Stanford Seminar - Intel Software Guard Extensions

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

so my name is Frank McKean and I work at Intel and I have been working on this particular project for the last mo8 years I guess and and I wanted to go through at a high level how this works and the mechanisms and if you have additional questions I'm more than happy to follow up with other things later on but this is a overview of what this what this particular technology does so I am supposed to have legal disclaimers so you everything I say here is disavowed by Intel and no matter what you do no computer can actually be perfectly secure so and then there's something else in the middle there that I'll let you look at but now you do have to set it up correctly to make an any item work so we'll go through the problem statement we'll take a look at the at the attack surface area at a very high level we will have more information about that in a later presentation at iske will then talk about the programming environment how this fits in today's environment we spend a lot of time making sure that this fit into the current environment such that you can you can put this into an operating system that's running today and make sure that that's available and then we'll talk a little bit about the access control what did we do differently here than what's done today in the processor there's a couple of extra memory checks that are done and we'll just go through that at a very high level then we'll talk about how you prove that you actually have this and you're not really being an emulator and how we can make that work and then if we have time we'll talk about some of the development tools that we have done in the lab so and let's go down so this is today's environment where you have the application and you have you have an application with privilege code underneath and you have the rings that protect you privileges from from the the privilege code and then you go down into a another ring and and you have your applications and this is this was very good in the 80s when everybody was sort of on the same team although we had separation there wasn't an awful lot of work that occurred to really get the bugs out everybody worked together you bought your code from vendors and and everybody knew what the code was so you had a design package in some sort of accounting package and nobody was trying to to take over and remove all the things that you had that changed with the internet to substantial extent suddenly people downloaded things that off the net they didn't really know what it was it turned out to be malicious and with the structure that's available today in the Ring architecture once you find a bug across that entire address privilege space all 40 million lines of OS code or whatever and you can affect an attack on that then you've basically caused yourself to lose control of that privilege level and then of course once you do that you've taken over the entire privilege level you can now go into any application and remove anything you want you can substitute items and essentially at this point in time you own the Machine and everything that's in it and so this is a fairly large problem as far as we were concerned and I think we we looked at this and said this whole ring architecture is not sufficient in today's environment at least that's the the takeaway that we had rings need to be augmented so we we went on this project to augment the Rings and we built these things called enclaves but just to set the stage again for an attack surface that we have today an application in order to maintain integrity protect its secrets protect its integrity needs to rely on all of that code to be running correctly not be compromised and so you have millions of lines of code that that application depends on in order to provide the mission so if your application is a banking application and any of those other three pieces of code are compromised and it's not just the OS we drew this as OS but it's really anything that runs at rings there I'll write the driver that you got when you pulled some old piece of luck hardware out of your drawer and you put it in it suddenly that driver is in your trust boundary so we wanted to do is make sure that those kind of things and some of the code like smm which is an Intel system management mode that we don't show here is not affect it cannot affect the correct application the correct execution the application so we built these enclaves and essentially there's a set of instructions that define a region in the applications address space that's that then is protected by the hardware so you're the OS and VM can manage these locations they can page them in and out but they cannot access the data and they cannot tamper with the data so we provide integrity and confidentiality and replay protection on those enclaves so while those are executing the application developer can can assume that there is integrity in that environment and will show some of the ways the hardware does that protections and this reduces the attack surface substantially so so the other thing with the way we did this there were a lot of efforts to provide a secure environment by having a separate processor and so that would be a separate processor with a smaller amount of memory and you would have some sort of interface and we changed the we abandon that model we had that model with txt but with this model what we've done is have an environment which you can now download into the normal operating ad system address space you can use the resources of the main OS and provide that capability in your native application and because of this it's deployable over you can just download an application it can have an enclave you can put it on a lot you can do it remotely you can have somebody that decides you get a subscription service they can download an enclave and and bring it up and provide trust in that environment so the programming model this is the programming model before SGX normally y OS whether it's Windows or Linux or whatever is up in the upper address space the code and data are down at the lower end area of the address space and this all exists in the user process with an enclave we essentially put that into the same address space and it exists in this environment it's very similar to a DLL and Windows and an Esso file and in Linux so it sits there as a separate set of libraries it behaves as a self-contained unit and inside of there there is code and data that is owned by that Enclave and that code can execute and and assume that it has confidentiality and integrity and that the data also is has confidentiality and integrity and so the hardware is protecting that area that Enclave area and preventing accesses from things that are outside of the Enclave space from reading it altering that area now we have instructions to allow it to remove the enclave and put it to memory but we