ExperiencesinIntelSGXresearch
DongsuHanandSeongminKimKAIST
Jointworkwith:
ChanghoChoi,SohamDesai*,JuhyengHan,JaehyungHa,PreritJain*,JaeHyukLee,YoujungShin,BrentByounghoonKangandTaesooKim*
1APNet2017*
Trend1:SecurityandPrivacyCriBcalFactorsinTechnologyAdopBon
• Demandsfor“security”and“privacy”areincreasing– WidespreaduseofTransportLayerSecurity(TLS)– Popularityofanonymitynetworks(e.g.,Tor)– UseofstrongauthenTcaTon/encrypToninWiFi
• ExpectaTononsecurityandprivacyimpactsdesigndecisions:– OperaTngsystem(iOS,Android)– Apps/services(e.g.,messenger,adblocker)– Networkinfrastructure(inter-domainSDN)
2APNet2017
• Demandsfor“security”and“privacy”areincreasing– WidespreaduseofTransportLayerSecurity(TLS)– Popularityofanonymitynetworks(e.g.,Tor)– UseofstrongauthenTcaTon/encrypToninWiFi
• ExpectaTononsecurityandprivacyimpactsdesigndecisions:– OperaTngsystem(iOS,Android)– Apps/services(e.g.,messenger,adblocker)– Networkinfrastructure(inter-domainSDN)
Trend1:SecurityandPrivacyCriBcalFactorsinTechnologyAdopBon
3APNet2017
Trend2:CommodiBzaBonofTrustedExecuBonEnvironment
• TrustedExecuTonEnvironment(TEE)– IsolatedexecuTon:integrityofcode,confidenTality– Remotea_estaTon
• CommodiTzaTonofTEE– TrustedPlaaormModule(TPM):Slowperformance– ARMTrustZone:Onlyavailableforembeddeddevices– IntelSodwareGuardExtension(SGX)1.NaTveperformance2.CompaTbilitywithx86
4
The commoditization of TEE brings new opportunities for networking.
APNet2017
SGX:IsolatedExecuBon
• ApplicaTonkeepsitsdata/codeinsidethe“enclave”– Smallesta_acksurfacebyreducingTCB(App+processor)– Protectapp’ssecretfromuntrustedprivilegesodware(e.g.,OS,VMM)
5
CPUPackage
SystemMemory
Enclave
MemoryEncrypTonEngine(MEE)
Snooping
AccessfromOS/VMMEncrypted
code/data
APNet2017
Challenger
SGX:RemoteALestaBon
• A_estanapplicaTononremoteplaaorm• ChecktheidenTtyofenclave(hashofcode/datapages)
• Canestablisha“securechannel”betweenenclaves6
TargetEnclave
QuoBngEnclave
SGXCPU
HostplaaormRemoteplaaorm1.Request
2.CalculateMAC
3.SendMAC
6.Sendsignature
CMAC
Hash
4.Verify 5.Signwithgroupkey[EPID]
APNet2017
SGXResearch:CurrentStatusandChallenges
• SGXspecificaTonreleasedin2013.– SGXavailableinIntel’sSkylakemicroarchitecture(2015)– HardwareandsodwareimplementaTonsforSGXlagbehindtheirspecificaTons.
7
SGXCPUandSDKisnowavailable!But..• SpecificaTonforSGX[revision1&2]isnotfullyavailableontheSGXhardware(onlyfuncTonaliTesinrevision1)
• SGXtechnologyhasacomplexlicensemodel– Hardtoobtainfulllicense.
BarrierstoSGXresearch
APNet2017
Ourwork1. Open-sourceemulatorplaaormforSGXresearch
-OpenSGX[NDSS16]
2. WhatimpactdoesSGXhaveonnetworking?-AfirstStepTowardsLeveragingCommodityTrustedexecuTonEnvironmentsforNetworkApplicaTons[HotNets15] -EnhancingSecurityandPrivacyofTor’sEcosystembyusingTrustedExecuTonEnvironment[NSDI17]-SGX-Box:EnablingVisibilityonEncryptedTrafficusingaSecureMiddleboxModule[APNet17]
8
NetworkApplicaBons+TEE=?
