV är väldigt användarvänlig när Node-RED ska köras. AMD-SEV har en märkbar påverkan på prestandan av processorn och TCP- genomströmning, men för de andra faktorerna som mäts har AMD-SEV ingen större påverkan. Litteraturöversikten finner inga sårbarheter som är tillräckligt farliga för att göra AMD-SEV oanvändbar för att skydda känslig data iNode-RED. Resultaten från avhandlingen visar dock att Intel SGX inte är särskilt användbar för att skydda känslig data i Node-RED när den körs på en molntjänst. Detta är främst för att det är väldigt komplicerat att köra Node-RED i en Intel SGX enklav från en användarvänlighet synpunkt. De flesta av Node-REDs användare skulle finna det för komplicerat att använda Intel SGX för att skydda sin känsliga data. Litteraturöversikten finner inga sårbarheter allvarliga nog för att göra Intel SGX oanvändbar.
|
13 |
Securing cloud-hosted IoT Workflows with Intel SGXJamil Ahsan, Adnan January 2022 (has links)
The rapid increase in the number of IoT devices and their widespread applications demands secure and scalable solutions for managing and executing IoT workflows. This thesis investigates the security of IoT workflows created in Node-RED, an open-source visual programming tool, and deployed on untrusted hosts managed by a major cloud service provider, Azure. The hypothesis was that the security of IoT workflows could be improved by utilizing a trusted execution environment, such as Intel SGX. Additionally, an assessment of consequent performance degradation was proposed. A threat model for an IoT workflow system scenario was established using the STRIDE threat modeling framework. An evaluation of the security guarantees provided by the prototype system was performed using an analysis comparing the security guarantees of underlying technologies, predominantly Intel SGX, and aggregating them to establish the security promises of the final system. The performance evaluation of the system was conducted using a set of experimental workflows, executed both natively on Linux and inside Intel SGX. The proposed prototype system was deemed to be capable of mitigating 15 out of 18 potential threats defined in the threat model, which indicates a significant threat risk reduction. However, the added security resulted in degraded performance, which was considerable when executing system calls and significantly noticeable for workflows requiring multi-threading. The results showed that node execution time inside SGX was 4.8 times slower and the mean round trip time for workflow execution was 6 times slower than the native execution. The thesis aims to provide a starting point for estimating performance degradation for potential future applications requiring secure IoT workflow deployment on untrusted hosts. / Den snabba ökningen av antalet IoT-enheter i dagens samhälle och deras breda användningsområden kräver säkra och skalbara lösningar för exekvering av IoT-arbetsflöden. Detta examensarbete undersöker säkerheten för IoT-arbetsflöden skapade i Node-RED, ett öppen källkodsverktyg för visuell programmering, i kontexten att dessa arbetsflöden exekveras på opålitliga enheter som hanteras av molntjänstföretag, som i detta fall är Azure. Hypotesen var att säkerhetsgarantin för IoT-arbetsflöden kunde förbättras genom att använda en betrodd exekveringmiljö, såsom Intel SGX. Dessutom krävdes en utvärdering av påföljderna på systemets prestanda som en konsekvens av den betrodda exekveringmiljöns användning. En hotmodell för ett IoT-arbetsflödesystem etablerades med hjälp av ramverket STRIDE. En bedömning av säkerhetsgarantierna som tillhandahålls av prototypsystemet genomfördes med hjälp av en kvalitativ analys som jämförde säkerhetsgarantier för underliggande teknologier, främst Intel SGX, och aggregerade dessa för att etablera säkerhetsgarantin för det slutgiltiga systemet. Prestandautvärderingen av systemet genomfördes med hjälp av ett antal experimentella arbetsflöden, som exekverades både direkt på Linux och inuti den betrodda exekveringsmiljön Intel SGX. I det föreslagna prototypsystemet ansågs 15 utav 18 potentiella hot som definierats i hotmodellen vara försumbara, vilket indikerar en signifikant reduktion av hotbilden. Dock resulterade den ökade säkerheten i en försämrad prestanda, som var betydande när systemanrop användes och synnerligen märkbar för flöden som krävde parallellisering. Resultaten visade att nodexekveringstiden inuti SGX var 4,8 gånger långsammare och medelvärdet för rundturstiden för exekvering av ett arbetsflöde var 6 gånger långsammare än den direkta exekveringen. Examensarbetet syftar till att ge en utgångspunkt för att bedöma prestandaförsämringen för potentiella framtida applikationer som kräver säkra IoT-arbetsflöden exekverade på opålitliga enheter.