also maintain the integrity when we when that happens we'll talk about those instructions there are controlled entry points we didn't want the we didn't want to have to we didn't want someone to be able to go into any place inside of a enclave romp attacks are becoming very popular now and that would be one very big rap attack so what we did was we have a controlled entry point so it looks very much like an RPC type of interface where you do an e enter and you go into the Enclave at a particular point and then software takes over and you can't enter it anywhere else than those particular entry points we have multiple threading support you can build as many threads as you want into an enclave so it provides support for the general-purpose threading environment what needs to happen for each one of those is we define a thread control structure you put it in as you build the Enclave it's registered as part of the of the Enclave and then you can do an e enter into each of those and we don't have any limit on those as far as the architecture goes if you have a certain number of them and you have limited memory on your machine you may decide you want to limit them but there's nothing in the architecture to do that when you know I think when you when you want to enter an enclave you have a thread control structure that you have there that you can use as an e enter into that Enclave and inside the Enclave you can have global data between threads and outside you can have threads that coincide but they can't necessarily send data across that boundary between the Enclave I don't know if that answers your question quite or not but essentially this is very similar to the threatening environment that they are today you can have as many processors enter the Enclave as there are Hardware processors and you can define hundreds of these threads and and still have you know some of them are not used at any given time so it's a very similar threading model the other thing to know is that the Enclave can reach out into the application data and it can it can retrieve data from out in that area and bring it back in the application cannot reach into the Enclave if an application tries to read into the Enclave today's implementations will return all ones you don't get any information and some of the future ones will probably return ciphertext but essentially you get nothing when you try to access that area and if you try to write into the area we just throw the right away now we still may know just we still maintain all of the page table protections so the operating system hasn't been subverted here The Enclave still must work inside of the page tables in the security environment that the that the OS has produced in the environment well we're thinking about that in a future generation what what happens today even without enclaves is when you write to non-existent memory rather than cause a crash of the machine or something or an exception that comes back to someplace where you've you know the processor is long gone but somehow this thing is rattling around and comes back into the into the machine at the wrong place because you've changed contexts in i/o we just throw the right away so we already had that mechanism in place and so we just use that the same processor is in the get into each other they cannot now architectural II we define this area as an area for the enclave theoretically the the architecture doesn't prevent someone from defining an overlap between them but the enclaves themselves will as you put the pages in identify with one or the other and you will get exceptions and other bad behavior if you try to overlap them but each Enclave is as instantiated is a unique one and you have to you instantiate it by starting with this instruction will go into and then you place pages in each time for each Enclave so each one is is a unique instantiation well there are another questions so this is the environment and I just wanted to walk through some of these we start at the very bottom the Akkar Duero and what we've done in the hardware is we've created a new memory semantics and we refer to this as the Enclave page cache and this this uncle this memory access semantics is is now doing extra checks over and above what the hardware used to do when you made a memory reference so in in the old environment you went through the page tables you've got a translation and if everything worked out correctly you went out to memory and you read the location or you wrote the location in the in this environment you do all of that and then you go out and hardware will do some additional checks and it will check to make sure that the access is from someone that's executing inside of that Enclave and not anyone else and it will check that the linear address that you built the Enclave as is the same as the one you're referencing so we protect from some OS trying to remap the pages underneath the application and it will check also whether the application wanted to have this be read or write accessible so we have additional read and write checks that the application can have that the hardware will enforce as you're building your Enclave and in the first version that is somewhat limited you have to put those out when you build the Enclave on our spec we have a second generation where you can actually manipulate those and software inside of the Enclave can can actually make make changes there and do dynamic memory allocation so so this area is carved out in the first generation this is carved out as a separate portion of memory it's inside of a fixed area of memory and and we and the hardware declares this when you boot the machine The Enclave page cache map is metadata that's used to do all these check so the hardware needed to go and check somewhere and the memory that's used to hold the metadata to perform these checks we refer to as the enclave page cache map this performance it's not all that bad because you do it at a TLB miss and so yes it is an extra reference in the TLB filled pipeline but overall I don't think that's a major we have leather major or out performance issues we'll get into later inside of the cache so you can run if you if you do this and you feel your TLB you can run a full performance hopefully that will be more obvious after I go through some of the checks and if it's not let me know and we'll wha go through that so the next level up is the set of instructions that are used to build the Enclave to page in Page Enclave pages out of this limited area and put them in regular memory and - and to remove the pages so in the in the privileged code environment and we made this part of the privileged environment because traditionally most operating systems have managed resources that's their major goal and we have changed the paradigm that they can then manage the data and change it but we haven't taken away the ability for an OS to manage the resources and so in this environment we first