CAP-TEE: Capability Architectures for Trusted Execution

Lead Research Organisation: University of Birmingham
Department Name: School of Computer Science

Abstract

Trusted Execution Environments (TEEs) shield computations using security-sensitive data (e.g. personal data, banking information, or encryption keys) inside a secure "enclave" from the rest of the untrusted operating system. A TEE protects its data and code even if an attacker has gained full root access to the untrusted parts of the system. Today, TEEs like ARM Trustzone and Intel SGX are therefore widely used in general-purposes devices, including most laptops and smartphones. But with increasingly wide-spread use, TEEs have proven vulnerable to a number of hardware and software-based attacks, often leading to the complete compromise of the protected data.

In this project, we will use capability architectures (as e.g. developed by the CHERI project) to protect TEEs against such state-of-the-art attacks. We address a wide range of threats from software vulnerabilities such as buffer overflows to sophisticated hardware attacks like fault injection. CAP-TEE will provide a strong, open-source basis for the future generation of more secure TEEs.

When developing such disruptive technologies, it is key to minimise the efforts for porting existing codebases to the new system to facilitate adoption in practice. In CAP-TEE, we therefore focus on techniques to ease the transition to our capability-enabled TEE. In industrial cases studies for the automotive and rail sector, we will demonstrate how complex code written in a memory-unsafe language like C(++) can be seamlessly moved to our platform to benefit from increased security without a full redesign.

Planned Impact

The research in this project will benefit:

a) Industry

Our four direct industry partners (Samsung, HP Labs, Horiba Mira, and Thales) will be deeply involved in steering the project to maximise industrial applicability of the results. We envision that the CAP-TEE technologies will find their way into future, more secure smartphones, automotive control units, and industrial control systems. We will also engage with the wider business community through presentations and dedicated dissemination events to ensure widespread adoption of the project results. This makes use of our industrial network, among others developed within the ESPRC and NCSC-funded research insitutes RITICS, RISE, and UKRRIN.

b) Government and society

Society as a whole will benefit from more secure devices used by most of us on a day-to-day basis. We will participate at public engagement events and engage with the media to create and improve public awareness of the benefits of "secure by default" systems as promoted by CAP-TEE. We will also work closely with the government, e.g. the NCSC, to help steer public policy around secure and trustworthy industrial control, rail, and automotive systems as well as trusted execution in general.

c) Research Community

Research papers based on the project results will be submitted to the highest ranked venues in the field. This will advance the state-of-the-art in trusted execution and development of secure embedded systems. We will extend our existing academic collaborations and seek new (inter)national ones. By following an open-source dissemination strategy, we aim to maximise the re-usability of the project results to enable follow-up research and reproducibility by other scientists. For this, we will setup a dedicated project website and repository to make all research artifacts publicly available.

We will collaborate interdisciplinary with the Digital Security by Design Social Sciences Hub+ to explore ways for creating incentives to build "secure by default" products from a social sciences perspective and for informing public policy around stronger security for critical infrastructure.

d) Education

We will continue to train the next generation of cyber security experts both through PhD studentships within CAP-TEE, our GCHQ/NCSC-recognised MSc in Cyber Security, and our UG programme in Computer Science. The novel techniques developed in the project around capability architectures and TEEs will directly feed into our cyber security teaching activities.
 
Description We cooperated with KU Leuven on a novel design to protect sensitive data in a trusted execution environment using capability architectures like ARM Morello.
Exploitation Route The design will eventually be made available as open source for other researchers and industry to build upon.
Sectors Digital/Communication/Information Technologies (including Software),Electronics,Security and Diplomacy

 
Description Teaching series with rail senior leaders
Geographic Reach National 
Policy Influence Type Contribution to new or Improved professional practice
 
Description SCAvenger - Attacking Machine Learning with Side Channel Attacks
Amount £54,000 (GBP)
Organisation Intel Corporation 
Sector Private
Country United States
Start 02/2021 
End 02/2023
 
