1

A First Step Towards Leveraging Commodity Trusted Execution

Environments for Network Applications

Seongmin Kim Youjung Shin Jaehyung Ha Taesoo Kim* Dongsu Han

KAIST * Georgia Tech

2

Trend 1: Security and PrivacyCritical Factors in Technology Adoption

• Demands for “security” and “privacy” are increasing– Widespread use of Transport Layer Security (TLS)– Popularity of anonymity networks (e.g., Tor)– Use of strong authentication/encryption in WiFi

• Expectation on security and privacy impacts design decisions:– Operating system (iOS, Android)– Apps/services (e.g., messenger, adblocker)– Network infrastructure (inter-domain SDN)

3

• Demands for “security” and “privacy” are increasing– Widespread use of Transport Layer Security (TLS)– Popularity of anonymity networks (e.g., Tor)– Use of strong authentication/encryption in WiFi

• Expectation on security and privacy impacts design decisions:– Operating system (iOS, Android)– Apps/services (e.g., messenger, adblocker)– Network infrastructure (inter-domain SDN)

Trend 1: Security and PrivacyCritical Factors in Technology Adoption

4

Trend 2: Commoditization of Trusted Execution Environment

• Trusted Execution Environment (TEE)– Isolated execution: integrity of code, confidentiality – Remote attestation

• Commoditization of TEE– Trusted Platform Module (TPM) : Slow performance– ARM TrustZone : Only available for embedded devices– Intel Software Guard Extension (SGX) 1. Native performance 2. Compatibility with x86

The commoditization of TEE brings new

opportunities for network applications.

5

Network Applications + TEE = ?

• What impact does TEE have on networking?

• Previous efforts: Adopting TEE to cloud platform– Haven [OSDI’14] : Protects applications from an untrusted cloud– VC3 [S&P’15] : Trustworthy data analytics in the cloud

NetworkApplications

TEE

Intel SGX

Enhanced security

New design space

New functionality

6

SGX : Isolated Execution

• Application keeps its data/code inside the “enclave”– Smallest attack surface by reducing TCB (App + processor)– Protect app’s secret from untrusted privilege software (e.g.,

OS, VMM)

CPU Package

System Memory

Enclave

MemoryEncryptionEngine (MEE)

Snooping

Access from OS/VMMEncrypted

code/data

7

SGX : Remote Attestation

• Attest an application on remote platform• Check the identity of enclave (hash of code/data

pages)• Can establish a “secure channel” between enclaves

Target Enclave

Quoting Enclave

Challenger Enclave

SGX CPU

Host platformRemote platform

SGX CPU

1. Request2. Calculate MAC

3. Send MAC

6. Send signature

CMAC

Hash

4. Verify

5. Sign with group key [EPID]

8

Case Studies: Three Applications

1. Network infrastructure: Software-defined inter-domain routing

2. Peer-to-peer systems: Tor anonymity network3. Middlebox: TLS and “secure” middleboxes

NetworkApplications

TEE

Intel SGX

Enhanced security

New design space

New functionality

SDN-based Inter-domain Routing

• Offers new properties – Fast convergence, application-specific peering, flexibility,

what-if analysis [hotnets2011]• Reveals private information: topology and policy

AS A

AS C

AS D

AS B

9

Inter-domainController

1) Topology2) Policies (e.g., export policy)

AS A

SDN-based Inter-domain Routing

AS C

AS D

AS B

Inter-domainControllers

10

Prior work [hotnets2011] uses Secure Multi-Party Computation (SMPC) to solve this, but the computational complexity is prohibitive.

11

SDN-based Inter-domain RoutingInter-domain

Controller

AS A

AS-localController

Router

SDNSwitch

AS B

AS-localController

EnclaveEnclave

Enclave

• Enclose private information inside the enclave• Communication through a secure channel after

attestation

12

SDN-based Inter-domain RoutingInter-domain

Controller

AS A

AS-localController

Router

SDNSwitch

AS B

AS-localController

ASes agree upon a common code base.Makes sure that it does not leak private information [Moat].It becomes the TCB of the inter-domain routing infrastructure.

EnclaveEnclave

Enclave

13

SDN-based Inter-domain RoutingInter-domain

Controller

AS A

AS-localController

Router

SDNSwitch

AS B

AS-localController

1. Mutually attest/authenticate using remote attestation

2. Collect policy and topology through a secure channel

3. Main controller computes routing path

4. Sends routes for each AS through a secure channel

Agreed upon code

EnclaveEnclave

Enclave

Attestation

Collect infoSend routes

Extending Features: Policy verification

• Enabling verification on routing decisions – Want to verify whether the promise is being kept [SPIDeR]

AS A

AS C

AS D

AS B

14

I will give you my shortest route to Google!

[SPIDeR]

Inter-domainController

Extending Features: Policy verification

• Enabling verification on routing decisions – Want to verify whether the promise is being kept [SPIDeR]

AS A

AS C

AS D

AS B

Inter-domainController

15

I will give you my shortest route to Google!