start off building an enclave by doing an e create instruction and that declares an instance of an enclave and it starts a process we have a page that's put into the Enclave page cache which is declaring this is a particular Enclave and and then as we fill in each of these as we want to put the data and the code into the Enclave we use the e add instruction and that adds the page in one at a time into the Enclave so you've actually you just an she ate the Enclave and then you put the pages in one at a time by copying them in one thing to note and I don't think it's called out explicitly in these foils but as we do this there have been no secrets yet all of this code and data is residing in main memory when you build the Enclave so you build an enclave there's no secret until you instantiate it and lock it up and then go ask somebody for a secret and that's the the usage model we have yes well so the next instruction I extend we do a cryptographic hash of the data we've loaded into the Enclave create instruction yes how do you protect the software the creation we don't we if you mess it up the when we do this cryptographic hash of everything it will not measure it will not match what the developer actually wanted to have built so he should say you built a bad Enclave I am NOT giving you the secret so it was important to me to not have a by the way not have secrets in this when you built the Enclave because if you own the machine you should have the right to look at your code at least the beginning to know what you have and so for that reason we we leave this as unencrypted data until such time as you actually have something to put in for secret but you modify the code and you change the measurement so you can modify the code but you cannot you cannot avoid detection let me put it that yes so so we assume that a developer building this Enclave will do so on a machine without someone's having hacked it now if you don't trust your tools you could have have had been hacked in both cases which case you will have the hack in both places but if you do if you do this correctly on your machine without without any malware on that machine you will be able to build an enclave with a set of measurements we will report that set of measurements back to the person that's provisioning secrets and this Enclave should match that one and it's what would the correct yes and it's computationally infeasible to to actually spoof that mechanism yes this is gonna deploy for instance in the context I don't know the details of that particular microkernel we are working with various OS vendors to make this for them to develop support for this we also have for shorter-term built a set a driver that can actually do all of these operations so a privileged driver right now can do this all this work so you can actually load this without any kernel support directly so yes the extend instruction will do a cryptographic measurement as of that page and and you we essentially have this mechanism to accumulate a hash of the Enclave as we're building it and measuring it and so the developer needs to do that on his machine and now he has the gold standard he has a golden measurement and when you build this on a remote machine you use that as the entry bar so if you don't have the right measurement you don't get to get a secret back and so people that modify it can do so but that won't won't affect the integrity well it infect the integrity but will be detected after we've built the Enclave we have an instruction called Ian it and this is where you can now declare the Enclave is fully built we locked the measurement down so you can't manipulate the measurement any more and up until this time you couldn't enter the Enclave you couldn't build half an enclave and then suddenly enter it and now you've declared this to be the whole enclave and you can now enter it but now you're going to have to live with the measurement that you just locked down so if you did everything correctly then the measurement should reflect a correctly built Enclave and everything is good and now you can go out to someone and ask for secrets EEB lock etrak you write back any load are paging instructions and the goal for enclave paging of this CPC is that we can take a page out and put it into main memory and bring it back in and it still maintains the same properties of security properties of confidentiality and integrity as though it resided inside of that area so we have metadata that goes out when you do the you encrypt the data you send it out you have metadata that goes with it and we keep a version around inside of the enclave page cache to to make sure that it's anchored in the hardware the epa instruction is part of that versioning for paging and and hopefully we can go into that in a little more detail and finally when you're all done with your Enclave you can remove it and take all the pages out of here and and therefore free up for a new Enclave to come in from the point of view of the application environment the user level process they would ask for an enclave to be built by ring zero components or privileged components and then once that's done they would use the instructions up there we enter to enter the Enclave and start execution or exit to leave the Enclave if an environment such as most modern operating systems you have exceptions and interrupts and other external events and you leave the Enclave we save all of the information inside of the on clay itself all the architectural state we fill the registers with essentially the reset values so it's the registers look as though the part was just reset and we go into the exception but then you need to resume execution and the e resume instruction is what's used to resume execution of your Enclave when you return and and then there are two other instructions II get key any report and those are security instructions used to seal your data away based on an enclave measurement or an enclave key that the developer has generated and the report is used to prove that this Enclave has been built correctly and that it runs on until pardon or yes some any questions yes after we do the attestation slide so I think that should explain most of that well so this is a common system resource and and traditionally operating systems have managed common system resources and so we we just felt that that was the traditional way of doing this we wanted this to fit into the current oh s environment and and be something that you can bring along and have one Enclave and then you know grows over time so yes so the e report is an instruction hardware instruction that will do its thing on that Enclave so it doesn't really matter if you're in a it won't the the VM won't have the key that's ruisseau ciated with that particular part so there's some some set of numbers there and not but it's it's big yes no that was too hard made my head hurt we decided for the first time we would just do one there have been people sort of dancing around that request but right now we don't have that yes you could have multiple instances of a non plane that executes the same piece of code they will each have their own set of code and they will each be separate instances and they cannot necessarily you can't swap pages between them for instance you know sure I can't share code there is a request from several people to have shared pages we're thinking about that but that's not a well yes right now we're still at this stage where we're looking at other things and that's not top of my list some yes process specification Enclave between local processes can be shared as long as the address space is the same or you should at least the enclave address is the same yes you can add multiple mappings well you can milk you can put it into multiple spaces you cannot have multiple mappings you have to have the same linear address mapping or virtual address mapping for the Enclave in both is only going to run and ring three there there are much better arguments for well first of all most applications are we looking at really don't need to have ring zero support you know your banking application and your you know databases those things can run it ring three so we also weren't your of the entire we part of the goal here is to make sure we do no harm to the environment and this does change the security equation for a platform somewhat but by limiting this the ability for malware for instance if it gets in here is very it's very limited right it's at ring three it cannot it has to leave in order to go and take over the platform it's a little bit of a road bump for forensics but for the most part you know it's pretty harmless so there were a lot less issues to look at so we we said for the first version we really want to make sure that that this is a positive impact on the platform as we move forward I think there are people asking for rings are privileged components there and I'm not sure if the ring is actually are the right way to look at that ok any other questions ok so I I have a cartoon here that explains all of this in animation I did this for training for some of our internal customers and and so I've left it in because it seems to be helpful for people this is uh this is what we have we have a virtual address space a physical address space and whoops that was not the right thing to do oh all right wow that's scary I remembered the slide number okay so and essentially what we do is we we have the e create it declares a range inside of the virtual address space that's going to be part of that Enclave we have this Enclave page cache over here when you booted the machine we declared this what region of memory was going to have these extra memory access semantics and we have this area of metadata that's going to be also removed from the memory map as far as the operating system is concerned and hardware will use that to maintain and check metadata and so as we move forward the other thing to note is we have this this what we call mr enclave so mr. enclave is a is the measurement register for the enclave itself this is where we're keeping the running total of the or hash of the Enclave if anybody's done any work with TPM for instance this is a very similar concept we just keep this running hash too as we move forward so we go and we're going to take plaintext data we're going to move it down we're going to use the e add instruction copy it down put it into the into the Enclave itself it'll be mapped into that location by changing the PT ES and all of that and the EP CMM entry will show that this is now a ballad page it has an enclave ID which is associated with the particular Enclave and it has a what we call the linear address which is the virtual address intel has this several layers of translation so i'm sorry if i confuse you with that but it's virtual address and we do that several times we fill up the Enclave we put it into memory and then after we've done all that we'll do any extend and we'll do do a measurement of these and this will cause the measurement register to be updated we'll do a measurement of each of the pages one thing to note it's not required that you measure the pages if you have a heap area that you don't care about you know you're going to overwrite it and you're really sure you would never put a bug in your Enclave then you're welcome to not measure it our library right now measures everything so if you do this as part of our library build you will simply measure everything and then once all of that is done we will declare that this Enclave is executable and now you can go in and execute in those pages and you can enter into the Enclave you can exit the Enclave you can finish what you're doing so you can have this Enclave up and enter and exit forever till the movies over til you're done with whatever metal record you had whatever you want to do and then you do an e remove remove all the pages and they all become invalid in the e PCM and therefore they disappear I'm not sure I understood your question there is and that's an interesting question hold that thought for just talk about how we protect from that I think it's the next foil yes so we have access control and there are two areas of access control there's on the processor package where we have control and we want to keep data decrypted so we have to prevent accesses by any non Enclave actor and there's off-chip where we don't have any protections and we want to protect from that and we use encryption and and replay protection when we have data that leaves the chip so what we do for on chip when we're going to check whether we can access this page we have an address request comes in and say a load or something and we do the traditional page table access and that will follow the normal procedure if it's not mapped the operating system would fault if it is mapped then we have to do an extra addressed extra set of checks so we first check to see are we in Enclave mode and is this an enclave access that means it has to wear an enclave mode and it has to be in that range of the address where we declared the Enclave would reside and if it is those things is it well if it's not those things then is it an address inside of that Enclave page cache area and if it's not an ad access into that Enclave page cache area we just allow the access to occur that's a normal memory access we're not running in an enclave mode nothing happened there and this is this is basically a hardware module running in the front of the load pipeline if it is inside of that we replace the address with what we call a board page that's an internal intel jargon for hey this is a reference that we are disallowing so we will return all ones for the read request so applications get just junk and if it's a right we will throw it away if it is an enclave access then we again do a check to see if it's inside of the Enclave page cache and if it is inside then we'll