• WhatimpactdoesTEEhaveonnetworking?[HotNets15]
• Previousefforts:AdopTngTEEtocloudplaaorm– Haven[OSDI’14]:ProtectsapplicaTonsfromanuntrustedcloud– VC3[S&P’15]:TrustworthydataanalyTcsinthecloud
9
NetworkApplicaBons
TEE
IntelSGX
Enhancedsecurity
Newdesignspace
NewfuncBonality
CaseStudies:ThreeApplicaBons
1. Networkinfrastructure:Sodware-definedinter-domainrouTng[HotNets2015]
2. Peer-to-peersystems:Toranonymitynetwork[NSDI2017]
3. Middlebox:SecureMiddlebox[APNet2017]10
NetworkApplicaBons
TEE
IntelSGX
Enhancedsecurity
Newdesignspace
NewfuncBonality
Ourwork1. OpenSGX[NDSS16]:Open-sourceemulatorplaaorm
forSGXresearch
2. WhatimpactdoesSGXhaveonnetworking?-AfirstStepTowardsLeveragingCommodityTrustedexecuTon
EnvironmentsforNetworkApplicaTons[HotNets15] -
-EnhancingSecurityandPrivacyofTor’sEcosystembyusingTrustedExecuTonEnvironment[NSDI17]-SGX-Box:EnablingVisibilityonEncryptedTrafficusingaSecureMiddleboxModule[APNet17]
11
VirtualAddressSpace PhysicalAddressSpace
1.ECREATECreateanenclave
EPC
Memory(Untrusted)
PlaintextCode/Data
2.EADDAddpages
Code/Data
PlaintextCode/Data
Code/Data
PlaintextCode/Data
PlaintextCode/Data
4.EENTEREnterstheenclave 5.EEXITLeavestheenclave
Code/Data Code/Data
Background:EnclaveLifeCycle
13
3.EINITFinalizetheenclave
Enclave
ApplicaToncode
OpenSGX:DesignGoal
13
• OfferacompleteplaaormforSGXresearch– ToexploresodwareandhardwaredesignspaceofSGX– TodevelopandevaluateSGX-enabledapplicaTons
• Solvenon-trivialissuesonSGXsodwarecomponents– Supportforsystemsodwareanduser-levelAPIs– Familiarprogrammingmodelandinterface– SecuredesigntodefendagainstpotenTala_ackvectors(e.g.,Iagoa_acks)
APNet2017
OpenSGX:ComponentOverview
14
• EmulatedSGXhardware • Enclaveloaderü ü ü
SGXOSEmulaBon
SGXQEMU(HWemulaBon)
EnclaveProgram
OpenSGXtoolchain
Enclaveloader
SGXLibraries Trampoline
Stub
RunBmelibrary
EnclaveDebugger
PerformanceMonitor
• OSemulaTonlayer
• OpenSGXuserlibrary• OpenSGXtoolchain
• Enclavedebugger• Performancemonitor
APNet2017
BinaryTranslaTon
OpenSGX:Approach
15
• Usinguser-spaceemulaTonofQEMU– BinarytranslaTontosupportSGXinstrucTons– QEMUhelperrouTnetoimplementcomplexinstrucTons
HelperrouTne-Setregisters-OperatesSGXinstrucBons
QEMU Host(singleaddressspace)
Wrapper
Lib
Stack Heap
Enclave
Code
Data
EPC EPC
EPC
EPC EPC
…
…
enclu(){…
asm(“.byte0x0f”
“.byte0x01”
“.byte0xd7”
“rax=entry”
…}
Entrypoint
…if(opcode==0x0f01d7){helper_enclu();}
…
RIP
EENTER
HardwareEmulaBon
