CAP-TEE: Capability Architectures for Trusted Execution

Lead Research Organisation: University of Birmingham
Department Name: School of Computer Science

Abstract

Trusted Execution Environments (TEEs) shield computations on security-sensitive data (e.g. personal data, banking information, or encryption keys) inside a secure "enclave" that is isolated from the rest of the untrusted operating system. A TEE protects its data and code even if an attacker has gained full root access to the untrusted parts of the system. TEEs such as ARM TrustZone and Intel SGX are therefore widely used today in general-purpose devices, including most laptops and smartphones. But with increasingly widespread use, TEEs have proven vulnerable to a number of hardware- and software-based attacks, often leading to the complete compromise of the protected data.

In this project, we will use capability architectures (such as the one developed by the CHERI project) to protect TEEs against such state-of-the-art attacks. We address a wide range of threats, from software vulnerabilities such as buffer overflows to sophisticated hardware attacks like fault injection. CAP-TEE will provide a strong, open-source basis for the next generation of more secure TEEs.

When developing such disruptive technologies, it is key to minimise the effort of porting existing codebases to the new system, so as to facilitate adoption in practice. In CAP-TEE, we therefore focus on techniques that ease the transition to our capability-enabled TEE. In industrial case studies for the automotive and rail sectors, we will demonstrate how complex code written in a memory-unsafe language like C(++) can be seamlessly moved to our platform to benefit from increased security without a full redesign.

Planned Impact

The research in this project will benefit:

a) Industry

Our four direct industry partners (Samsung, HP Labs, Horiba Mira, and Thales) will be deeply involved in steering the project to maximise the industrial applicability of the results. We envision that the CAP-TEE technologies will find their way into future, more secure smartphones, automotive control units, and industrial control systems. We will also engage with the wider business community through presentations and dedicated dissemination events to ensure widespread adoption of the project results. This makes use of our industrial network, developed among others within the EPSRC- and NCSC-funded research institutes RITICS, RISE, and UKRRIN.

b) Government and society

Society as a whole will benefit from more secure devices used by most of us on a day-to-day basis. We will participate in public engagement events and engage with the media to create and improve public awareness of the benefits of "secure by default" systems as promoted by CAP-TEE. We will also work closely with the government, e.g. the NCSC, to help steer public policy around secure and trustworthy industrial control, rail, and automotive systems, as well as trusted execution in general.

c) Research Community

Research papers based on the project results will be submitted to the highest-ranked venues in the field. This will advance the state of the art in trusted execution and the development of secure embedded systems. We will extend our existing academic collaborations and seek new national and international ones. By following an open-source dissemination strategy, we aim to maximise the re-usability of the project results to enable follow-up research and reproducibility by other scientists. For this, we will set up a dedicated project website and repository to make all research artifacts publicly available.

We will collaborate across disciplines with the Digital Security by Design Social Sciences Hub+ to explore, from a social sciences perspective, ways of creating incentives to build "secure by default" products and of informing public policy around stronger security for critical infrastructure.

d) Education

We will continue to train the next generation of cyber security experts through PhD studentships within CAP-TEE, our GCHQ/NCSC-recognised MSc in Cyber Security, and our UG programme in Computer Science. The novel techniques developed in the project around capability architectures and TEEs will directly feed into our cyber security teaching activities.

Publications

 
Description: Collaborated on the Made-5G+ proposal
Organisation: Loughborough University
Country: United Kingdom
Sector: Academic/University
PI Contribution: Collaborated with Loughborough University and University of Surrey as well as several other industry partners on a proposal for the Made-5G Centre. Proposal includes a WP to make use of DsbDtech in the 5G context.
Collaborator Contribution: Led and contributed to the proposal submission.
Impact: No outputs yet as the proposal is still under review.
Start Year: 2021

Description: Collaborated on the Made-5G+ proposal
Organisation: Qinetiq
Country: United Kingdom
Sector: Private
PI Contribution: Collaborated with Loughborough University and University of Surrey as well as several other industry partners on a proposal for the Made-5G Centre. Proposal includes a WP to make use of DsbDtech in the 5G context.
Collaborator Contribution: Led and contributed to the proposal submission.
Impact: No outputs yet as the proposal is still under review.
Start Year: 2021