check to make sure that all those references this reference meets all of their criteria yes yes you've done a enter instruction you've entered the Enclave and you're inside of that vert that linear address that virtual address range that says you're inside of the Enclave because we have to if you are an Inc inside of the Enclave and you'll see that in a minute and we're outside of the EPC that's an enclave referencing the external memory and we have to do a separate check for that we'll do that in a second that that one in a second but in this case we do the check if all the checks pass then the memory access is allowed if the checks are not allowed or don't pass then we do signal fault in this case so you get a in the first version you'll get a general protection fault and in future versions we will give a page fault for this condition if the address is not an EPC and it is an enclave access which means somehow the operating system or somebody has mapped this thing into the wrong area and we will also signal fault so this is how we do all of the access controls inside of the processor for all the course so so everybody goes through this new additional check inside of the inside of the memory pipeline so did that answer your question with protections and whether we have to write DRAM and all of that I was asking a question in the context of the genome operating system that has a recursive ring model I say okay microkernel so I'm turned out this can't help how this is going to fit into that but let's continue on I'm still okay I think the question was what's he doing we actually clean zeroed out what we do we remove we do not say we do not zero out the memory but once we do any remove one of the checks in the C PCM is to check that the vet page is valid and now it's not valid anymore after you remove it's no longer valid somebody else you filled it with something oh maybe not well in our case it is because the only instructions that you can actually use to set the valid bit or require you to either write zeros or to write some new Enclave yes we do oh I did it again I I am very sorry I keep hitting the wrong buddy so let me okay so outside of the Enclave we want to protect the data and so as I mentioned inside the data is unencrypted you can run at full cache performance and we have a security boundary here so if you can take your chip apart you probably and you can actually probe it while it's running there are people that can do that there are labs that have that capability then you probably can bypass this most people don't do this to their chips and in fact in our in our company we're not very good at this either turns out we fail at this quite a bit when we try to do it it does void the warranty I'm not sure what they'll say if you tried to bring it back at that point I'm not even sure anybody's ever tried again we I'm not sure that this is a big secret people talk about how they go about on actually doing these things there are companies down here in Silicon Valley that will do this for for money so if you if you're a lawyer and you want to sue somebody there are companies that will help you with that so it's not an impossible task it is harder as you get down to very small geometries I will I will say and that's one of the things we're up against but nevertheless this is our boundary and we've decided that if you if you breach that then that's past our our protections but when we leave the chip we want to make sure that that date of your credit card information or whatever else you have in there is protected as it leaves the area so we have a memory encryption engine that sits on the book on the boundary here right at the memory controller and as the data for for that EPC area or EPC M area falls out into main memory it will be encrypted and it will be integrity protected and replay protected and then put into main memory and it turns out that not only is that really good for for protection against Hardware attacks it also protects against a number of software attacks that are at the corners of hardware software so you cause a reset of the part you don't want the all the distribution all the protections to disappear which they normally do well in our case the key also disappears so all that data is is essentially unreadable so there's some very nice properties of having an encryption engine right there because I just keep trying until I find one that matches now another key this-this-this encryption is a aes-128 it's you but this is a 64 byte cache line coming in and out here so it's multiple aes blocks it's you know it's not just a word oh yeah if you try to write a word which is possible in most microprocessors you will have quite the event right you end up going out getting the whole cache line bringing it back writing them in putting them back out that kind of thing yes very critical but this key management is actually just a random number taken from our random number generator when you reset the part inside ever does anybody outside know with this key yes No this key is randomly generated at the time you power up we put it in there when you reset the part a new one is generated or read from the random number generator and and you start over we need to be in the clear or encrypted with a different key not sure what you mean by external this key is only encrypting that memory there's no external it has no external access it's simply Hardware reads this value when you when you reset the part and you put it in there and hardware is the only one that has access to that key we have versions that are part of this the M EE is very complicated it has a tree of because we want to do this on a cache line basis it's a very small block relative to main memory so we end up with a replay tree that requires quite a bit of integrity protection it takes up right now in the first version is like 25% of memories of that epc area will be used we are working on getting that down we have a couple of ideas there yes they are wired by the cache line plus the integrity data is larger than the cache line yes the integrity data for that block of epc is all allocated at boot time so it disappears it's just out there we it's consumed entirely and so therefore the operating system doesn't have to deal with it it's just gone yes if you have the same block in two different places there it will be different and I'm not sure I remember the exact algorithm that's used there but you won't see the same thing repeatedly and we have a version in there so you never see the same one if you write zeros every time you'll see a different value there so yes I'm not sure I understand your question yes the replay the tree is sort of memory we anchor it inside of the processor package so we again go back we have anchors in here of the of the tree so that you you have to you can't get at that in today's environment that is true I think as we move on to very large env data areas we're going to have to