Skip to content

Instantly share code, notes, and snippets.

@dayeol

dayeol/Fall2020Projects.md

Created September 2, 2020 18:56
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save dayeol/ee089eea321e543a2c49e90bd69444c7 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save dayeol/ee089eea321e543a2c49e90bd69444c7 to your computer and use it in GitHub Desktop.
Download ZIP
Fall 2020 Research Projects
Raw
Fall2020Projects.md

Research Projects

Preventing Iago attacks on Keystone

Iago attack uses an attacker's ability of choosing return value of a procedure call, especially system calls. If the attacker is somehow proxying the procedure, and/or can inject arbitrary return value, she can use this to break confidentiality or integrity of the program. One example is getpid() in Apache. Apache uses the return value of getpid() system call to get non-repeating nonce for its child process. However, if the attacker can choose the return value, it means that she can choose an arbitrary nonce.

The original scenario introduced by the paper was based on a network adversary during remote procedure call (RPC). However, the same attacker model can be applied to the trusted execution environment such as Keystone, as enclaves rely on the untrusted host OS for serving some of the system calls (e.g., I/O read and write).

Goals:

  • Understand Iago attacks and why hardware enclaves are affected
  • Identify what system calls should be served by the untrusted host OS
  • Identify what system calls will be vulnerable to the attack (and how).
  • Think about how we can mitigate the attack for each system call
  • Ideally implement the system calls and the mitigations on Keystone
  • Document all of the findings and mitigations.

Secure dynamic library in trusted execution environments

Dynamic (shared) library is essential for running many of existing applications. Currently, Keystone is only able to run statically-linked binaries, which limits the usage of the enclave. Supporting dynamic library requires ld which can read the library and map it into the enclave's address space.

Also, shared library brings up some fundamental issues to think about. When we use multiple shared libraries, they might have different measurement (hash) per different version. Thus, the workload is now not only just the binary, but also a bunch of dependent libraries. We somehow need a reliable way of verifying the integrity of the libraries.

One example is introducing a summary of the workload similar to manifest file in Graphene. The manifest may include the path and the hash of each library, and the enclave verifies the hash before it loads the library.

Goals:

  • Understand how shared library works in Linux
  • Understand how memory mapping is managed in Keystone
  • Think about how we can manage/verify the dynamic libraries
  • Design and implement dynamic library support in Keystone
  • Document the design and implementation
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment