User-mode Secret Protection (SP) Architecture: paper and slides

User-mode Secret Protection (SP) architecture. Paper and slides from: Ruby Lee, Peter Kwan, Patrick McGregor, Jeffrey Dwoskin and Zhenghong Wang, “Architecture for Protecting Critical Secrets in Microprocessors”, IEEE/ACM International Symposium on Computer Architecture (ISCA), June 2005. Princeton Architecture Laboratory for Multimedia and Security (PALMS), Princeton University.

One User, Many Documents/Keys, Multiple Devices

Attacks on Devices
Reduced security perimeter: physical probing moves the boundary from the box to the chip.
[Figure: processor chip (registers, on-chip cache) against off-chip cache, main memory, disk, video, network and other I/O; software access to the hard disk, software access in supervisor mode and in the OS interrupt handler, and secure I/O]
• Security vulnerabilities:
 – Software
 – Physical (device theft)

Past Work
• Distributed software-based key management
 – Involves multiple servers
• Secure coprocessors and crypto tokens (deployed)
 – Tamper-resistant crypto modules (IBM’s 4758) and smartcards
• Trusted Computing Group (TPM recently available)
 – Industry: Microsoft NGSCB, Intel LaGrande
• Recent secure processor proposals (research)
 – XOM, AEGIS, VSCoP
• Our approach
 – Lower cost, high performance, no auxiliary hardware, no permanent secret, and requires minimal trusted software

Secret Protected (SP) Architecture
Security goal: keep the user’s keys private to the user.
1. New trust model – most SW and HW untrusted
2. Trusted software module (TSM) – securely perform operations using the keys
3. Encrypted keychain – reduce the amount of secrets needing protection
4. Concealed execution mode (CEM) – protect the execution environment of the TSM
5. New processor features
 – Very small additions to the ISA
 – Secure I/O – input of the user key

New Trust Model
[Figure: unprivileged software and privileged software (OS kernel) are both untrusted; only the trusted software module reaches the user secrets, through the TSM API]
• Disjoint region of trust with respect to CPU protection rings

1,000’s of keys are secured by protecting 1
[Figure: Passphrase → Hash() → User Master Key K, which protects the keys K1, K2, K3, K4, K5]
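The keychain slide above, as an added model that is not the paper's or PALMS' code: one passphrase is hashed into the User Master Key, and every other key the user owns (K1 to K5 on the slide) is stored encrypted and authenticated under that master key, so the keychain can sit on disk or move between devices while only the 128-bit master key needs hardware protection. Hash() is assumed to be SHA-256 truncated to 128 bits, and the keychain encryption is an HMAC-SHA256 keystream plus an HMAC tag, standing in for whatever symmetric cipher a real SP implementation would use; the function names and sample keys are constructed for this example.

```python
"""Added model of the SP hierarchical keychain (not the paper's code).

Assumptions: Hash() = SHA-256 truncated to 128 bits; keychain entries are
encrypted with an HMAC-SHA256 counter keystream and authenticated with an
HMAC tag bound to the entry's name.
"""
import hashlib
import hmac
import os

UMK_BITS = 128  # width of the User Master Key register on the slides


def derive_user_master_key(passphrase: str) -> bytes:
    """Hash() from the slide: passphrase -> 128-bit User Master Key (assumed SHA-256)."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()[: UMK_BITS // 8]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream; applying it twice undoes it."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_key(master: bytes, name: str, leaf_key: bytes) -> bytes:
    """Encrypt one leaf key under the master key and bind it to its name with a MAC."""
    nonce = os.urandom(12)
    ciphertext = _keystream_xor(master, nonce, leaf_key)
    tag = hmac.new(master, name.encode() + nonce + ciphertext, hashlib.sha256).digest()[:16]
    return nonce + ciphertext + tag


def unwrap_key(master: bytes, name: str, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises if the entry or the master key is wrong."""
    nonce, ciphertext, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(master, name.encode() + nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError(f"keychain entry {name!r}: bad tag (wrong master key or tampered)")
    return _keystream_xor(master, nonce, ciphertext)


def build_keychain(passphrase: str, leaf_keys: dict) -> dict:
    """Produce the encrypted keychain: only ciphertext and tags ever leave the chip."""
    umk = derive_user_master_key(passphrase)
    return {name: wrap_key(umk, name, key) for name, key in leaf_keys.items()}


def open_keychain(passphrase: str, keychain: dict) -> dict:
    """Recover every leaf key from the encrypted keychain with the passphrase alone."""
    umk = derive_user_master_key(passphrase)
    return {name: unwrap_key(umk, name, blob) for name, blob in keychain.items()}


# Constructed sample: five 128-bit leaf keys, K1..K5 as on the slide.
SAMPLE_LEAF_KEYS = {f"K{i}": hashlib.sha256(f"leaf key {i}".encode()).digest()[:16]
                    for i in range(1, 6)}

if __name__ == "__main__":
    chain = build_keychain("correct horse battery staple", SAMPLE_LEAF_KEYS)
    assert open_keychain("correct horse battery staple", chain) == SAMPLE_LEAF_KEYS
    try:
        open_keychain("wrong passphrase", chain)
    except ValueError as err:
        print("wrong passphrase rejected:", err)
```

Verifying the tag before decrypting is what turns a wrong passphrase, or an edited keychain file, into a clean error instead of silently returning garbage keys; the name inside the tag also stops one entry's ciphertext from being swapped into another entry's slot.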

HW Supporting the Key Chain
[Figure: core with L1 instruction cache, L1 data cache, L2 unified cache, encryption/hashing engine, external memory, and secure I/O logic driving LEDs, buttons and keyboard]
New registers:
• CEM Status Flags (2)
• CEM Return Address (64)
• User Master Key (128)
• Device Master Key (128)
• CEM Interrupt Hash (128)

Secret Protected (SP) Architecture
1. New trust model – orthogonal to protection rings
2. Hierarchical keychain – reduce the amount of secrets needing protection
3. Trusted software module (TSM) – carry out operations using the keys
4. Concealed execution mode (CEM) – isolation
 – Protect TSM program integrity
 – Protect TSM data in main memory and caches
 – Protect registers on interrupts
5. New processor features – very little addition to achieve the goal

Protect TSM Program Integrity
[Figure: TSM code, the code address and the Device Master Key feed Keyed_hash() to produce a MAC; each 64-byte cache line holds 48 bytes of instructions followed by a 16-byte MAC]
• Device Master Key
• Provide keyed hash (Message Authentication Code) per cache line
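The per-cache-line MAC on this slide, as an added model that is not the paper's or PALMS' code: at install time every 64-byte line of TSM code gets a 16-byte MAC computed over the Device Master Key, the line's code address and its 48 instruction bytes; on an instruction fetch in concealed execution mode the hardware recomputes the MAC and refuses to expose code that fails. Keyed_hash() is assumed to be HMAC-SHA256 truncated to 128 bits, addresses are assumed 64-bit, the MAC's address input is assumed to be the address of the line's first byte, and the sample TSM bytes and device key are constructed.

```python
"""Added model of SP's per-cache-line MAC for TSM code integrity (not the paper's code).

Assumptions: Keyed_hash() = HMAC-SHA256 truncated to 128 bits, 64-bit addresses,
and the address bound into the MAC is that of the line's first byte.
"""
import hashlib
import hmac

LINE_BYTES = 64   # cache line
CODE_BYTES = 48   # instruction bytes per line (from the slide)
MAC_BYTES = 16    # MAC bytes per line (from the slide)


def keyed_hash(device_master_key: bytes, code_address: int, code: bytes) -> bytes:
    """MAC over (address || 48 code bytes); the address binds the line to its location."""
    msg = code_address.to_bytes(8, "big") + code
    return hmac.new(device_master_key, msg, hashlib.sha256).digest()[:MAC_BYTES]


def install_tsm(device_master_key: bytes, base_address: int, tsm_code: bytes) -> list:
    """Split TSM code into cache lines and append a MAC to each (TSM install time)."""
    lines = []
    for n, off in enumerate(range(0, len(tsm_code), CODE_BYTES)):
        chunk = tsm_code[off:off + CODE_BYTES].ljust(CODE_BYTES, b"\x00")  # assumed zero padding
        address = base_address + n * LINE_BYTES
        lines.append(chunk + keyed_hash(device_master_key, address, chunk))
    return lines


def fetch_line(device_master_key: bytes, address: int, line: bytes):
    """Hardware check on a CEM instruction fetch: verify the MAC, then expose the code.

    Returns the 48 instruction bytes, or None when the check fails (the architecture
    would stop the TSM rather than execute modified or relocated code).
    """
    if len(line) != LINE_BYTES:
        return None
    code, mac = line[:CODE_BYTES], line[CODE_BYTES:]
    if not hmac.compare_digest(mac, keyed_hash(device_master_key, address, code)):
        return None
    return code


def verify_image(device_master_key: bytes, base_address: int, lines: list) -> bool:
    """Check every line of an installed TSM image at its expected address."""
    return all(fetch_line(device_master_key, base_address + n * LINE_BYTES, ln) is not None
               for n, ln in enumerate(lines))


def with_flipped_byte(lines: list, idx: int = 0, byte: int = 5) -> list:
    """Copy of the image with one instruction byte changed, to exercise detection."""
    out = list(lines)
    b = bytearray(out[idx])
    b[byte] ^= 0x01
    out[idx] = bytes(b)
    return out


# Constructed sample: a 100-byte fake TSM (3 lines) and a fake 128-bit Device Master Key.
SAMPLE_DMK = bytes(range(16))
SAMPLE_TSM = bytes((i * 7) & 0xFF for i in range(100))
SAMPLE_BASE = 0x10000

if __name__ == "__main__":
    image = install_tsm(SAMPLE_DMK, SAMPLE_BASE, SAMPLE_TSM)
    print("intact image verifies:", verify_image(SAMPLE_DMK, SAMPLE_BASE, image))
    print("modified image verifies:", verify_image(SAMPLE_DMK, SAMPLE_BASE, with_flipped_byte(image)))
    print("line 0 fetched at line 1's address:", fetch_line(SAMPLE_DMK, SAMPLE_BASE + 64, image[0]))
```

Binding the code address into the MAC is what makes the check catch a correctly-MACed line that has been moved or two lines that have been swapped, not just bytes that have been edited; a MAC over the instruction bytes alone would accept both.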

Basic Approach for Protecting TSM Data
Outside the security perimeter (DRAM, off-chip cache):
• Data exists as ciphertext
• Use encryption and hashing
Inside the security perimeter (processor chip, on-chip cache):
• Data exists as plaintext
• Use tagging

Protection over the Entire Memory Hierarchy
[Figure: main memory holds secure and non-secure code and data (Secure Code 1, Secure Code 2, Code 3, Data 1, Secure Data 2, Data 3); lines pass through decryption and hashing into the L2 unified cache; the L1 instruction cache carries secure instruction tags and the L1 data cache secure data tags, with a Y/N tag check on access]
• Cache line tagging – separating secure from non-secure, and data from code

HW Supporting Memory Protection
[Figure: core and registers with L1 instruction cache, L1 data cache, L2 unified cache, encryption/hashing engine, external memory, and secure I/O logic driving LEDs, buttons and keyboard]
New registers:
• CEM Status Flags (2)
• CEM Return Address (64)
• User Master Key (128)
• Device Master Key (128)
• CEM Interrupt Hash (128)

Protecting Register Values during Interrupts
[Figure: registers R0 … R31 form one plaintext message; Encryption() under the Device Master Key yields a ciphertext message written back into R0 … R31; Hash() of that message is kept in the on-chip CEM Interrupt Hash register, alongside the CEM Status Flags (2), CEM Return Address (64), User Master Key (128) and Device Master Key (128)]
• “In situ” register encryption – no change required in the OS interrupt handler
• Store hash on-chip
• Return address trigger
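The interrupt path on this slide, as an added model that is not the paper's or PALMS' code: on an interrupt taken in concealed execution mode the hardware encrypts the 32 general registers in place under the Device Master Key, keeps a hash of the encrypted register image in the on-chip CEM Interrupt Hash register and the interrupted PC in the CEM Return Address register, then jumps to the unmodified OS handler, which saves and restores registers as usual but only ever sees ciphertext. When control returns to the recorded address (the return-address trigger) the hardware re-hashes the registers, aborts the TSM if they were changed while suspended, and otherwise decrypts them. Encryption() is assumed to be an HMAC-SHA256 keystream, Hash() an HMAC-SHA256 under the Device Master Key, the two status flags are assumed to mean "CEM active" and "suspended by interrupt", and a per-interrupt counter is assumed as the keystream nonce since the slide does not say how the cipher is keyed per interrupt; the class and method names are constructed.

```python
"""Added model of SP's in-situ register encryption on interrupts (not the paper's code).

Assumptions: Encryption() = HMAC-SHA256 counter keystream, Hash() = HMAC-SHA256
under the Device Master Key, the two CEM status flags mean "active" and
"suspended by interrupt", and an on-chip interrupt counter supplies the nonce.
"""
import hashlib
import hmac

NUM_REGS = 32
REG_BYTES = 8  # 64-bit general registers


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream; applying it twice undoes it."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


class SPCore:
    """Architectural state of one core plus the new SP registers from the slide."""

    def __init__(self, device_master_key: bytes):
        self.regs = [0] * NUM_REGS            # R0 .. R31, visible to all software
        self.pc = 0
        self.device_master_key = device_master_key   # on-chip, never readable by software
        self.cem_active = False               # CEM Status Flag 1 (assumed meaning)
        self.cem_suspended = False            # CEM Status Flag 2 (assumed meaning)
        self.cem_return_address = 0           # CEM Return Address (64)
        self.cem_interrupt_hash = b""         # CEM Interrupt Hash (128)
        self._interrupt_counter = 0           # assumed nonce source

    def _pack(self) -> bytes:
        return b"".join(r.to_bytes(REG_BYTES, "big") for r in self.regs)

    def _unpack(self, blob: bytes) -> None:
        self.regs = [int.from_bytes(blob[i:i + REG_BYTES], "big")
                     for i in range(0, len(blob), REG_BYTES)]

    def _nonce(self) -> bytes:
        return self._interrupt_counter.to_bytes(8, "big") + self.cem_return_address.to_bytes(8, "big")

    def _hash_regs(self) -> bytes:
        """Hash() of the current (encrypted) register image under the Device Master Key."""
        return hmac.new(self.device_master_key, self._nonce() + self._pack(), hashlib.sha256).digest()[:16]

    def enter_cem(self) -> None:
        self.cem_active = True

    def take_interrupt(self, handler_address: int) -> None:
        """Hardware path on interrupt: encrypt registers in situ, hash, record return address."""
        if self.cem_active and not self.cem_suspended:
            self._interrupt_counter += 1
            self.cem_return_address = self.pc
            self._unpack(_keystream_xor(self.device_master_key, self._nonce(), self._pack()))
            self.cem_interrupt_hash = self._hash_regs()
            self.cem_suspended = True
        self.pc = handler_address  # the OS handler runs unchanged and sees only ciphertext

    def resume(self, target_pc: int) -> str:
        """Return-address trigger: 'ignored', 'aborted' (registers changed) or 'resumed'."""
        self.pc = target_pc
        if not (self.cem_suspended and target_pc == self.cem_return_address):
            return "ignored"
        if not hmac.compare_digest(self._hash_regs(), self.cem_interrupt_hash):
            self.cem_active = False    # modified or replayed register image: do not resume the TSM
            self.cem_suspended = False
            return "aborted"
        self._unpack(_keystream_xor(self.device_master_key, self._nonce(), self._pack()))
        self.cem_suspended = False
        return "resumed"


def run_untrusted_handler(core: SPCore, restore: bool = True) -> list:
    """An ordinary OS handler: push registers, use them, pop them. Returns what it saw."""
    saved = list(core.regs)                  # ciphertext only while CEM is suspended
    core.regs = [0xDEAD] * NUM_REGS          # handler's own work clobbers the registers
    if restore:
        core.regs = list(saved)              # existing handlers already restore on return
    return saved
```

Because the hash lives on chip, the OS can save and restore the encrypted registers anywhere it likes (its stack, a context block) and nothing in the handler needs to change, while any change to that image, including restoring a stale one from an earlier interrupt, is caught at the return-address trigger before the TSM regains control.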

Architectural Summary
[Figure: Secure I/O supplies the User Master Key, which protects the trusted software module (code, memory, registers) that operates upon the user secrets; device initialization establishes the Device Master Key, which protects the execution environment on the device]

Small Additions to the Processor
[Figure: the core with L1 instruction cache, L1 data cache, L2 unified cache, external memory and secure I/O logic (LEDs, buttons, keyboard), shown before and after adding the encryption/hashing engine and the new registers: CEM Status Flags (2), CEM Return Address (64), User Master Key (128), Device Master Key (128), CEM Interrupt Hash (128)]

Contributions and Conclusions
• Minimalist SP architecture protects critical secrets (keys), which then protect other sensitive data
• Decouples users from devices – more convenient and realistic usage model
• No permanent secret – defends against factory database compromise
• Master keys are symmetric keys – faster and less storage
• Security without compromising performance, cost, usability