Secure I/O with Intel SGX

Research output: Thesis (Master's Thesis), Research

Abstract

Unlike earlier mobile phones, modern smartphones are no longer designed for a single, well-defined use case. They not only feature a fully fledged general-purpose CPU but also ship with a large and ever-growing set of application software. It is extremely difficult to keep such a large software stack completely free of bugs. Hence, smartphones today are as susceptible to malware as notebooks and personal computers. To tackle this issue, recent work has put a lot of effort into building secure execution environments in which an application is protected by a completely isolated execution container. Bugs in the large software stack then do not directly affect the protected application.

However, secure execution alone is not enough. Many applications on a mobile device require secure interaction with the user. Consider a secure application that requests user passwords and credit card information or provides secure chat. No piece of untrusted code outside the secure application may have access to user input and output. Without a method for secure I/O, secure execution technology might be of no value to the end user at all, since sensitive information cannot be communicated securely. Therefore, secure I/O is needed.

To achieve secure I/O, one can encrypt sensitive content between the I/O device and the secure application, so that no malicious software can sniff user input or output. However, mobile devices such as smartphones or notebooks are typically restricted to legacy I/O devices, which do not support encryption at all. Therefore, secure I/O has to be assisted by the secure execution technology.

Apart from ARM TrustZone, there is currently no appropriate secure execution technology available that addresses secure I/O with legacy I/O devices. Intel Software Guard Extensions (SGX), for example, is a major upcoming player in secure execution technology but completely lacks support for secure I/O. Because of its expected broad dissemination in the near future, we investigate enabling secure I/O with Intel SGX. In a proof of concept, we supplement SGX with a security microkernel, seL4. We use seL4 to transparently and exclusively bind an I/O device to an SGX-hardened application. This enables secure I/O from within that application, even in the presence of malware. By trusting the security kernel, we accept a larger Trusted Computing Base. This is acceptable since seL4 is both small and amenable to formal verification. Finally, we discuss possible modifications to SGX hardware that would support secure I/O by design. This would eliminate the need for a security kernel and make secure I/O easier to integrate into existing software stacks.
Original language: English
Qualification: Master of Science
Awarding Institution
  • Institute of Applied Information Processing and Communications (7050)
Supervisors/Advisors
  • Werner, Mario, Advisor
  • Mangard, Stefan, Supervisor
Award date: 19 May 2016
Publication status: Published - 2016

Fingerprint

Mobile devices
Laptop computers
Mobile phones
Application programs
Personal computers
Cryptography
Program processors
Containers
Hardware
Malware
Trusted computing

Cite this

Secure I/O with Intel SGX. / Weiser, Samuel.

2016.


Weiser, S 2016, 'Secure I/O with Intel SGX', Master of Science, Institute of Applied Information Processing and Communications (7050).