rethink our interface and talk about whether that is part of the trust boundary and we do something locally on that chip so we are looking at multi package support so the first version that we have available will be clients only single package we've we've done a lot of work on how to make this work on multiple packages and I think that will extend over to other packages other than processor packages as we need it is there another question what you're asking is if someone else comes along and overwrites that data well first of all another core won't be able to do that because we had that access control mechanism we will prevent that from occurring at least in the first generation or two but if someone else comes along that's attached to this memory like you do port it and you said oh I'm going to overwrite that then yes it will cause this crash and it will be painful because we will stop everything and we will decide to reset the whole part so it will be a very ugly event yes errors and therefore the critics traffic hash of my encrypted data memory is now wrong it doesn't check and you're saying that at that point your chip freaks yes you're ignorant was bliss before now we won't do this check in our current implementation for clients that I believe is is there is no error correcting code but on parts that have error correcting we plan to do is have the have the ECC be checked and be correct before you go for that fatal law check yes but if you if you passed ECC so somebody that's attacking this part recalculates ECC says yeah this will go in well yeah it will go in and and then we will have an integrity mismatch and and so then we will stop in order to do this you have to do a hardware attack you had to go and start putting data in on the outside or have or somehow lower the voltage on your DRAM or do something that caused the DRAM not to faithfully respond well most well it depends how much you pay for your DRAM i guess most intel when we design a static ram area i think that's part of the normal testing so that should not be an issue but yes it is possible if you save $10 on your dram that you didn't get that protection i don't know let's parkour the crackers more often well that's that's I guess we'll see whether that's the case so it is also true that you had those errors before you just didn't know them we're there so I don't know whether you feel better about that or not I guess I wanted to be on the conservative side from a cryptographic point of view so when you make a guess and you actually fail you that taught you something right it reduced the space that of the numbers of guesses you have to make anymore now in the case of something that's like 2 to the minus 128 chance it's not a very large number but our cryptographers decided that they would prefer to reef or sever e1 to start over so when that happens the key is changed and now your guess is is like you started over you're you're back at the full range of your space so I guess we erred on the side of security in that case something did not have adjustments after people use it I just think that's going to be part of the course so where there are other questions no not tonight it is it is an impact we do have some caching that that keeps that tree in in some cases but in the worst case scenario or you have to do this you might walk three levels so you end up with a memory bandwidth degradation that could be an impact on performance that is probably our biggest performance impact public for what the actually I'm not sure we know we have our benchmarks have been sort of back and forth it depends on your cash size right it's it's all a matter of what application you're running how much of it's in the cash how many times you're falling out of the cash so the cash behaves identical to any other application so in other applications when you fall out of the cash you see this we just see this at a higher rate so your degradation is faster in this case a cache miss might be much more expensive it might hit in the cache we have extra caches what I mentioned was for the integrity so we might hit those integrity and it's just one reference we might also miss all that and do three references to fill that miss to prevent unnecessary cash missing because well-behaved streams don't necessarily work best with standard statistical caching and so on typically if you're a stream oriented multimedia guy you end up having to do workarounds unless the CPU understands about stream process we don't have that in this first generation I take it you only do this for data that's in the Enclave and for other data you did it up to the encryption that's correct which means you did it doesn't affect the performance benchmarks or be judged by performance where we're running benchmarks inside of the Enclave to understand the difference but but again it depends on how much of it sits in the cache and we have different processors that have different cache sizes so you know we have to it's not that I I just don't think we have those numbers well-defined you and again part of this is to provide protection from snooping and and things from the main memory okay so that's the that's the area that protects and produces the the Enclave the walls around the protection now once you have that how do you prove to someone that you have it and how do we go about that so that will be the attestation and sealing section so I'll start looking at that and essentially as I mentioned the Enclave is in the clear before you instantiate it so you have you can have sections of code and data they're encrypted but there's no place to put the secret for the encryption so yeah not on a developer can download encrypted data but he still got the keys not sending it with it and you put those into the Enclave and there's no way to decrypt it you have to get the secrets from someone outside you have to enable this if you want this to be secure now you could do that on your keyboard if you feel that your machine is in such high integrity state that there isn't anything there and there are some reasons you might do that before you plug it into the internet for instance after that you have to be able to convince a third party that you really do have Enclave hardware and how do we go about doing that and we'll talk about that so that's one of the major things how do we show somebody that this is really a machine that supports an enclave and it's on it's a machine that hasn't been taken apart we have limited means to know whether it's been taken apart or not well show that and then we want to be able to after we do that to an outside party we're only proving from Intel's point of view from the chip that this is really the hardware you may want to store secrets in there and you may want to have your own identities in there for everybody that owns an enclave and we just want a way to do that without necessarily going through this whole identification process so those are the