Description: Collaborated on the Made-5G+ proposal
Organisation: Siemens AG
Department: Siemens plc
Country: United Kingdom
Sector: Private
PI Contribution: Collaborated with Loughborough University and University of Surrey as well as several other industry partners on a proposal for the Made-5G Centre. Proposal includes a WP to make use of DsbDtech in the 5G context.
Collaborator Contribution: Led and contributed to the proposal submission.
Impact: No outputs yet as the proposal is still under review.
Start Year: 2021

Description: Collaborated on the Made-5G+ proposal
Organisation: Toyota Motor Corporation
Country: Japan
Sector: Private
PI Contribution: Collaborated with Loughborough University and University of Surrey as well as several other industry partners on a proposal for the Made-5G Centre. Proposal includes a WP to make use of DsbDtech in the 5G context.
Collaborator Contribution: Led and contributed to the proposal submission.
Impact: No outputs yet as the proposal is still under review.
Start Year: 2021

Description: Collaborated on the Made-5G+ proposal
Organisation: University of Surrey
Country: United Kingdom
Sector: Academic/University
PI Contribution: Collaborated with Loughborough University and University of Surrey as well as several other industry partners on a proposal for the Made-5G Centre. Proposal includes a WP to make use of DsbDtech in the 5G context.
Collaborator Contribution: Led and contributed to the proposal submission.
Impact: No outputs yet as the proposal is still under review.
Start Year: 2021
 
Description: Article published in The Register
Form Of Engagement Activity: A magazine, newsletter or online publication
Part Of Official Scheme?: No
Geographic Reach: International
Primary Audience: Media (as a channel to the public)
Results and Impact: Article published in The Register titled "Intel's SGX cloud-server security defeated by $30 chip, electrical shenanigans"
Year(s) Of Engagement Activity: 2020
URL: https://www.theregister.com/2020/11/14/intel_sgx_physical_security/

Description: Delivered a talk at HP Labs
Form Of Engagement Activity: A talk or presentation
Part Of Official Scheme?: No
Geographic Reach: National
Primary Audience: Professional Practitioners
Results and Impact: Co-I Ryan delivered a tutorial talk at HP Labs on 22 October 2020, "Intro to Keystone (an enclave system for RISC-V)"
Year(s) Of Engagement Activity: 2020

Description: Delivered a talk at the Huawei Security Advisory Board
Form Of Engagement Activity: A formal working group, expert panel or dialogue
Part Of Official Scheme?: No
Geographic Reach: International
Primary Audience: Professional Practitioners
Results and Impact: Co-I Ryan delivered a talk at the Huawei Security Advisory Board on 27 November 2020, "An overview of hardware security anchors for IoT and embedded applications"
Year(s) Of Engagement Activity: 2020

Description: Help Net Security article
Form Of Engagement Activity: A magazine, newsletter or online publication
Part Of Official Scheme?: No
Geographic Reach: International
Primary Audience: Media (as a channel to the public)
Results and Impact: Article published on Help Net Security titled "Researchers break Intel SGX by creating $30 device to control CPU voltage"
Year(s) Of Engagement Activity: 2020
URL: https://www.helpnetsecurity.com/2020/11/16/break-intel-sgx/

Description: Kick-off project workshop
Form Of Engagement Activity: Participation in an activity, workshop or similar
Part Of Official Scheme?: No
Geographic Reach: International
Primary Audience: Industry/Business
Results and Impact: We organised a virtual kick-off project workshop to which we invited project partners from Thales, HP, Horiba Mira, Innovate UK, EPSRC and members of the University of Cambridge CHERI project. The workshop included internal talks on project work such as Plundervolt as well as external speakers from the CHERI group, followed by a two-group discussion session for those interested in different applications of the research.
Year(s) Of Engagement Activity: 2020

Description: Phoronix article
Form Of Engagement Activity: A magazine, newsletter or online publication
Part Of Official Scheme?: No
Geographic Reach: International
Primary Audience: Media (as a channel to the public)
Results and Impact: Article published online in Phoronix titled "VoltPillager: Researchers Compromise Intel SGX With Hardware-Based Undervolting Attack"
Year(s) Of Engagement Activity: 2021
URL: https://www.phoronix.com/scan.php?page=news_item&px=VoltPillager-HW-Undervolt