|
14 |
Methodologies, Techniques, and Tools for Understanding and Managing Sensitive Program InformationLiu, Yin 20 May 2021 (has links)
Exfiltrating or tampering with certain business logic, algorithms, and data can harm the security and privacy of both organizations and end users. Collectively referred to as sensitive program information (SPI), these building blocks are part and parcel of modern software systems in domains ranging from enterprise applications to cyberphysical setups. Hence, protecting SPI has become one of the most salient challenges of modern software development. However, several fundamental obstacles stand on the way of effective SPI protection: (1) understanding and locating the SPI for any realistically sized codebase by hand is hard; (2) manually isolating SPI to protect it is burdensome and error-prone; (3) if SPI is passed across distributed components within and across devices, it becomes vulnerable to security and privacy attacks. To address these problems, this dissertation research innovates in the realm of automated program analysis, code transformation, and novel programming abstractions to improve the state of the art in SPI protection. Specifically, this dissertation comprises three interrelated research thrusts that: (1) design and develop program analysis and programming support for inferring the usage semantics of program constructs, with the goal of helping developers understand and identify SPI; (2) provide powerful programming abstractions and tools that transform code automatically, with the goal of helping developers effectively isolate SPI from the rest of the codebase; (3) provide programming mechanism for distributed managed execution environments that hides SPI, with the goal of enabling components to exchange SPI safely and securely.
The novel methodologies, techniques, and software tools, supported by programming abstractions, automated program analysis, and code transformation of this dissertation research lay the groundwork for establishing a secure, understandable, and efficient foundation for protecting SPI.
This dissertation is based on 4 conference papers, presented at TrustCom'20, GPCE'20, GPCE'18, and ManLang'17, as well as 1 journal paper, published in Journal of Computer Languages (COLA). / Doctor of Philosophy / Some portions of a computer program can be sensitive, referred to as sensitive program information (SPI). By compromising SPI, attackers can hurt user security/privacy. It is hard for developers to identify and protect SPI, particularly for large programs. This dissertation introduces novel methodologies, techniques, and software tools that facilitate software developments tasks concerned with locating and protecting SPI.
|
15 |
Optimizing TEE Protection by Automatically Augmenting Requirements SpecificationsDhar, Siddharth 03 June 2020 (has links)
An increasing number of software systems must safeguard their confidential data and code, referred to as critical program information (CPI). Such safeguarding is commonly accomplished by isolating CPI in a trusted execution environment (TEE), with the isolated CPI becoming a trusted computing base (TCB). TEE protection incurs heavy performance costs, as TEE-based functionality is expensive to both invoke and execute. Despite these costs, projects that use TEEs tend to have unnecessarily large TCBs. As based on our analysis, developers often put code and data into TEE for convenience rather than protection reasons, thus not only compromising performance but also reducing the effectiveness of TEE protection. In order for TEEs to provide maximum benefits for protecting CPI, their usage must be systematically incorporated into the entire software engineering process, starting from Requirements Engineering. To address this problem, we present a novel approach that incorporates TEEs in the Requirements Engineering phase by using natural language processing (NLP) to classify those software requirements that are security critical and should be isolated in TEE. Our approach takes as input a requirements specification and outputs a list of annotated software requirements. The annotations recommend to the developer which corresponding features comprise CPI that should be protected in a TEE. Our evaluation results indicate that our approach identifies CPI with a high degree of accuracy to incorporate safeguarding CPI into Requirements Engineering. / Master of Science / An increasing number of software systems must safeguard their confidential data like passwords, payment information, personal details, etc. This confidential information is commonly protected using a Trusted Execution Environment (TEE), an isolated environment provided by either the existing processor or separate hardware that interacts with the operating system to secure sensitive data and code. Unfortunately, TEE protection incurs heavy performance costs, with TEEs being slower than modern processors and frequent communication between the system and the TEE incurring heavy performance overhead. We discovered that developers often put code and data into TEE for convenience rather than protection purposes, thus not only hurting performance but also reducing the effectiveness of TEE protection. By thoroughly examining a project's features in the Requirements Engineering phase, which defines the project's functionalities, developers would be able to understand which features handle confidential data. To that end, we present a novel approach that incorporates TEEs in the Requirements Engineering phase by means of Natural Language Processing (NLP) tools to categorize the project requirements that may warrant TEE protection. Our approach takes as input a project's requirements and outputs a list of categorized requirements defining which requirements are likely to make use of confidential information. Our evaluation results indicate that our approach performs this categorization with a high degree of accuracy to incorporate safeguarding the confidentiality related features in the Requirements Engineering phase.
