Towards Management of Chains of Trust for Multi-Clouds with Intel SGX. Houssem KANZARI and Marc LACOSTE, Orange Labs. Second Workshop on Security in Clouds (SEC2 2016)


SLIDE 1

Towards Management of Chains of Trust for Multi-Clouds with Intel SGX

Houssem KANZARI and Marc LACOSTE, Orange Labs

Second Workshop on Security in Clouds (SEC2 2016)

SLIDE 2

Orange internal

Trust and Isolation Issues in Cloud Environment

[Figure: cloud infrastructure layers (hardware, hypervisor (compromised), VM, VM (attacker), VM) and inter-DC network; labels: isolation, vertical CoT, horizontal CoT, exploit]

Threats: VM secure execution is compromised because of vulnerability to insider attacks

Approach: hardware-aided secure isolated execution: Intel SGX enclave

SLIDE 3

Trust and Isolation Issues in Cloud Environment

[Figure: cloud infrastructure layers (hardware, hypervisor (untrusted), VM, VM, VM) and inter-DC network; labels: isolation, vertical CoT, horizontal CoT]

Threats: VM integrity issues caused by the vulnerability of virtualized hardware over the hypervisor

Approach: a secure channel that can bypass untrusted layers: chain of trust

SLIDE 4

Outline

  • Background: chains of trust and Intel SGX
  • Evaluation
  • Implementation: CoT API over OpenSGX
  • CoT attestation protocols:
      • Intra-SGX Platform
      • Remote SGX Platform

SLIDE 5

Chain of Trust Based on Intel SGX

Chain of Trust:

  • RoT for measurement and reporting
  • Each element reports its trustworthiness in order to be part of the CoT
  • Append an element to the CoT by measuring its trust

Intel SGX enclave:

  • A secure execution context (code + data) isolated from external access
  • On-demand report generation for trustworthy attestation
  • Built-in report integrity measurement

[Figure: Enclave (Trustor) and Enclave (Trustee); labels: build then deliver report, check report integrity]

Intel SGX capabilities match CoT model requirements

SLIDE 6

Proposed Attestation Protocols

Intra-SGX Platform Enclave Attestation

The Intel SGX platform guarantees the local integrity of its enclaves

Each enclave verifies the integrity of the other through a MAC computation challenge allowed by Intel SGX

Establish trust between two enclaves
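An added sketch of the MAC challenge described on this slide, extended to appending enclaves to a chain (it is not code from the presentation, the CoT API or OpenSGX). Assumptions: HMAC-SHA256 stands in for the hardware report MAC, and the function names, the platform secret and the enclave code strings are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the secret fused into the CPU; software never sees the real one.
PLATFORM_SECRET = os.urandom(32)

def measure(code: bytes) -> bytes:
    """Enclave identity: a hash over the loaded code (its measurement)."""
    return hashlib.sha256(code).digest()

def report_key(target_mr: bytes) -> bytes:
    """Key bound to this platform and to the enclave that will verify the report."""
    return hmac.new(PLATFORM_SECRET, b"REPORT" + target_mr, hashlib.sha256).digest()

def build_report(reporter_mr: bytes, target_mr: bytes, nonce: bytes) -> dict:
    """Report about the reporter, MACed so that only the target can check it.
    On hardware the CPU fills in reporter_mr; the enclave cannot choose it."""
    mac = hmac.new(report_key(target_mr), reporter_mr + nonce, hashlib.sha256).digest()
    return {"mr": reporter_mr, "nonce": nonce, "mac": mac}

def check_report(own_mr: bytes, report: dict, expected_mr: bytes, nonce: bytes) -> bool:
    """Recompute the MAC with the verifier's own report key, then check the
    peer's measurement and that the report answers this challenge."""
    mac = hmac.new(report_key(own_mr), report["mr"] + report["nonce"], hashlib.sha256).digest()
    return (hmac.compare_digest(mac, report["mac"])
            and hmac.compare_digest(report["mr"], expected_mr)
            and hmac.compare_digest(report["nonce"], nonce))

def mutual_attest(mr_a: bytes, mr_b: bytes, want_a: bytes, want_b: bytes) -> bool:
    """Each enclave challenges the other with a fresh nonce and checks the answer
    against the measurement it expects (want_a, want_b)."""
    nonce_a, nonce_b = os.urandom(16), os.urandom(16)
    report_b = build_report(mr_b, mr_a, nonce_a)   # B answers A's challenge
    report_a = build_report(mr_a, mr_b, nonce_b)   # A answers B's challenge
    return (check_report(mr_a, report_b, want_b, nonce_a)
            and check_report(mr_b, report_a, want_a, nonce_b))

def build_chain(loaded: list, expected: list) -> int:
    """Append enclaves while each new link attests with the previous one.
    Returns the length of the chain that could be established."""
    length = 1  # the first enclave is taken as the starting point of the chain
    for i in range(1, len(loaded)):
        if not mutual_attest(loaded[i - 1], loaded[i], expected[i - 1], expected[i]):
            break
        length += 1
    return length
```

A report built for one enclave fails verification in any other enclave because the MAC key is derived from the target's measurement, which is what keeps the challenge local to the pair.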

SLIDE 7

Proposed Attestation Protocols

Inter-SGX Platform

The quoting enclave is responsible for reporting enclave integrity outside the platform

The target attests its integrity to the quoting enclave

The quoting enclave delivers to the target a formatted proof that can be verified outside the platform

Establish trust between two remotely located enclaves

SLIDE 8

Implementation over OpenSGX

[Figure: architecture. Labels: Enclave Program, Application Program, SGX OS Emulation, QEMU SGX, Code, Data, Stack, Measurement reports, Encryption keys, SGX lib, SGX System Call, SGX Instruction, Enclave Mode switch, CoT API, Attestation Routines, Key and Report Handler, Inter-Enclave Communicator]

CoT API features:

  • Built-in key creation, report signing and checking procedure
  • Dedicated secure socket interface
  • Ready-to-use attestation routines

SLIDE 9

Preliminary Scalability Results

CPU cycle consumption during CoT building vs CoT size

[Plot: million CPU cycles vs. CoT size (# of enclaves)]

  • Start-up offset (~120 Mcycles)
  • CoT establishment overhead appears sub-linear w.r.t. size

Our protocols could scale to large CoT sizes

Next steps:

  • Translate our approach from emulated to real Intel SGX hardware
  • Verify scalability on very large CoT size
  • Extend and enhance CoT API to capture richer CoT model (cross-layer)
  • Integrate with self-management security framework

SLIDE 10

Thank you