Integrity and Attestation

During enclave creation (c.f. Section 2.4.1), memory pages added to the enclave using EADD are supposed to bemeasured using the EEXTEND instruction [78]. This instruc-tionextends the value of theenclave identityby calculation of a checksum of a 256 Byte chunk of the memory page’s content concatenated with the previous value. The enclave identity value describes the enclave’s memory contents and the sequence of SGX

in-structions that were called during enclave creation and is held in theMRENCLAVEfield of the enclave’sSECSdata structure. This value is finalised by theEINITinstruction that completes the enclave creation process and can not be changed afterwards.

In order for theEINITinstruction to accept an enclave and initialise it correctly, it expects a validEINITTOKEN[28], which is issued by a special enclave provided by Intel called thelaunch enclaveand comprises meta information about the enclave to be ini-tialised such as the expectedMRENCLAVEvalue. Only on provision of a validEINITTOKEN the enclave is marked initialised by the architecture and ready to be entered by user space threads. EINIT also expects a signature by the enclave developer’s private key which is delivered in the form of theSIGSTRUCTdata structure [28, 6]. DuringEINIT, the signature inside SIGSTRUCTis verified and MRENCLAVEis compared to the signed MRENCLAVEinside theSIGSTRUCT. During theEINITprocess, theMRSIGNERvalue is writ-ten into the SECS which denotes the identity of the enclave certificate’s signer [6, 28].

Attestation allows to establish trust into an SGX enclave by proving the enclave’s in-tegrity and the inin-tegrity of the underlying SGX hardware to the attester. The attestation process can be executed between two enclaves on a platform (local attestation) or between an enclave and a remote entity (remote attestation). Though, on SGX platforms, remote attestation is based internally on local attestation.

Local attestation proves an enclave’sMRENCLAVEvalue to another enclave on the same platform. For this the attesting enclave—attester—sends its ownMRENCLAVEvalue to the enclave to be attested. Upon reception, this enclave creates areportusing theEREPORT instruction, which is destined and distinct for the attester’s MRENCLAVE and sends it back to the attester. This report proves that the hardware is trustworthy and comprises the enclave’s identities and attributes, up to 256 Bit arbitrary user data and a Message Authentication Code (MAC). The attester now retrieves itsreport keyusing theEGETKEY instruction which allows the verification of that MAC. This proves that the attested en-clave is running on the same platform. Afterwards, the attester compares theMRENCLAVE value included in the report with the expected value and is then assured of the integrity of the attested enclave. Finally, this process can be repeated in reverse direction to es-tablish a mutually trusted relationship between the two enclaves.

The process of remote attestation of SGX enclaves is based on the local attestation described in the previous paragraph. However, as a first step of remote attestation, the enclave to be remotely attested is first locally attested by a special enclave provided by Intel—the Quoting Enclave. This enclave can create a so calledquote after successful local attestation, that constitutes a cryptographic proof of the identity of the attested enclave that can be verified by a remote party. Upon reception of such a quote, the re-mote attester can verify it using the Intel Attestation Service (IAS) provided by Intel and

2.4 Intel SGX

compare theMRENCLAVEvalue included in the quote with the expected value. Thereby, remote attestation is inherently based on trust in Intel as the processor manufacturer, that equips every SGX-capable CPU with an individual key during manufacturing and is also responsible for the IAS. However, it is also possible to establish a third party attestation service without run-time dependencies to Intel [5, 101].

Since an enclave’s data in the EPC is backed by (volatile) DRAM, it is essential to be able to persist data outside the enclave. However, confidentiality and integrity of an enclave’s assets stored outside it must still be protected. For this purpose, Intel SGX offers special keys supposed to encrypt data persisted outside the enclave’s boundary in a process calledsealing[6]. Those keys can be accessed by an enclave using theEGETKEY instruction, and differentiate between the enclave and the sealing identity. Sealing to the enclave identity only permits access to instances of the very same enclave as the key is derived from the enclave’s identity (MRENCLAVE). In contrast, sealing to the sealing identity permits access also to other enclaves with the same sealing authority as the key is derived fromMRSIGNER. With the help of those keys, the enclave can persist data securely outside its reach by using any cryptographic operation of its own choosing.

In general, SGX was tailored to protect the confidentiality and integrity of sensitive user data in enclaves. Using SGX allows to assume a very strong attacker model, that even covers physical access to the machine and allows the OS itself to be considered malicious. However, as SGX enclaves are executed within regular user processes on top of a commodity OS, they are helpless against availability attacks such as a denial of service attacks as the underlying OS can simply decide to not schedule an enclave. In addition to that, side channel attacks are excluded from SGX’s threat model [28], leaving defence mechanisms against such kinds of attacks to the enclave developers.