|
16 |
Recommending TEE-based Functions Using a Deep Learning ModelLim, Steven 14 September 2021 (has links)
Trusted execution environments (TEEs) are an emerging technology that provides a protected hardware environment for processing and storing sensitive information. By using TEEs, developers can bolster the security of software systems. However, incorporating TEE into existing software systems can be a costly and labor-intensive endeavor. Software maintenance—changing software after its initial release—is known to contribute the majority of the cost in the software development lifecycle. The first step of making use of a TEE requires that developers accurately identify which pieces of code would benefit from being protected in a TEE. For large code bases, this identification process can be quite tedious and time-consuming. To help reduce the software maintenance costs associated with introducing a TEE into existing software, this thesis introduces ML-TEE, a recommendation tool that uses a deep learning model to classify whether an input function handles sensitive information or sensitive code. By applying ML-TEE, developers can reduce the burden of manual code inspection and analysis. ML-TEE's model was trained and tested on functions from GitHub repositories that use Intel SGX and on an imbalanced dataset. The accuracy of the final model used in the recommendation system has an accuracy of 98.86% and an F1 score of 80.00%. In addition, we conducted a pilot study, in which participants were asked to identify functions that needed to be placed inside a TEE in a third-party project. The study found that on average, participants who had access to the recommendation system's output had a 4% higher accuracy and completed the task 21% faster. / Master of Science / Improving the security of software systems has become critically important. A trusted execution environment (TEE) is an emerging technology that can help secure software that uses or stores confidential information. To make use of this technology, developers need to identify which pieces of code handle confidential information and should thus be placed in a TEE. However, this process is costly and laborious because it requires the developers to understand the code well enough to make the appropriate changes in order to incorporate a TEE. This process can become challenging for large software that contains millions of lines of code. To help reduce the cost incurred in the process of identifying which pieces of code should be placed within a TEE, this thesis presents ML-TEE, a recommendation system that uses a deep learning model to help reduce the number of lines of code a developer needs to inspect. Our results show that the recommendation system achieves high accuracy as well as a good balance between precision and recall. In addition, we conducted a pilot study and found that participants from the intervention group who used the output from the recommendation system managed to achieve a higher average accuracy and perform the assigned task faster than the participants in the control group.
|
17 |
A Study on Private and Secure Federated Learning / プライベートで安全な連合学習Kato, Fumiyuki 25 March 2024 (has links)
京都大学 / 新制・課程博士 / 博士(情報学) / 甲第25427号 / 情博第865号 / 新制||情||145(附属図書館) / 京都大学大学院情報学研究科社会情報学専攻 / (主査)教授 伊藤 孝行, 教授 黒田 知宏, 教授 岡部 寿男, 吉川 正俊(京都大学 名誉教授) / 学位規則第4条第1項該当 / Doctor of Informatics / Kyoto University / DFAM
|
18 |
Towards attack-tolerant trusted execution environments : Secure remote attestation in the presence of side channelsCrone, Max January 2021 (has links)
In recent years, trusted execution environments (TEEs) have seen increasing deployment in computing devices to protect security-critical software from run-time attacks and provide isolation from an untrustworthy operating system (OS). A trusted party verifies the software that runs in a TEE using remote attestation procedures. However, the publication of transient execution attacks such as Spectre and Meltdown revealed fundamental weaknesses in many TEE architectures, including Intel Software Guard Exentsions (SGX) and Arm TrustZone. These attacks can extract cryptographic secrets, thereby compromising the integrity of the remote attestation procedure. In this work, we design and develop a TEE architecture that provides remote attestation integrity protection even when confidentiality of the TEE is compromised. We use the formally verified seL4 microkernel to build the TEE, which ensures strong isolation and integrity. We offload cryptographic operations to a secure co-processor that does not share any vulnerable microarchitectural hardware units with the main processor, to protect against transient execution attacks. Our design guarantees integrity of the remote attestation