16
• EmulatesSGXdatastructuresandSGXprocessorkey• Enclavepagecache(EPC)memorymanagement– Directmappingonvirtualmemory– AccessprotecTon:Instrumentmemoryaccess
EPC_begin
EPC_end
enclave_begin
enclave_end
QEMU’stranslaTonrouTne
…Case(Load|Store){}
…
Virtualaddressspace
2.Prohibitothersenclaves’EPCtocurrentenclave’sEPC
1.ProhibitaccessfromhosttoEPC
InstrucBonSupport
17
• OpenSGXsupportsmostinstrucTonsinthespecificaTon– ExceptfordebuggingrelatedinstrucTons(e.g.,EDBGRD)– Instead,itoffersrichenvironmentfordebuggingsinceitisa“so_wareemulator”(e.g.,GDBstub)
• ProvidessimpleCAPIswhichwrapsassemblycode– User-levelinstrucTons(ENCLU):accessibletouser-levelAPIs– Super-levelinstrucTons(ENCLS):Requiressystemsupport
APNet2017
OSEmulaBonLayer
18
• EmulateOStoexecutetheprivilegedSGXinstrucTons• OS-neutralinterfacefor:
– Bootstrapping(EPCallocaTon)– EnclaveiniTalizaTon&pagetranslaTon– DynamicEPCpageallocaTon
Systemcall DescripBonsys_sgx_init() AllocateEPCmemoryregion
sys_init_enclave() Createanenclave,AddandmeasureEPCpagessys_add_epc() AllocatesanewEPCpagetotherunningenclave
sys_stat_enclave() ObtainstheenclaveperformancestaTsTcs
APNet2017
NarrowinterfaceforSGXuserlib:TrampolineandStub
…
“Astrictandnarrowinterfacetohandleenclave-hostcommunicaTonusingshareddata/code”
19Enclave
Code
Heap
Lib
EmulatedOS Wrapper
Trampoline
(Shared)
…if(fcode==FUNC_MALLOC)alloc_tramp();…
fcodemcode
argument1
heap_end Stub:ShareddatatospecifythefuncBoncodeandarguments
Trampoline:Sharedcodetocalluser-levelAPIsinthewrapper
Heap
…malloc(100);…
malloc(){…sgx_exit(tram);…}
<SpecificaBon>fcode:FUNC_MALLOCmcode:EAUGsize:100
Stub
FULL!
TrampolineandStubInterface
Stub…
“Astrictandnarrowinterfacetohandleenclave-hostcommunicaTonusingshareddata/code”
20Enclave
Code…malloc(100);…
Heap
Libmalloc(){…sgx_exit(tram);…}
EmulatedOS
intsys_add_epc(){encls(EAUG,…);…
Trampoline
(Shared)
CallEAUG
heap_end
ERESUME
EEXIT
heap_end+4KFUNC_MALLOC
EAUG100
…if(fcode==FUNC_MALLOC)alloc_tramp();…
Wrapper
alloc_tramp(){…sys_add_epc();…}
User-levelAPIstorequestsystemcalls
SystemCall
OpenSGX:UsageExample
21
• SimilartobuildingaCprogram– Compile(Similartogcc)– Sign(Usingprogrammer’skey)– ExecuTon(Compiledenclavebinaryisloadedandexecuted)
APNet2017
voidenclave_main(){char*hello=“hellosgx!\n”;sgx_enclave_write(hello,strlen(hello));sgx_exit(NULL);}
$opensgx–chello.c$opensgx–shello.sgx–keysign.key$opensgxhello.sgxhello.confhellosgx!
