Private application execution

Lead Research Organisation: University of Cambridge
Department Name: Computer Science and Technology

Abstract

General purpose processors have the great advantage of being able to run many applications side by side on the same hardware. These processors are used in continuously larger systems with increasingly valuable data. Malicious software will attempt to access the data of other applications to exploit this value. A common solution to this problem is enforcing segregation between these applications. For example, an operating system can sandbox different applications, a hypervisor can separate different operating systems, or the processor itself can guarantee separation of resources at the hardware level.

One common theme through these solutions is that there is one root of trust which has all the privileges. For example, in the case where an operating system sandboxes different applications, the operating system is the root of trust which restricts the resources of the applications. Thus, the operating system enforces that the applications cannot access each other's data; the operating system controls all the data and delegates only parts of it to each application. One caveat of such a system is that if the root of trust is compromised then every application and all the data on the device is compromised. In modern systems, the chance that there is a vulnerability in an operating system that can be exploited by malicious software is quite high.

This research proposal aims to look at still enforcing the data separation, but not necessarily relying on one root of trust to do so. On a hardware level, we can allow applications to keep data secret from the operating system. In this case, the operating system may still allocate resources, but the hardware can enforce that it cannot read the content of an application's data. Keeping application code and data secret will be called private application execution. One example of why this would be useful is an app that holds the Bitcoin private keys on a person's phone: the owner would not want those keys to be leaked, and all that value lost, if the mobile operating system were compromised. In security terms, private application execution would protect the confidentiality of the application's data from the operating system and the rest of the applications.

The research will be done on the CHERI platform, which has been developed by the Computer Laboratory in Cambridge. On this platform, different approaches to private application execution can be verified and compared. Additionally, as opposed to the closed-source implementation which exists as Intel's Software Guard Extensions (SGX), information about this research can be published and scrutinized by academia.

In a world where privacy and security are becoming more important, the principle of least privilege is a useful concept to limit the impact of an attack. This principle should also apply to the operating system, and therefore private application execution is a promising concept to limit the data that the operating system has access to.

Publications


Studentship Projects

Project Reference  Relationship  Related To    Start       End         Student Name
EP/N509620/1                                   30/09/2016  29/09/2022
1940704            Studentship   EP/N509620/1  30/09/2017  29/09/2020  Marno Van Der Maas
 
Description My work is focused on isolating applications that are running on the same computer from each other. Additionally, my isolation mechanism should protect applications from malicious operating systems. I call this isolation mechanism private execution.

Through my work on private execution I have studied a class of attacks called side-channel attacks, which use implementation-specific details to extract information from a victim indirectly. An example of a direct channel of communication is if you ask a child whether they've brushed their teeth, but you can check this with a side channel by testing whether the toothbrush is wet. Similar channels exist in modern processors where resources are shared between applications, and this sharing causes traces of information to leak from one application to another.

Since my previous submission, I have been able to publish a paper on the Praesidio system, which shows that it is possible to physically isolate enclaves onto separate cores to stop even privileged attackers from stealing data from enclaves. We show that this is possible for Linux applications on a RISC-V processor, which gives us high confidence that it is possible on other general purpose operating systems and processors as well.
Exploitation Route These specific findings can be used by hardware developers to make better processors and can be used by private execution environments to improve their security. Finally, understanding side-channel attacks helps developers understand what attacks private execution environments protect against and what protections they need to build themselves.
Sectors Digital/Communication/Information Technologies (including Software); Electronics; Security and Diplomacy

URL https://doi.org/10.1145/3411505.3418437
 
Title Praesidio SDK 
Description This is a complete software development kit to run Praesidio enclaves on top of a RISC-V simulator and includes a Linux driver to assist applications in spinning off enclaves. 
Type Of Material Computer model/algorithm 
Year Produced 2020 
Provided To Others? Yes  
Impact This SDK is the source of the results published in our peer-reviewed paper (https://doi.org/10.1145/3411505.3418437). It was made available under the MIT license in the spirit of open research.
URL https://github.com/marnovandermaas/praesidio-sdk
 
Description Contribution to Capability Hardware Enhanced RISC Instructions 
Organisation University of Cambridge
Country United Kingdom 
Sector Academic/University 
PI Contribution I fully participated in the CHERI group at the University of Cambridge and helped define version 7 of the instruction set architecture. My contribution included reviewing the document and implementing CHERI instructions in the RISC-V ISA simulator: https://github.com/CTSRD-CHERI/riscv-isa-sim
Collaborator Contribution The CHERI group has been at the forefront of evaluating hardware capabilities by building a full-stack implementation, from the hardware to the operating system and the applications running on top of them. This project has been so successful that ARM has publicly announced it will take these ideas into account in their new instruction set version. More information about the CHERI group can be found here: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
Impact Here is the instruction set architecture reference: https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-927.pdf
Here is the RISC-V simulator with added CHERI instructions: https://github.com/CTSRD-CHERI/riscv-isa-sim
Here are the overall contributions made by the project over the years: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
Start Year 2017
 
Description eFutures Early Career Researcher Workshop 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Other audiences
Results and Impact This workshop was organized by eFutures and was about enabling early career researchers to get to the next step in their career. One of the main aspects of this workshop was networking with other researchers at similar points in their career as well as with more experienced researchers.
Year(s) Of Engagement Activity 2020
URL https://efutures.ac.uk/efutures-early-career-researcher-multidisciplinary-and-diversity-workshop-jan...