3 Trusted Execution in the Cloud

Cloud computing [79] has gained traction and popularity in the recent years [87, 25, 46].

This is due to its benefits for all involved parties, as the cloud providers benefit from ef-ficient resource usage and the economy of scale, while the customers can offload many maintenance tasks to the cloud provider and focus more on their main targets. Thereby, cloud computing allows the customers to flexibly rent all kinds of computing resources they need, when they need them and only as long as they actually need them. However, security is still a crucial requirement and as it can not be guaranteed in a cloud envi-ronment yet [86], this influences cloud adoption significantly and even renders some use cases impractical or infeasible in public clouds [87, 55, 49, 82, 97, 46, 62].

The demand for a secure and trusted cloud platform is high and could enable new cloud usage scenarios that are impossible at the moment. This requires the cloud providers to establish a platform that can guarantee certain security properties to their customers. Therefore, it is not enough to only define constraints in contracts that both, the provider and the customer sign, instead it is required to enforce security proper-ties such as confidentiality of data by technical means. While confidentiality-protected data storage in an untrusted cloud is feasible relatively easily by client-side data encryp-tion before uploading the data to the cloud, it is a much harder challenge to allow data processing of sensitive data in such an untrusted environment.

In this thesis, a trusted cloud platform is approached that allows sensitive data pro-cessing as described above without trusting the cloud provider. This means the cloud provider should be restricted by technical means from accessing the customer’s data.

This not only prevents the cloud provider from accessing the data despite not being al-lowed to, but also removes the burden of being able to do so off the cloud provider. The latter is particularly relevant in case of higher level access requests by a governmental authority that pursues mass surveillance, for example.

If such a trusted cloud platform existed, it would enable new opportunities for us-age scenarios that are not possible right now. For example, currently if sensitive data is supposed to be processed in a public cloud environment it has to be gauged if data leakage can be accepted and compensated through financial penalties. This could be a relevant option for cloud usage by industry that experience profit collapses on data

leakage. However, it might not be a viable option for medical applications that involve patient data that are relevant to a patient and even her descendants for decades. Another example could be governmental cloud usage, that, for example, could incorporate intel-ligence data. In both these cases, impaired entities of data leakage would probably not be interested in financial compensation and suffer from irreplaceable damage. Cur-rently, since there are no technical means to protect data from such risks, such cloud usage is not possible.

One straight forward approach to achieve a trusted cloud platform would be the at-testation of the whole software stack. However, for several reasons this is particularly impractical in a cloud scenario: the cloud provider would be forced to publish the source code of all his management and infrastructure software including the hyper-visor to allow this. Though this is problematic since the competition between cloud providers results in highly customised software [3] which might also be considered a business secret. For example Amazon used to rely on a highly customised version of the Xen hypervisor [14] and just recently switched to a likewise customised KVM-based [59]

hypervisor. In addition, any updates to attested software would require remote attes-tation again. Furthermore, the attested software stack would be huge, resulting in a higher probability for exploitable security vulnerabilities [75]. Thereby, this applies to software components running on commercial cloud machines that are responsible for accounting and monitoring of the cloud platform. Due to these disadvantages this ap-proach to a trusted cloud is to be considered impractical.

Instead in this thesis we try to establish a trusted cloud platform by usage of trusted execution technology in an otherwise untrusted cloud environment. On top of our envisioned trusted cloud platform we intend to run partitioned applications with only a minimal trusted component in order to reduce the overall TCB and achieve high security. In addition to that, for the same reasons, we also put emphasis on minimising the TCB of the trusted cloud platform itself.

In this chapter we first discuss various origins of security issues in a cloud setting, and define the properties of a trusted cloud platform. Then, we present our trusted cloud platform TrApps, which implements the defined security properties and allows the execution of partitioned cloud applications with trusted components.

3.1 Cloud Security Issues

There are several possible sources of security risks in a cloud setting that go beyond a regular software’s security risks. Some are caused by the co-location of multiple soft-ware artefacts on the same hardsoft-ware platform and various kinds of interactions

be-3.1 Cloud Security Issues

tween them. Others are partly caused by the benefits that cloud computing offers to its customers, such as the inherent safety through redundancy of running a software com-ponent in multiple data centres, that causes a loss of control over where data resides globally. In the following we describe different sources of cloud security risks.