Peter R. Pietzuch prp@doc.ic.ac.uk

Maru:Hardware-Assisted Secure Cloud Computing

Peter Pietzuch

Large-Scale Distributed Systems GroupDepartment of Computing, Imperial College London

http://lsds.doc.ic.ac.uk

ATI – February 2017

prp@imperial.ac.uk

Trust Issues: Provider Perspective

• Cloud provider does not trust users

• Use virtual machines to isolateusers from each other and the host

• VMs only provide one way protection

2

Redis

OS

VMM

Firmware

Cloud platform

Staff

…

trust

ed

Trust Issues: User Perspective

• Users trust their applications

• Users must implicitly trust cloud provider

• Existing applications implicitlyassume trusted operating system

3

Redis

OS

VMM

Firmware

Cloud platform

Staff

…

untru

sted

Trusted Execution with Intel SGX

• Users create HW-enforced trusted environment

• Supports unprivilegeduser code

• Protects against strong attacker model

• Remote attestation

• Available oncommodity CPUs

4

OS

VMM

Firmware

Cloud platform

Staff

…

untru

sted

Enclave

• New enclave processor mode

• 18 new instructions to manage enclave life cycle

• Enclave memory only accessible from enclave

• Certain instructions disallowed, e.g., syscall

5

…EENTER…

Execute…Return

privileged access from OS, VMM forbidden

untrusted trusted

Intel SGX: Hardware-Assisted Security

• No system calls

• Performanceoverhead

SGX: System Call Overhead (pwrite)

l

l

l

l

l

l

l

l

10

100

1000

10000

1 2 3 4 5 6 7 8Threads

Syst

em c

alls

(100

0s/s

)

glibc (32 B)

glibc (64 KB)

SGX SDK (32 B)

SGX SDK (64 KB)

System calls outside of enclave are expensive

SGX: Memory Access Overhead

l l l ll

l

l l l l l l l l

l l l l l l l

l

l

ll

l

l l l l l l l

l

l

ll

l l l l l l l l ll

l

l

ll l

ava

ila

ble

E

PC

size

L3

size

1

10

100

1000

2 4 8 16 32 64 128 25692

Allocated memory size (MiB)

No

rm

alize

d ru

n tim

e

l

l

Reads (random)

Reads (sequential)

Writes (random)

Writes (sequential)

Reads (random)

Reads (sequential)

Writes

(random)

Writes (sequential)

Large amount of enclave memory leads to poor performance

SGX Research Challenges

8

Untrustedcomponent

Secure enclave

Sensitive code

and data

TCB size

Attacksurface

Performanceoverhead

1. II. Privilege Separation

(Minimal TCB?)

I. Complete unmodified applications in enclaves

(Systems support?)

Systems Support for SGX?

9

Operating System

Hardware

Application

Libraries

C Library (libc)

Operating System

Hardware

Application

Libraries

C Library (libc)

1. SCONE: Secure CONtainer Environment

• 1. Good performance/security trade-off– Small TCB (0.8×–2.1× of native size)– Low overhead (0.3×–1.1× of native

throughput)

• 2. Efficient system call support– M:N user-level threading– Asynchronous syscall execution

• 3. Transparent interface shielding– Encryption of file descriptors– TLS support for network sockets– Encrypted data stored outside enclave

Host operating system (Linux)Container

SCONE kernelmodule

Enclave

Syst

em c

all

requ

ests

SGX-aware C libraryAsynchronous system call interface

Application-specific librariesFile system shieldNetwork shield

trusted

Syst

em c

all

resp

onse

s

lock-freequeuesscall4

scall5scall6

SCONEcomponent

Intel SGXdriver

resp2resp3

M:N Threading

Application Code

Exte

rnal

con

tain

er in

terf

ace

trus

ted

untr

uste

dresp1

2. Glamdring: Application Partitioning

11

Code GenerationGraph Partitioning

Modifiedbinary(initial

tainting)

Originalsource code

Untrustedapp code

Sensitiveapp code

Trace Collection

Instru-mentedbinary

/path/to/file1 function1

/path/to/file2 function2

/path/to/file3 function3

/path/to/file4 function4

/path/to/file5 function5

/path/to/file5 function5

/path/to/file6 function6

/path/to/file7 function7

/path/to/file8 function8

1. Static / Dynamic Analysis

2. Graphpartitioning

3. Automated source-to-source code transform

Collect information to obtain valid partitioning

Find partitioning of application

Implement partitioning using Intel SGX SDK

3. LibSEAL: Secure Auditing Library

• LibSEAL: Secure TLS Auditing Library – Provide accountability to TLS-enabled application– Help link integrity violations to origin

• Workflow:1. Securely log communication

between client and service2. Audit against application-specific

invariants

• Use cases:– Dropbox: Have files been lost?– Git: Is the the server hiding commits?– Owncloud: Were there illegitimate modifications to content or layout?

12

T3.2 Set of reusable secure micro-services

libseal – secure auditing library (I)

Provide accountability to legacy SSL-enabled application → Link (malicious) behaviour to its origin

Targets data integrity

Privacy-preserving

No (trusted) third party

Workflow:

1. Securely log conversation

between client and server

2. Audit against application-specific

properties

Cloud infrastructure (untrusted)

Enclave (trusted)

libseal(terminates SSL)

SSL-enabled

Appli-cation

ClientClientClientClient

log

T3.2 Set of reusable secure micro-services

libseal – secure auditing library (II)

Use cases

Git

Have any files been modified?

Is the the server hiding any commits, branches or tags?

Owncloud collaborative text editor

Did the server or any illegitimate users access thedocument or modify its content or layout?

Dropbox

Have any files been modified or accessed by anyillegitimate users or the server?

T3.2 Set of reusable secure micro-services

libseal – secure auditing library (II)

Use cases

Git

Have any files been modified?

Is the the server hiding any commits, branches or tags?

Owncloud collaborative text editor

Did the server or any illegitimate users access thedocument or modify its content or layout?

Dropbox

Have any files been modified or accessed by anyillegitimate users or the server?

T3.2 Set of reusable secure micro-services

libseal – secure auditing library (II)

Use cases

Git

Have any files been modified?

Is the the server hiding any commits, branches or tags?

Owncloud collaborative text editor

Did the server or any illegitimate users access thedocument or modify its content or layout?

Dropbox

Have any files been modified or accessed by anyillegitimate users or the server?

Maru: Security Threats in Data Science

13

Hardware

Hypervisor

Data science job

Other VMVM

OS

External attacker

Malicioustenant

Maliciousinsider

Maru Research Directions

• 1. Security model for shielded data science jobs– How to harden shielded jobs? How to deal with vulnerabilities, bugs?– What about external dependencies/libraries?

• 2. Integration of language runtimes with secure enclaves– How to integrate SGX support for the JVM?– What is the right programming model for SGX enclaves?

• 3. Unikernel support for secure enclaves– How to support existing legacy binaries?– How to build type-safe minimal secure enclaves for data science jobs?

• 4. Prototype platform implementation and evaluation– Integration with Apache Flink or other dataflow frameworks

• 5. Dataflow attacks and mitigations strategies– What attacks are possible by observing encrypted dataflows?– Can we apply techniques for unobservable communication?

14