Description Collaborated on the Made-5G+ proposal 
Organisation Loughborough University
Country United Kingdom 
Sector Academic/University 
PI Contribution Collaborated with Loughborough University and University of Surrey as well as several other industry partners on a proposal for the Made-5G Centre. Proposal includes a WP to make use of DsbDtech in the 5G context.
Collaborator Contribution Led and contributed to the proposal submission.
Impact No outputs yet as the proposal is still under review.
Start Year 2021
 
Description Collaborated on the Made-5G+ proposal 
Organisation Qinetiq
Country United Kingdom 
Sector Private 
PI Contribution Collaborated with Loughborough University and University of Surrey as well as several other industry partners on a proposal for the Made-5G Centre. Proposal includes a WP to make use of DsbDtech in the 5G context.
Collaborator Contribution Led and contributed to the proposal submission.
Impact No outputs yet as the proposal is still under review.
Start Year 2021
 
Description Collaborated on the Made-5G+ proposal 
Organisation Siemens AG
Department Siemens plc
Country United Kingdom 
Sector Private 
PI Contribution Collaborated with Loughborough University and University of Surrey as well as several other industry partners on a proposal for the Made-5G Centre. Proposal includes a WP to make use of DsbDtech in the 5G context.
Collaborator Contribution Led and contributed to the proposal submission.
Impact No outputs yet as the proposal is still under review.
Start Year 2021
 
Description Collaborated on the Made-5G+ proposal 
Organisation Toyota Motor Corporation
Country Japan 
Sector Private 
PI Contribution Collaborated with Loughborough University and University of Surrey as well as several other industry partners on a proposal for the Made-5G Centre. Proposal includes a WP to make use of DsbDtech in the 5G context.
Collaborator Contribution Led and contributed to the proposal submission.
Impact No outputs yet as the proposal is still under review.
Start Year 2021
 
Description Collaborated on the Made-5G+ proposal 
Organisation University of Surrey
Country United Kingdom 
Sector Academic/University 
PI Contribution Collaborated with Loughborough University and University of Surrey as well as several other industry partners on a proposal for the Made-5G Centre. Proposal includes a WP to make use of DsbDtech in the 5G context.
Collaborator Contribution Led and contributed to the proposal submission.
Impact No outputs yet as the proposal is still under review.
Start Year 2021
 
Title Morello baremetal examples 
Description This repository contains example code for bare metal development on the Morello Platform. More information regarding these examples can be found in the CAP-TEE Morello Getting Started Guide. https://github.com/cap-tee/cheri-docs/blob/main/morello-getting-started.md. 
Type Of Technology Webtool/Application 
Year Produced 2021 
Open Source License? Yes  
Impact So far, the software was used in internal research projects, leading to a joint paper with KU Leuven currently under submission 
URL https://github.com/cap-tee/morello-baremetal-examples
 
Description All hands DsbD workshop 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Jackson and Oswald participated in the DsbD all-hands event on 8 September and presented the project results so far.
Year(s) Of Engagement Activity 2021
 
Description Article published in The Register 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Media (as a channel to the public)
Results and Impact Article published in The Register titled: Intel's SGX cloud-server security defeated by $30 chip, electrical shenanigans
Year(s) Of Engagement Activity 2020
URL https://www.theregister.com/2020/11/14/intel_sgx_physical_security/
 
Description Delivered a Talk at HP Labs 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Co-I Ryan delivered a tutorial talk at HP Labs 22 October 2020, "Intro to Keystone (an enclave system for RISC-V)"
Year(s) Of Engagement Activity 2020
 
Description Delivered a Talk at Huawei Security Advisory Board 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Co-I Ryan delivered a Talk at Huawei Security Advisory Board 27 November 2020, "An overview of hardware security anchors for IoT and embedded applications"
Year(s) Of Engagement Activity 2020
 