the things that were solving here so the service provider the person that's that's distributed the Enclave they need to be able to understand that and they need to be able to vet that this is a Intel CPU I've mentioned all that and they need to be able to prove that this Enclave can be has the software running inside it that we claimed this is the measurement register and we need to know that the Enclave is in the right execution environment and that the sealing identity will be that'll be used and the sealing identity is something that that can that we'll talk about a little bit it's essentially who signed this Enclave and presented it to the hardware to run and finally we have the ability to understand whether this processor has been patched we have Micro code patch we've had it for many years we can tell somebody remotely that yes it is indeed been patched with the latest security values so you can rest assured that it meets this set of criteria so basically when you generate this cryptographic log we put the code we put the data and all of the stack and heap information that's been measured and we also put the location of each of the pages so part of this is when you did this Yod we put the address of that page as part of that hash and we put the what we refer to as the security flags this is the things like the read/write/execute that are defined for that e PCM and some other values that are there and then we have this M R Enclave this is the register we talked about it's basically a 256 bit digest and it is the TCB of the Enclave so the software verifier needs to get this information needs to get it securely and be able to compare that against some golden value to make sure that it can be that he's comfortable with or she is comfortable with that up there is not you well hold that thought just a second we have two types of attestation we have local ACTU station and we have remote attestation local at the station is the ability to prove to someone that you are indeed on that platform locally and that you that you have a particular measurement and what IRRI port does is it will generate a cryptographic report that will bind the mr enclave of the target value to the report key and then e Gehrke will provide the report key to verify that report and this is very very subtle and I always forget it and I'll have to remember it as we move through this but the we have a cartoon in the next couple of the pictures that'll help with that and and so essentially what we do is we have created a symmetric key that we use asymmetrically for local attestation and then once you do that we have the ability for that local Enclave to be provisioned with values that are provided by an attestation that an attestation server can then prove that this is a a Intel Enclave so we start off we have two enclaves and we want them to prove to each other that they're one to prove to the other that that Enclave is there and that the measurement value is indeed what it says so we have those enclaves we have the verify Enclave and it's going to send its mr enclave its measurement value to the reporting Enclave so I want a measurement I want this Enclave to validate that one so he sends his measurement value over and then that Enclave will do an e report with the mr enclave and that will generate a Mack and everything for that enclave transfer that value from that Enclave to that Enclave over an untrusted channel is protected or unprotected when it leaves the first time play it is unprotected and the Mack is a message authentication code yes or - yes okay how are the keys no the keys yeah well these keys are sort of being held closely and by hardware via these instructions that's the subtlety I always have to think about this because we allow these values to be transferred the keys that you're deriving inside the hardware to generate these values are not available to either Enclave okay so we then use available hardware can check some of these and we'll give you some results back based on the key but you never yes so we basically do all this we send that whoops I think we went too far maybe it skipped here we basically send this over and and now the verifying Enclave can actually obtain the report doesn't look like it kind of I did this as an animation and I took the animations and I put them into PowerPoint and I think that one kind of messed up essentially you got it back over here and now the the receiving Enclave even though it's not here can verify this by obtaining the report key its report key and verifying this Mac based on the office authenticity of the report the Mac is part of the report and you send that back over and then you can identify you can verify the report key by having checking this with your mr enclave in it and as a result then so I mean you really need to understand the details of that up at a level that I don't want to go into today but we can come back essentially if you look at that what will happen is this will come back over the mr enclave is fed in as part of the report as one of the parameters into that instruction and then you bring it back and you can verify that Enclave using the Erie get key instruction to to verify that that's correct after we do that we want to take this value so this is a what we've done is we've said okay this Enclave over here on the on the left side is is now the one that has been has given its information to this other Enclave and we're now going to say well that Enclave was something special that has a special global attestation mechanism and in our case we call this epidemis e ID is again very similar to what is done by by the TPM for their direct anonymous attestation and and so we then send that back over to the remote Enclave and this value now is something that the remote party can can actually do a check on with an attestation server that intel has provided and a private key and a public key for a group and that's the same sort of thing here so no we went to this was this was the this we went from the local attestation now we're in the process of doing they're the global one local is a symmetric key and the remote is done with a asymmetric key and it's a anonymous type of environment so the remote party won't know which machine it is that's the idea then what they do know is that it's part of this group and Intel will provide the group members for that and there are all sorts of cryptography about you can decide whether Intel or somebody else decides that this is a part that's bad you can make some calculations and I can never remember that crypto after I look at it okay so after verifying this report then this Enclave which we called the quoting Enclave this is the global quote that we're providing we'll sign the report and we'll use the epital convert it to something that's global that can be used by the verifying party and and then it will be sent over and then the remote platform can verify this quote with the epic part of the group and and therefore at this point in time the remote platform has now been should be assured that this particular Enclave that's here on this platform has been instantiated inside an enclave on an intel part that it hasn't been revoked yes no the AP ID is stored in this particular Enclave we call their quoting Enclave and it's provided by Intel during a provisioning cycle that we glossed over today but feel free to come to our all-day talk and we'll go into that shameless plug I know yes well how does Intel decide it should be revoked so the idea here is that this remote platform this remote party the relying party for this attestation can go and query an Intel server and we say oh you have to there's some crypto you have to do because we revoke the part we don't want the remote party to know which part but you want them to know it's been revoked so there's some involved crypto that Ike yes yeah so there is some method to do that the more interesting thing is why would we ever revoke one well if somebody brought theirs in with in pieces like we had mentioned before we probably could revoke that part there are some cases where you might you know if it's published on the web and everybody said hey I took this part apartment here are the values we would know to revoke it otherwise it's very nebulous and it's an interesting security issue as to how you decide as something's trusted more could do that but this is for the remote party so they're not going to buy this other computer they just want to know not to send there their secrets they're in our best interest it certainly would be if we could convince people but uh yes there's this mechanism rely on the algorithms business itself implemented in the Enclave that's a secret at all it's in an enclave which means that the code itself is downloaded before it's actually secured and it's open and by the way we put it at an ISO standard for episo-- you can look at the details there yes only the keys are secret yes we have keys that are particular to every part so every part has unique keys there are keys there that are keys that Intel puts into the part and forgets and there are keys that Intel puts in and remembers and the ones we remember are not part of the sealing infrastructure they're used as part of this how do we know which portion this is so we have this quoting Enclave we need to be able to tell which machine has that particular key we use that and that's that's what that uses for no uses are fuses and they're done it manufacturing that's it now that said we have some way as I mentioned earlier we have this security version number and we do do calculations based on that so if we up the replicate up the security version of the part for a particular change and it could be that we decide there's a bug in that Conclave when we decide to up the security version number we will have a different set of keys derived we wanted to make sure we didn't have to recall the part of Fah there was a bug and say some intel Enclave yes so if you hear some up above some keys to a specific machine up means that you can somehow deny service machine so it cannot procreate very well we don't know which machines right we know the group are you saying if we decided we wanted to never provision this machine we could say all of the Broadwell parts we don't really know you know million go out every day we don't really keep track of where'd they go I mean yeah there's a little paranoia I guess you could argue but where I don't think we're that good yes no it's done this a matter of law of the reset so we actually do some some calculations that reset that create a new set of keys based on the fuses and it's best under security version number one security reasons you use someone to be up when you reset right when you set everything goes away and we start on but readings the upgraded security version yes okay and then when you load a patch back in because that's your base hardware and when you load a patch in or you load some software then we calculate the security version at the right time so then we can report that based on what it is at that time but for instance if we reset the part the quoting Enclave isn't there and it won't be there for a while so as far as the security version for that part for that particular Enclave it'll be awhile before we actually get it done yes well because I don't think we are going to be successful being in the trust for everyone go I think we are we are forgetting those keys in this first generation and then we are never going to know them in future generations so so the reason for that is just the manufacturing process today and then at that the some point we will just generate those and they will be in the part and we won't really know what they are we just aren't there in this first generation well it's that and I don't think well it turns out if you go through all the key distribution we actually allow an owner of the platform to inject 250 s 128 bits of entropy on their own so we'll never know the ceiling structure from the beginning from from that anyway so so the whole idea that you can give this part to someone and they can take it apart and know the values for that for that sealed chain is very hard if we don't have that owner what we call owner epic is is this this 128 bits of entropy that anybody can inject and it goes in and it's done at the boot time and that is part of the key calculation and then that is that is going to be a unique value that nobody knows this other base part we just we try to forget that and and that's something we were going to get better at as we move forward yes what I asked you about the software version how do you protect the software version I'm not sure I know exactly what you mean by how you protect it well you said you actually take the system back down to the world artwork and then you reset that will it will go back down to the rock while he will apply some security version four depending on whether it's a micro code patch we will supply if it's a software patch we will do something a little different how do we know yeah I'm not sure what you mean we we use the value that we retrieved from that patch to calculate the keys it's an input into that key calculation yes it's coming from the well the version itself is coming from the patch you load and it's signed and it's encrypted yes security version is the rest is a piece of salt right yes exactly so it essentially is one more thing that that's put into the key derivation okay you

Info

Channel: Stanford Online

Views: 25,006

Rating: undefined out of 5

Keywords: Stanford University, Stanford, SCPD, ee380, Frank Mckeen, Intel, Colloquium, Stanford Online, ee380 seminar, Stanford Seminar, Intel Software, Software Guard Extensions, Innovative Instructions, Next Generation Isolated Execution, Security, Software

Id: mPT_vJrlHlg

Channel Id: undefined

Length: 77min 34sec (4654 seconds)

Published: Thu Apr 16 2015