[SPIDeR]

Predicate Predicate

Enclave

• Verify only the predicates agreed upon by A and B

Among all routes to Google from B, is the one B advertising to A the shortest?

16

Tor: Anonymity Network• Tor network : uses 3-hop onion routing

– Directory servers : Advertise available onion routers (ORs), vote for bad exit nodes

– Relies on volunteer provided hosts

EntryRelay

Exit

When exit node is compromised,(unless end-to-end encryption is used)1. Snooping or tampering of the plain-text2. Break of anonymity : Bad apple attack

Directory servers

Tor clientDestination

Tor network

17

Tor: Anonymity Network• Tor network : uses 3-hop onion routing

– Directory servers : Advertise available onion routers, vote for bad exit nodes

– Relies on volunteer provided hosts

Directory servers

Tor clientDestination

EntryRelay

Exit

When directory servers are compromised,1. Tie-breaking attacks while voting2. Admission of malicious ORs

Tor network

18

Tor network

Application of TEE to Tor

1) SGX-enabled directory servers2) SGX-enabled directory servers & ORs

Directory servers

Tor clientDestination

EntryRelay

Exit

Enclave

Enclave Remote attestation

- Detect problematic exit nodes through integrity check

- Keep sensitive data in enclave1) Authority keys2) List of available ORs

- Integrity check each other- Automatic admission of new ORs

19

Application of TEE to Tor

1) SGX-enabled directory servers2) SGX-enabled directory servers & ORs3) Fully SGX-enabled setting

Remote attestation

Tor clientDestination

EntryRelay

Exit

Enclave

Enclave

Enclave Enclave

Enclave Enclave

Eliminate directory servers altogether

Tor networkEach Tor components can check the integrity of target program (Tor binary)

20

Implementation• OpenSGX [NDSS’16] : Open source SGX emulator

– Fully functional, instruction-compatible emulator of SGX build on top of QEMU

– Emulates system software and provide SGX libraries

SGX OS Emulation

QEMU SGX

CodeDataStack

Enclave Program

User process (single address space)

SGX System call

SGX instruction

Enclave mode switch

Package Info(Key, Entry point)

SGX LibrariesTrampoline

21

Preliminary Evaluation: Overhead

• Estimate the overhead in terms of additional CPU cycles– Each SGX instruction = 10 k cycles [Haven]

<Cost of remote attestation>

Target Quoting Challenger0

2000000000400000000060000000008000000000

10000000000without DHwith DH

CPU Cyc

les (B)

Cost of remote attestation:

3% of 1024-bit Diffie-Hellman

For each I/O operations, 2 Mode switches + SGX library calls

<Cost of packet transmission>

SGX libraryEnclave

…send()...

User space OS

Trampoline

22

SDN-based inter-domain routing

– 30 ASes with the centralized inter-domain controller– Inter-domain controller : 90% more CPU cycles– AS-local controllers : 70% more CPU cycles

<# of CPU cycles consumed in the inter-domain controller>

Without SGX

With SGX

0 100000000 200000000 300000000CPU Cycles

Number of participating ASes : 30

23

Conclusion

• Commoditization of TEE brings new opportunities for network applications

• Cases studies show wide range of impact:– Policy privacy of SDN-based inter-domain routing– New design space of Tor anonymity network– Secure in-network functions

• SDN-based inter-domain routing:– Characterize and measure the overhead of using SGX– Consumes 70-90% more CPU cycles

24

25

SDN-based inter-domain routing

– 30 ASes with the centralized inter-domain controller– Inter-domain controller : 90% more CPU cycles– AS-local controllers : 70% more CPU cycles

<# of CPU cycles consumed in the inter-domain controller>

CPU Cyc

les

Number of participating ASes2 5 10 15 20 25 300

50000000100000000150000000200000000250000000300000000

without SGX with SGX

26

Secure Multi-party Execution• SGX Program owner can remotely verify the integrity of code• Publicly available programs (e.g., git) can validate the integrity

of project by sharing the private key for the attestation• Creates signature of program through shared private key

Publicrepo

attestation

Example) 1. Tor binary for OR 2. SDN-based controller program

27

Enclave

In-network Functions (Middleboxes)

• Use of TLS protocol disrupts in-network processing Only endpoints of communication can access the plain-text• SGX enables opportunity for secure in-network functions

Middlebox

Proxy

Firewall

IDS

2. Gives session keys through a secure channel

1. Authenticate middlebox through remote attestaion

ServerCan be done unilaterally or bilaterally.

Enclave

Enclave

28

Trend 2: Commoditization of Trusted Execution Environment

• Trusted Execution Environment (TEE)– Isolated execution: integrity of code, confidentiality – Remote attestation

• Commoditization of TEE– Trusted Platform Module (TPM) : Slow performance– ARM TrustZone : Only available for embedded devices– Intel Software Guard Extension (SGX) 1. Native performance 2. Compatibility with x86

The commoditization of TEE brings new

opportunities for network applications.