Codeenclave_main()
Data“hellosgx\n”
0x0000EPC1
0x1000EPC2
Entrypoint:SigStruct:…
OpenSGX:CurrentStatus
22
• Availableatgithub,releasedinMay2015– 14kLoC– h_ps://github.com/sslab-gatech/opensgx– 11Contributors(Gatech,KAIST,Twosigma,MITRE,…)– 31uniquecloners,1,645Views(January,2016)– Usedinacademia:S-NFV[SDN-NFVSecurity16],EdgefuncTons[SEC16],
SGX-enabledVMmigraTon[IEEESERVICES16],System-levelOpenSGX[Computers&Security17],…
• Ourcurrentcommunity
APNet2017
Ourwork1. OpenSGX[NDSS16]:Open-sourceemulatorplaaorm
forSGXresearch
2. WhatimpactdoesSGXhaveonnetworking?-AfirstStepTowardsLeveragingCommodityTrustedexecuTon
EnvironmentsforNetworkApplicaTons[HotNets15] -
-EnhancingSecurityandPrivacyofTor’sEcosystembyusingTrustedExecuTonEnvironment[NSDI17]-SGX-Box:EnablingVisibilityonEncryptedTrafficusingaSecureMiddleboxModule[APNet17]
23
Toranonymitynetwork
24
• Tor:themostpopularanonymitynetworkforInternetusers– Helpsuserstodefendagainsttrafficanalysisandkeepuser’sprivacy(e.g.,whatsitesyouvisit,IPaddress)[fromTorproject,www.torproject.org]– Freelyavailableasanopensource– 1.8millionusersonadailybasis
*fromOnionview,h6ps://onionview.codeplex.com/
APNet2017
ThegeographiclocaTonofTorrelays*
Tornetwork:Threatmodel
25
• Tor’sThreatmodel– Torisavolunteer-basednetwork:Torrelaysarenottrusted
CanobservesomefracBonofnetworktraffic
CanrunaTorrelaysofhisown
CancompromisesomefracBonofTorrelays
Entry Middle Exit Torclient DesTnaTon
Plain-text
TLSchannel TLSchannel TLSchannel
• 3-hoponionrouTng:asingleTorenTtycannotknowbothclientandserver
ProcessingUnit:Cell(512Bytes)
APNet2017
LimitaBonsofTor
26
Entry Middle Exit Torclients
DesTnaTon
Plain-text
TLSchannel TLSchannel TLSchannel
ALackerscanmodifythebehavior
GivefalseinformaTontoothers
Modifyorinjectthecell
Bandwidth20MB/s150MB/s
Inflated!
ProcessingUnit:Cell(512Bytes)
InformaBonvisibletoaLackers
Cell: header
DemulTplexandidenTfyacircuit
Cell
Cell
APNet2017
SGX-Tor:LeveragingIntelSGXonTor
27
IntelSGX
Improvedtrustmodel
OperaBonalprivacy
PracBcalityTornetwork
Middle
Improvedtrustmodel OperaBonalprivacy PracBcality• SpellsoutwhatuserstrustinpracTce
• ProvidesulTmateprivacy
• ProtectssensiTvedataandToroperaTons
• PreventsmodificaTonsonTorrelays
• Thechanceofhavingmorehardwareresourcesdonated
• Incrementallydeployable
• CompaTbility
SGX-Tor
APNet2017
Userprocess(TorapplicaBon)
SGX-Tor:DesignandImplementaBon
28
Enclavememory
SSLLibrary
ALestaBonModule
SealingModule
Seals/unsealsprivatedata
Integritycheck
Torcode/data(Core)-CircuitEstablishment-Hiddenservice-VoTng-EncrypTon/DecrypTon-Cell/ConsensuscreaTon
Crypto/TLSoperaTonsSecurelyobtainstheentropyandTmevalue
EncryptsandstoresthesensiTvedataoutsidetheenclave
ValidatestheenclavehashoftheTorprogram
APNet2017
Userprocess(TorapplicaBon)
SGX-Tor:DesignandImplementaBon
29
Enclavememory
SSLLibrary
ALestaBonModule
SealingModule
Seals/unsealsprivatedata
Integritycheck
Torcode/data(Core)-CircuitEstablishment-Hiddenservice-VoTng-EncrypTon/DecrypTon-Cell/ConsensuscreaTon
Crypto/TLSoperaTons
SystemCall
EnclaveCreaTon
Trusted Untrusted
EnclaveiniTalizaTon
StandardLibrary(glibc)
Torcode/data(Untrusted)
SGXRunBmeLibrary
Applica0on
ECALL
OCALLRequestsystem
services
OCALL/ECALLWrapper
Userprocess(TorapplicaBon)
SGX-Tor:DesignandImplementaBon
30
Enclavememory
SSLLibrary
ALestaBonModule
SealingModule
Seals/unsealsprivatedata
Integritycheck
Torcode/data(Core)-CircuitEstablishment-Hiddenservice-VoTng-EncrypTon/DecrypTon-Cell/ConsensuscreaTon
Crypto/TLSoperaTons
SystemCall
EnclaveCreaTon
Trusted Untrusted
EnclaveiniTalizaTon
StandardLibrary(glibc)
Torcode/data(Untrusted)
SGXRunBmeLibrary
Applica0on
ECALL
OCALLRequestsystem
services
OCALL/ECALLWrapper
Narrowinterface
Sanitychecking1. Argumentlength2. Addressrange
ALacksdefeatedbyusingSGX-Tor
31
Replay CellcounBng
DirectoryauthoriBes
Maliciousrelay(modifiedTor)
1.BWscanning 2.Detectscanning 3.ReportfakeBW 4.Create
consensusdocument
AdverTsedBWInflated!
2.BandwidthinflaBon
1.TaggingaLack
APNet2017
Entry Middle Exit Torclients
DesTnaTon
Plain-text
TLSchannel TLSchannel TLSchannel
ALacksdefeatedbyusingSGX-Tor
32
Replay CellcounBng
DirectoryauthoriBes
Maliciousrelay(modifiedTor)
1.BWscanning 2.Detectscanning 3.ReportfakeBW 4.Create
consensusdocument
AdverTsedBWInflated!
2.BandwidthinflaBon
1.TaggingaLack
APNet2017
Entry Middle Exit Torclients
DesTnaTon
Plain-text
TLSchannel TLSchannel TLSchannel
ALractmoreclients!
ALacksdefeatedbyusingSGX-Tor(Cont.)
33
-accesssensiBvedata -modifythecodeALackerscannot
ALacksdefeated/miBgatedbySGX-Tor• CircuitdemulTplexing[S&P06]• BandwidthinflaTon[PETS07,S&P13]• Tagginga_ack[TON12,CCS12,S&P13]
…
Entry Middle Exit Torclients DesTnaTon
Plain-text
TLSchannel TLSchannel TLSchannel
Enclave
Circuitestablishment
CellcreaTonEncrypTon/DecrypTon
Onion/SSLkeycreaTon
Enclave EnclaveEnclave
Cell
Circuitdescriptor
Privatekeys
SGX-Torisanopensource:h_ps://github.com/KAIST-INA/SGX-Tor
PerformanceevaluaBon
34
• SGX-Torperformance:WANse�ng– EstablishaprivateTornetwork– FortherealisTcscenario,weconsiderthe“localityofrelays”(Asia,EU,U.S.West,U.S.East)
00.20.40.60.81
0 250 500 750 1000
CummulaT
veProb.
Time-to-first-byte(ms)
10MB
100M
B
0 30 60 90 120
HTTPSHTTP
HTTPSHTTP
Throughput(Mbps)
FileSize
(MB)
client
server
Entry(KAIST)
Middle(Cloud)1.EU2.U.S.West3.U.S.East
Exit(Gatech)
<EvaluaBonenvironment>
:SGX-Tor :OriginalTor
11.9%degradaTon 3.9%addiTonallatency
Enclave Enclave
OurEarlyLessonsonSGXresearch
• PerformanceoverheadscausedbyusingSGX– EPCPaging(limitedmemoryspace:<200MB)– Contextswitch(foreachOCALL)
• WhilebuildingSGX-basedsystem,weshould– Reduceenclavesizeasmuchaspossible– MinimizecopyingalreadyencrypteddatatoEPC(e.g.,SSL-encryptedpacket)
– Seallargedatastructuresthatareusedinfrequently
35APNet2017
OurEarlyLessonsonSGXresearch(Cont.)
• SecurityissueswhilebuildingSGXsystems– Narrowinginterfacetoreducea_acksurfaceandsanitycheckingforinput/outputarguments
– Newa_ackscenarioscausedbyassumingmalicioussystemsodware(e.g.,bandwidthinflaTonbyOSinSGX-Tor)
• Asaresultofourexperience,wereleaseSGX-portedOpenSSLasanopensource– h_ps://github.com/sparkly9399/SGX-OpenSSL
36APNet2017
Conclusion• WedesignandimplementOpenSGX,fullyfuncTonalandinstrucTon-compaTbleSGXemulator
• CommodiTzaTonofTEEbringsnewopportuniTesfornetworkapplicaTons
• Ongoingwork:ApplySGXtoNetworkFuncTonVirtualizaTon– BuildingasecuremiddleboxbyleveragingSGX– WillbepresentedinAPNet2017(SGX-Box)
37APNet2017
38APNet2017
OurEarlyLessonsonSGX
39
• MisconcepBonsonSGX– SGXfordesktop-likeenvironment:NeedssecureI/Ochannel(integraTonwithhardwaretechnologysuchasIntelIPT)
– NeedEPIDsupportforremotea_estaTon
• MalicioususeofIntelSGX– MalwaremightbepossiblebyabusingtheisolaTonproperty– FailsontradiTonalsignature-basedAVprograms
APNet2017
Comparison:IntelSGXvsOpenSGX
40
IntelSGX OpenSGX Type Hardware SodwareEmulator
InstrucTons 16ENCLS,8ENCLU 13ENCLS,8ENCLU(Exceptdebugging)
Datastructures Specified ○
Paging Pagetable Directmapping
Systemsodware Notspecified UserlevelemulaTon
UserlevelAPIs SDKisavailable(OnlyforWindows) ○
Enclave
DefenseagainstIagoaLacks
41
• Iagoa_acks[ASPLOS’13]:MaliciousOStriestosubverttrustedapplicaTonbyincorrectbehaviorex)addsincorrectEPCpageforheap
…malloc();
…
ApplicaTon In-enclaveLib
EmulatedOS
Wrapper Stubheap_endcur_heap_ptrvoid*malloc(intsize){
if(cur_heap_ptr==heap_end){stub->mcode=EAUG;exit(trampoline);}
Trampolinemalloc_tramp(){sys_add_epc();}
enclu(EACCEPT,…); intsys_add_epc(){…}
BadEPCpage
Detect!
MemoryStateofOpenSGXProgram
42
SGXOSEmulaBon
QEMUSGX
Userprocess(singleaddressspace)
ENCLS(e.g.,EINIT)
PackageInfoEntrypointMeasurementKey…
SGXLib Trampoline
Stub Wrapper
Lib
Stack Heap
EnclaveProgram
Code
Data
EPC EPC
EPC
EPC EPC
…
…
Privilegeboundary
Systemcallsboundary
ENCLU(e.g.,EENTER)
ENCLU(e.g.,EEXIT)
Systemcall(e.g.,sys_sgxinit())
Conclusion
43
• WedesignandimplementOpenSGX,fullyfuncTonalandinstrucTon-compaTbleSGXemulator
• AsashowcasingapplicaTon,wedevelopSGX-enabledTortoenhancethesecurityandprivacy
• OpenSGXoffersopportunitytoleverageallcomponentsofSGXfortheresearch– HardwaresemanTcs(e.g.,encrypTonschemeofMEE)– Systemsodware,enclaveloaderanduser-levelAPIs– RedesigningunforeseensecurityapplicaTons(e.g.,Tor)
APNet2017
Trend:CommodiBzaBonofTEE
44
• TrustedExecuTonEnvironment(TEE):HardwaretechnologyfortrustedcompuTng
OS(untrusted)
ApplicaTon(untrusted)
Securecontainer IntegritycheckingàPreventsbehaviormodificaTon
Modified Torcode
• IntelSGX:apromisingTEEtechnologyforgenericapplicaTons– NaTveperformanceinthesecuremode– AvailableonIntelSkylakeandKabylakeCPU
Cannotaccessdata,flowcontrolXàProtectsthesecrecyoftheprogram
edit
Original
APNet2017
Tornetwork:Threatmodel(Cont.)
45
DirectoryauthoriBes
• Carefuladmission• Behaviormonitoring
Torclient DesTnaTon AnonymityBroken!
APNet2017
Tornetwork:Threatmodel(Cont.)
46
Torclient DesTnaTon AnonymityBroken!
… • Havingalargenumberofrelays
Out-of-scope:network-leveladversary(controlsalargefracTonofnetwork)
1. Currentlyruns~10,000relays
2. Large-scaletrafficcorrelaTonisbelievedtobeverifydifficultinpracTce
APNet2017
DirectoryauthoriBes
• Carefuladmission• Behaviormonitoring
Tornetwork:Threatmodel(Cont.)