Description Engagement with RazorSecure on CAP-TEE 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Industry/Business
Results and Impact Thomas engaged several times with RazorSecure on CAP-TEE in a digital safety context.
Year(s) Of Engagement Activity 2021
 
Description Help Net Security Article 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Media (as a channel to the public)
Results and Impact Article published on Help Net Security titled: 'Researchers break Intel SGX by creating $30 device to control CPU voltage'
Year(s) Of Engagement Activity 2020
URL https://www.helpnetsecurity.com/2020/11/16/break-intel-sgx/
 
Description Kick-off Project Workshop 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact We organised a virtual kick-off project workshop where we invited project partners from Thales, HP, Horiba Mira, Innovate UK, EPSRC and University of Cambridge CHERI project members. The workshop included internal talks on project such as Plundervolt as well as external speakers from the CHERI group followed by a two-group discussion session for those interested in different applications of the research.
Year(s) Of Engagement Activity 2020
 
Description Phoronix Article 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Media (as a channel to the public)
Results and Impact Article published online in Phoronix titled ' VoltPillager: Researchers Compromise Intel SGX With Hardware-Based Undervolting Attack'
Year(s) Of Engagement Activity 2021
URL https://www.phoronix.com/scan.php?page=news_item&px=VoltPillager-HW-Undervolt
 
Description Presentation to the Rail Safety and Standards Board 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact Thomas presented the goals of CAP-TEE to the Rail Safety and Standards Board and to Rock Rail.
Year(s) Of Engagement Activity 2021
 
Description UKRRIN CEDS technical cyber security presentation 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Thomas' UKRRIN CEDS technical cyber security presentation to UKRRIN CEDS universities included CAP-TEE as a project. Thomas' presentation at the UKRRIN CEDS Research Open Day included a section on CAP-TEE.
Year(s) Of Engagement Activity 2021
 
Description invited talk at STW'2021 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact Ryan had an invited talk at STW'2021 (Huawei Security and Technology Workshop, October 2021).
Year(s) Of Engagement Activity 2021
 
Description invited talk at the Shonan seminar 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Ryan gave an invited talk called "Hardware technologies for making privacy violations transparent and accountable" at the Shonan seminar (Japan) on the theme of "Biggest failures in privacy" on 28 Sept.
Year(s) Of Engagement Activity 2021
 
Description invited talk at workshop on the Security of Software / Hardware Interfaces (SILM 2021) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Garcia gave an invited talk on the hardware attack aspects of our work: "Plundering and Pillaging with Voltage: Software and Hardware-based Fault-injection Attacks against SGX", 3rd edition of workshop on the Security of Software / Hardware Interfaces (SILM 2021). Co-located with EuroS&P.
Year(s) Of Engagement Activity 2021
 
Description keynote talk at 14th International Conference on Security for Information Technology and Communications 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Ryan gave a keynote talk at 14th International Conference on Security for Information Technology and Communications
Year(s) Of Engagement Activity 2021
 
Description panel member to "Cyber Security, Fraud & Human Error" (part of a civil servants' conference on public sector cyber security) 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Ryan was invited as panel member to "Cyber Security, Fraud & Human Error" (part of a civil servants' conference on public sector cyber security, 300 delegates), December 2021.
Year(s) Of Engagement Activity 2021
 
Description showcase for National Cyber Strategy 2022 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact Oswald and other project members (virtually) attended the National Cyber Strategy 2022 on Wednesday 15 December. We had prepared a CAP-TEE showcase for the in-person event, but due to the Covid situation the event was made virtually at short notice.
Year(s) Of Engagement Activity 2021
 
Description talk at hardwear.io 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Future CAP-TEE / DsbDtech contributions to TEE security and work around hardware undervolting highlighted in Oswald's talks at hardwear.io
Year(s) Of Engagement Activity 2021
 
Description virtual seminar talk at Infineon 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact Oswald gave a virtual seminar talk at Infineon, relating to fault injection and the hardware attack aspects of the project.
Year(s) Of Engagement Activity 2021