procedure. It can be extended to leverage co-processors from Google and Apple, for wide-scale deployment on mobile devices. / Under de senaste åren används betrodda exekveringsmiljöer (TEE) allt mera i datorutrustning för att skydda säkerhetskritisk programvara från attacker och för att isolera dem från ett opålitligt operativsystem. En betrodd part verifierar programvaran som körs i en TEE med hjälp av fjärrattestering. Nyliga mikroarkitekturella anfall, t.ex. Spectre och Meltdown, har dock visat grundläggande svagheter i många TEE-arkitekturer, inklusive Intel SGX och Arm TrustZone. Dessa attacker kan avslöja kryptografiska hemligheter och därmed äventyra integriteten av fjärrattestning. I det här arbetet utvecklar vi en arkitektur för en betrodd exekveringsmiljö (TEE) som ger integritetsskydd genom fjärrattestering även när TEE:s konfidentialitet äventyras. Vi använder den formellt verifierade seL4-mikrokärnan för att bygga TEE:n som garanterar stark isolering och integritet. För att skydda kryptografiska operationer, overför vi dem till en säker samprocessor som inte delar någon sårbar mikroarkitektur med huvudprocessorn. Vår arktektur garanterar fjärrattesteringens integritet och kan utnyttja medprocessorer från Google och Apple för att användas i stor skala på mobila enheter.
|
19 |
Side-Channel Attacks on Intel SGX: How SGX Amplifies The Power of Cache AttackMoghimi, Ahmad 27 April 2017 (has links)
In modern computing environments, hardware resources are commonly shared, and parallel computation is more widely used. Users run their services in parallel on the same hardware and process information with different confidentiality levels every day. Running parallel tasks can cause privacy and security problems if proper isolation is not enforced. Computers need to rely on a trusted root to protect the data from malicious entities. Intel proposed the Software Guard eXtension (SGX) to create a trusted execution environment (TEE) within the processor. SGX allows developers to benefit from the hardware level isolation. SGX relies only on the hardware, and claims runtime protection even if the OS and other software components are malicious. However, SGX disregards any kind of side-channel attacks. Researchers have demonstrated that microarchitectural sidechannels are very effective in thwarting the hardware provided isolation. In scenarios that involve SGX as part of their defense mechanism, system adversaries become important threats, and they are capable of initiating these attacks. This work introduces a new and more powerful cache side-channel attack that provides system adversaries a high resolution channel. The developed attack is able to virtually track all memory accesses of SGX execution with temporal precision. As a proof of concept, we demonstrate our attack to recover cryptographic AES keys from the commonly used implementations including those that were believed to be resistant in previous attack scenarios. Our results show that SGX cannot protect critical data sensitive computations, and efficient AES key recovery is possible in a practical environment. In contrast to previous attacks which require hundreds of measurements, this is the first cache side-channel attack on a real system that can recover AES keys with a minimal number of measurements. We can successfully recover the AES key from T-Table based implementations in a known plaintext and ciphertext scenario with an average of 15 and 7 samples respectively.
|
20 |
Detection of side-channel attacks targeting Intel SGX / Detektion av attacker mot Intel SGXLantz, David January 2021 (has links)
In recent years, trusted execution environments like Intel SGX have allowed developers to protect sensitive code inside so called enclaves. These enclaves protect its code and data even in the cases of a compromised OS. However, SGX enclaves have been shown to be vulnerable to numerous side-channel attacks. Therefore, there is a need to investigate ways that such attacks against enclaves can be detected. This thesis investigates the viability of using performance counters to detect an SGX-targeting side-channel attack, specifically the recent Load Value Injection (LVI) class of attacks. A case study is thus presented where performance counters and a threshold-based detection method is used to detect variants of the LVI attack. The results show that certain attack variants could be reliably detected using this approach without false positives for a range of benign applications. The results also demonstrate reasonable levels of speed and overhead for the detection tool. Some of the practical limitations of using performance counters, particularly in an SGX-context, are also brought up and discussed.
|
Page generated in 0.1444 seconds