47
Out-of-scope:network-leveladversarywhocancontrolsalargefracBonofTor
network
1. Currentlyruns~10000relays
2. Large-scaletrafficcorrelaBonarebelievedtobeverifydifficultinpracBce
However, Tor is still vulnerable to many types of attacks under its traditional threat model
APNet2017
Torclient DesTnaTon AnonymityBroken!
… • Havingalargenumberofrelays
DirectoryauthoriBes
LimitaBonsofTor
48
Problem1.Torrelaysaresemi-trusted– AuthoriTescannotfullyverifythebehaviorsofthem
Problem2.EvenaLackerscontrolafewTorrelays,theycan– AccessinternalinformaTon(circuitidenTfier,cellheader,…)– Modifythebehaviorofrelays(DDoS,packettampering,…)
Modifyingthebehavior
AccessinginternalinformaBon
• MaliciouscircuitcreaTon[Security09,CCS11]• Snipera_ack[NDSS15]• Badapplea_ack[LEET11]
• HarvesTnghiddenservicedescriptors[S&P13]
• CircuitdemulTplexing[S&P06]• WebsitefingerprinTng
[Security15]
Both
<Low-resourceaLacks> • tagginga_ack[ICC08,TON12,
CCS12,S&P13]• BandwidthinflaTon[PETS07,
S&P13]• ControllingHSDir[S&P13]
LimitaBonsofTor(Cont.)
49
ToaddresstheproblemsonTor,1)Fundamentaltrustbootstrappingmechanism2)AdvancedtrustmodeltoverifyuntrustedremoteparTesarerequired
APNet2017
Entry Middle Exit Torclients
DesTnaTon
Plain-text
TLSchannel TLSchannel TLSchannel
SGX-Tor:LeveragingIntelSGXonTor
50
IntelSGX
Improvedtrustmodel
OperaBonalprivacy
PracBcalityTornetwork
Middle
Improvedtrustmodel OperaBonalprivacy PracBcality• SpellsoutwhatuserstrustinpracTce
• ProvidesulTmateprivacy
• ProtectssensiTvedataandToroperaTons
• PreventsmodificaTonsonTorrelays
• Thechanceofhavingmorehardwareresourcesdonated
• Incrementallydeployable
• CompaTbility
SGX-Tor
APNet2017
àReducesthepowerofana_ackerwhocurrentlygetsthesensiTveinformaTonbyrunningTorrelays
àRaisesthebarforToradversarytoatradiTonalnetwork-leveladversary(onlypassivelyseetheTLSbytestream)
SGX-Tor:ThreatModel
51
• OnlytruststheunderlyingSGXhardware&Torcodeitself• Donotaddressnetwork-leveladversaries:whocanperformlarge-
scaletrafficanalysis• Outofscope:VulnerabiliTesinTorcodes,SGXsidechannela_acksàMiTgatedbyrecentSGXresearch:Moat[CCS16],SGX-Shield[NDSS17],T-SGX[NDSS17]
OS(untrusted)
ApplicaTon(untrusted)
Enclave
CPU
Powerfulnetwork-leveladversary:out-of-scopeTCB:Enclave+CPUpackage
<SGXThreatmodel> <TorThreatmodel>
NewfuncBonality:AutomaBcadmission
52
• IntegrityverificaBonofrelays(DirectoryauthorityàOnionRouter)– AutomaTcallyadmits“unmodified”and“SGX-enabled”relays– Improvedtrustmodel:currentimplicittrustmodelturnsintotheexplicittrust
model
Directoryauthority
Torrelays
Expectedhash Admit(matchsuccess)
A_estaTonfail(notSGX-enabled)
A_estaTonfail(badhash)
Enclave
EnclaveRemote
A_estaTon
Enclave
Nickname:OR1
Nickname:OR2
Nickname:OR3
Consensusdocument
(modified)
name:OR1BW:20MB/sfingerprint:….
NOTE:TorusesthesamebinaryfordirectoryauthoriTes,Torrelays,andclientproxies
APNet2017
Incrementaldeployability
53
• SGX-Tor’sbasicassumpBon:“AllrelaysandauthoriTesareSGX-enabled”
• SGX-Torsupportsinteroperability– Allowsadmissionofnon-SGXrelayswithoutremotea_estaTon– SGX-enabledclientscangetthelistofSGX-TorrelaysfromSGX-enabledauthoriTes
Entry Middle Exit Torclient DesTnaTon
Enclave Enclave Enclave
Enclave … Enclave EnclaveDirectoryauthoriTes
RemoteA_estaTon
Enclave
Enclave
APNet2017
ImplementaBondetail
54
• Engineeringefforts– SupportforWindows/Linux(basedonIntelSGXSDK)– SGX-portedlibraries:OpenSSL,libevent,zlibc– SGX-Torisanopensource:Availableath_ps://github.com/KAIST-INA/SGX-Tor
• TrustedCompuTngBase(TCB)size– TCBsizeofHaven:Morethan200MB(maximumenclavesize:128MBinWindows)
– 3.8xsmaller(320KLoCvs1,228KLoC)thanGraphene(opensourcelibraryOSforSGX)
APNet2017
EvaluaBon
55
1)WhatkindofsensiBvedataofTorisprotectedbySGX-Tor?2)WhatistheperformanceoverheadofrunningSGX-Tor?3)HowcompaBbleandincrementallydeployableisSGX-TorwiththecurrentTornetwork?
• Environmentalsetup– SGXCPUs:IntelCorei7-6700(3.4GHz)andIntelXeonCPUE3-1240(3.5GHz)– ConfiguraTon:128MBEnclavePageCache(EPC)– RunningTorinWindows,FirefoxasaTorbrowser(intheclientproxy)– EstablishaprivateTornetworkusingchutney
APNet2017
WhatisprotectedbySGX-Tor?
56
CurrentTor Network-leveladversary SGX-Tor
TCP/IPheader Visible Visible Visible TLS-encryptedbytestream Visible Visible Visible
Cell Visible Notvisible Notvisible CircuitID Visible Notvisible Notvisible
VoTngresult Visible Notvisible Notvisible Consensusdocument Visible Notvisible Notvisible
Hiddenservicedescriptor Visible Notvisible Notvisible Listofrelays Visible Notvisible Notvisible Privatekeys Visible Notvisible Notvisible
APNet2017
00.20.40.60.81
0 1 2 3Cu
mmulaT
ve
Prob
. HiddenServiceThroughput
PerformanceevaluaBon(Cont.)
57
• End-to-endclientperformanceofSGX-Tor(usingTorbrowser)– Weblatency:VisiTngAlexaTop50websites– Hiddenservice:HTTPfileserver(downloading10MB)
00.20.40.60.81
0 50 100 150
CummulaT
ve
Prob
.
WebpageLoadingTime(s)
:SGX-Tor :OriginalTor
3.3%degradaTon 7.4%addiTonallatency
SGX-Tor:13.2sOriginal:12.2s
SGX-Tor:1.30MbpsOriginal:1.35Mbps
APNet2017
CompaBbilitywithvanillaTor
58
• Long-running:AdmitSGX-TorrelaysinthevanillaTor– Collectedresultsfortwoweeks
AdverBsedbandwidth* MiddleselecBonProbability NetworkI/Obandwidthpersecond
:SGX-Tor :OriginalTor
Fast Stable
*Fromh_ps://collector.torproject.org/
ServesTortrafficwell ActuallyselectedbymulTpleTorusers
Listedintheconsensusdocument
APNet2017
Conclusion
59
• WedesignandimplementSGX-TorbyleveragingcommodityTEEanddemonstrateitsviability– Givesmoderateperformanceoverhead– ShowsitscompaTbilityandpossibilityofincrementaldeployment
• SGX-TorenhancesthesecurityandprivacyofTorby– DefendingagainstexisTnga_acksonTor– BringingchangestothetrustmodelofTor– ProvidingnewproperTes:automaTcadmission
• Availableatgithub!(h_ps://github.com/KAIST-INA/SGX-Tor)
APNet2017
On-GoingWork
• ApplySGXtoNetworkFuncTonVirtualizaTon– RunningmiddleboxesonactualSGX-enabledCPU– WillbepresentedinAPNet2017(SGX-Box)
• Enhancingthesecurityandprivacyofsodware-definedinter-domainrouTng
60APNet2017
