CAP-TEE: Capability Architectures for Trusted Execution
Lead Research Organisation:
University of Birmingham
Department Name: School of Computer Science
Abstract
Trusted Execution Environments (TEEs) shield computations on security-sensitive data (e.g. personal data, banking information, or encryption keys) inside a secure "enclave" from the rest of the system, including the untrusted operating system. A TEE protects its data and code even if an attacker has gained full root access to the untrusted parts of the system. Today, TEEs like ARM TrustZone and Intel SGX are therefore widely used in general-purpose devices, including most laptops and smartphones. But with increasingly widespread use, TEEs have proven vulnerable to a number of hardware- and software-based attacks, often leading to the complete compromise of the protected data.
In this project, we will use capability architectures (such as those developed by the CHERI project) to protect TEEs against such state-of-the-art attacks. We address a wide range of threats, from software vulnerabilities such as buffer overflows to sophisticated hardware attacks like fault injection. CAP-TEE will provide a strong, open-source basis for the next generation of more secure TEEs.
When developing such disruptive technologies, it is key to minimise the effort of porting existing codebases to the new system, so as to facilitate adoption in practice. In CAP-TEE, we therefore focus on techniques to ease the transition to our capability-enabled TEE. In industrial case studies for the automotive and rail sectors, we will demonstrate how complex code written in a memory-unsafe language like C or C++ can be moved to our platform with little change, gaining security without a full redesign.
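To make the abstract's point concrete, the following is an added illustration and not CAP-TEE or CHERI code: a plain C copy through a raw pointer trusts the caller's length and silently overwrites the field next to a fixed-size buffer, while a software model of a capability (a pointer that carries its base, length, permissions and a validity tag) refuses the same copy before any memory is touched. Real CHERI hardware performs this check on every load and store and traps; the model below folds "trap" and "clear the tag" into a single refused store. The record layout, the function names and the 12-byte input are all constructed for this example.

```c
/* Added example (not project code): raw-pointer overflow versus a
 * software model of a bounds-checked capability in the spirit of CHERI. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed enclave-internal record: a fixed-size name followed by a
 * privilege flag that an attacker would like to flip. */
struct record {
    char name[8];
    uint32_t is_admin;
};

/* What each demo reports back: bytes copied (-1 if refused) and the
 * value of the adjacent privilege field afterwards. */
struct outcome {
    long written;
    uint32_t is_admin;
};

/* Constructed attacker input: 8 bytes that fill 'name' plus 4 bytes that
 * land on 'is_admin' if the copy is not bounded. */
static const unsigned char attack_input[12] = {
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 0x01, 0x01, 0x01, 0x01
};

/* Classic unsafe copy: the pointer carries no bounds, so a caller-supplied
 * length larger than the buffer overwrites whatever follows it.
 * (Clamped to the enclosing object so the demo itself stays well-defined.) */
static void unsafe_set_name(struct record *r, const unsigned char *src, size_t len)
{
    unsigned char *obj = (unsigned char *)r;
    size_t room = sizeof(*r) - offsetof(struct record, name);
    if (len > room)
        len = room;
    memcpy(obj + offsetof(struct record, name), src, len);
}

enum { PERM_LOAD = 1u << 0, PERM_STORE = 1u << 1 };

/* Software model of a capability: address plus the bounds and permissions it
 * was derived with. 'tag' is the validity bit; a failed check clears it so the
 * capability cannot be used afterwards (hardware CHERI would trap instead). */
typedef struct {
    unsigned char *base;
    size_t length;
    unsigned perms;
    bool tag;
} cap_t;

/* Derive a capability that covers exactly the 'name' field, nothing else. */
static cap_t cap_for_name(struct record *r)
{
    cap_t c = { (unsigned char *)r->name, sizeof r->name, PERM_LOAD | PERM_STORE, true };
    return c;
}

/* Bounds- and permission-checked store: copies only if the whole write fits
 * inside the capability; otherwise refuses, clears the tag and writes nothing. */
static long cap_memcpy(cap_t *dst, const unsigned char *src, size_t len)
{
    if (!dst->tag || !(dst->perms & PERM_STORE) || len > dst->length) {
        dst->tag = false;
        return -1;
    }
    memcpy(dst->base, src, len);
    return (long)len;
}

/* Copy 'len' bytes of the attack input through a raw pointer. */
struct outcome demo_unsafe(size_t len)
{
    struct record r = { "", 0 };
    unsafe_set_name(&r, attack_input, len);
    struct outcome o = { (long)len, r.is_admin };
    return o;
}

/* Copy 'len' bytes of the attack input through a capability bounded to 'name'. */
struct outcome demo_checked(size_t len)
{
    struct record r = { "", 0 };
    cap_t name_cap = cap_for_name(&r);
    struct outcome o;
    o.written = cap_memcpy(&name_cap, attack_input, len);
    o.is_admin = r.is_admin;
    return o;
}

/* After one refused store the tag is gone, so even an in-bounds store fails. */
long demo_tag_cleared(void)
{
    struct record r = { "", 0 };
    cap_t name_cap = cap_for_name(&r);
    (void)cap_memcpy(&name_cap, attack_input, sizeof attack_input); /* refused */
    return cap_memcpy(&name_cap, attack_input, sizeof r.name);      /* still refused */
}

int main(void)
{
    struct outcome u = demo_unsafe(sizeof attack_input);
    struct outcome c = demo_checked(sizeof attack_input);
    printf("raw pointer : is_admin = 0x%08x after 12-byte copy\n", u.is_admin);
    printf("capability  : store %s, is_admin = 0x%08x\n",
           c.written < 0 ? "refused" : "allowed", c.is_admin);
    return 0;
}
```

The point of the comparison is where the check lives: the unsafe path can only be fixed by auditing every call site for a correct length, whereas the capability carries its bounds with it, so the copy routine itself cannot exceed the object it was handed. That is also why the abstract stresses porting: existing C code keeps its pointer-based shape and gains the check from the pointer representation rather than from a rewrite.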
Planned Impact
The research in this project will benefit:
a) Industry
Our four direct industry partners (Samsung, HP Labs, Horiba Mira, and Thales) will be deeply involved in steering the project to maximise the industrial applicability of the results. We envision that the CAP-TEE technologies will find their way into future, more secure smartphones, automotive control units, and industrial control systems. We will also engage with the wider business community through presentations and dedicated dissemination events to ensure widespread adoption of the project results. This draws on our industrial network, developed among others within the EPSRC- and NCSC-funded research institutes RITICS, RISE, and UKRRIN.
b) Government and society
Society as a whole will benefit from more secure devices used by most of us on a day-to-day basis. We will participate at public engagement events and engage with the media to create and improve public awareness of the benefits of "secure by default" systems as promoted by CAP-TEE. We will also work closely with the government, e.g. the NCSC, to help steer public policy around secure and trustworthy industrial control, rail, and automotive systems as well as trusted execution in general.
c) Research Community
Research papers based on the project results will be submitted to the highest-ranked venues in the field. This will advance the state of the art in trusted execution and in the development of secure embedded systems. We will extend our existing academic collaborations and seek new national and international ones. By following an open-source dissemination strategy, we aim to maximise the re-usability of the project results, enabling follow-up research and reproducibility by other scientists. For this, we will set up a dedicated project website and repository to make all research artifacts publicly available.
We will collaborate across disciplines with the Digital Security by Design Social Sciences Hub+ to explore, from a social sciences perspective, ways of creating incentives to build "secure by default" products and of informing public policy around stronger security for critical infrastructure.
d) Education
We will continue to train the next generation of cyber security experts through PhD studentships within CAP-TEE, our GCHQ/NCSC-recognised MSc in Cyber Security, and our undergraduate programme in Computer Science. The novel techniques developed in the project around capability architectures and TEEs will feed directly into our cyber security teaching activities.
Organisations
- University of Birmingham (Lead Research Organisation)
- LOUGHBOROUGH UNIVERSITY (Collaboration)
- Siemens AG (Collaboration)
- University of Surrey (Collaboration)
- Qinetiq (United Kingdom) (Collaboration)
- Toyota Motor Corporation (Collaboration)
- MIRA (United Kingdom) (Project Partner)
- Thales (United Kingdom) (Project Partner)
- HP Labs (Project Partner)
- Samsung (South Korea) (Project Partner)
Publications
McMahon Stone C
(2022)
The Closer You Look, The More You Learn
Chen Z.
(2021)
VoltPillager: Hardware-based fault injection attacks against Intel SGX Enclaves using the SVID voltage scaling interface
in Proceedings of the 30th USENIX Security Symposium
Cheng Z
(2023)
Watching your call: Breaking VoLTE Privacy in LTE/5G Networks
in Proceedings on Privacy Enhancing Technologies
Description | We cooperated with KU Leuven on a novel design to protect sensitive data in a trusted execution environment using capability architectures like ARM Morello. We found that server management processors can be used to break the security of the system and even damage the main processor. |
Exploitation Route | The design will eventually be made available as open source for other researchers and industry to build upon. |
Sectors | Digital/Communication/Information Technologies (including Software), Electronics, Security and Diplomacy |
Description | Contribution to report for the UN on Rail Cyber Security |
Geographic Reach | Asia |
Policy Influence Type | Contribution to new or improved professional practice |
Description | Teaching series with rail senior leaders |
Geographic Reach | National |
Policy Influence Type | Contribution to new or improved professional practice |
Description | SCAvenger - Attacking Machine Learning with Side Channel Attacks |
Amount | £54,000 (GBP) |
Organisation | Intel Corporation |
Sector | Private |
Country | United States |
Start | 02/2021 |
End | 02/2023 |
Description | Collaborated on the Made-5G+ proposal |
Organisation | Loughborough University |
Country | United Kingdom |
Sector | Academic/University |
PI Contribution | Collaborated with Loughborough University and University of Surrey as well as several other industry partners on a proposal for the Made-5G Centre. Proposal includes a WP to make use of DsbDtech in the 5G context. |
Collaborator Contribution | Led and contributed to the proposal submission. |
Impact | No outputs yet as the proposal is still under review. |
Start Year | 2021 |
Description | Collaborated on the Made-5G+ proposal |
Organisation | Qinetiq |
Country | United Kingdom |
Sector | Private |
PI Contribution | Collaborated with Loughborough University and University of Surrey as well as several other industry partners on a proposal for the Made-5G Centre. Proposal includes a WP to make use of DsbDtech in the 5G context. |
Collaborator Contribution | Led and contributed to the proposal submission. |
Impact | No outputs yet as the proposal is still under review. |
Start Year | 2021 |
Description | Collaborated on the Made-5G+ proposal |
Organisation | Siemens AG |
Department | Siemens plc |
Country | United Kingdom |
Sector | Private |
PI Contribution | Collaborated with Loughborough University and University of Surrey as well as several other industry partners on a proposal for the Made-5G Centre. Proposal includes a WP to make use of DsbDtech in the 5G context. |
Collaborator Contribution | Led and contributed to the proposal submission. |
Impact | No outputs yet as the proposal is still under review. |
Start Year | 2021 |
Description | Collaborated on the Made-5G+ proposal |
Organisation | Toyota Motor Corporation |
Country | Japan |
Sector | Private |
PI Contribution | Collaborated with Loughborough University and University of Surrey as well as several other industry partners on a proposal for the Made-5G Centre. Proposal includes a WP to make use of DsbDtech in the 5G context. |
Collaborator Contribution | Led and contributed to the proposal submission. |
Impact | No outputs yet as the proposal is still under review. |
Start Year | 2021 |
Description | Collaborated on the Made-5G+ proposal |
Organisation | University of Surrey |
Country | United Kingdom |
Sector | Academic/University |
PI Contribution | Collaborated with Loughborough University and University of Surrey as well as several other industry partners on a proposal for the Made-5G Centre. Proposal includes a WP to make use of DsbDtech in the 5G context. |
Collaborator Contribution | Led and contributed to the proposal submission. |
Impact | No outputs yet as the proposal is still under review. |
Start Year | 2021 |
Title | Morello baremetal examples |
Description | This repository contains example code for bare-metal development on the Morello platform. More information regarding these examples can be found in the CAP-TEE Morello Getting Started Guide: https://github.com/cap-tee/cheri-docs/blob/main/morello-getting-started.md |
Type Of Technology | Webtool/Application |
Year Produced | 2021 |
Open Source License? | Yes |
Impact | So far the software has been used in internal research projects, leading to a joint paper with KU Leuven that is currently under submission |
URL | https://github.com/cap-tee/morello-baremetal-examples |
Title | PoC for PMFault |
Description | This software checks and demonstrates the vulnerabilities reported in the paper "PMFault: Faulting and Bricking Server CPUs through Management Interfaces", to appear at TCHES 2023. |
Type Of Technology | Software |
Year Produced | 2023 |
Open Source License? | Yes |
Impact | Media coverage in the New Scientist |
URL | https://github.com/zt-chen/PMFault |
Description | All hands DsbD workshop |
Form Of Engagement Activity | Participation in an activity, workshop or similar |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Professional Practitioners |
Results and Impact | Jackson and Oswald participated in the DsbD all-hands event on 8 September and presented the project results so far. |
Year(s) Of Engagement Activity | 2021 |
Description | All hands DsbD workshop |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Industry/Business |
Results and Impact | Several members of the project team (Jackson, Henes, Bowden, Oswald) attended the DsbD all-hands event in Wolverhampton in October and presented a demo of the OP-TEE port as well as a poster. We also ran a workshop on TEEs and capabilities. |
Year(s) Of Engagement Activity | 2022 |
URL | https://www.dsbd.tech/events/ |
Description | Article published in The Register |
Form Of Engagement Activity | A magazine, newsletter or online publication |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Media (as a channel to the public) |
Results and Impact | Article published in The Register titled: Intel's SGX cloud-server security defeated by $30 chip, electrical shenanigans |
Year(s) Of Engagement Activity | 2020 |
URL | https://www.theregister.com/2020/11/14/intel_sgx_physical_security/ |
Description | CARDIS conference including CHERI/capability architecture tutorial |
Form Of Engagement Activity | Participation in an activity, workshop or similar |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | A half-day CHERI/capability architecture tutorial was successfully held at the CARDIS conference in November 2022 (approx. 60 participants), hosted by Oswald in Birmingham. This allowed the project team to introduce capabilities and CHERI/Morello to a broad academic and industrial audience, and served as the project's mid-term evaluation event. Industry attendees included employees of large semiconductor vendors and security companies. |
Year(s) Of Engagement Activity | 2022 |
URL | https://events.cs.bham.ac.uk/cardis2022/ |
Description | Delivered a Talk at HP Labs |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Professional Practitioners |
Results and Impact | Co-I Ryan delivered a tutorial talk at HP Labs 22 October 2020, "Intro to Keystone (an enclave system for RISC-V)" |
Year(s) Of Engagement Activity | 2020 |
Description | Delivered a Talk at Huawei Security Advisory Board |
Form Of Engagement Activity | A formal working group, expert panel or dialogue |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | Co-I Ryan delivered a Talk at Huawei Security Advisory Board 27 November 2020, "An overview of hardware security anchors for IoT and embedded applications" |
Year(s) Of Engagement Activity | 2020 |
Description | Engagement with RazorSecure on CAP-TEE |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | Local |
Primary Audience | Industry/Business |
Results and Impact | Thomas engaged several times with RazorSecure on CAP-TEE in a digital safety context. |
Year(s) Of Engagement Activity | 2021 |
Description | Help Net Security Article |
Form Of Engagement Activity | A magazine, newsletter or online publication |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Media (as a channel to the public) |
Results and Impact | Article published on Help Net Security titled: 'Researchers break Intel SGX by creating $30 device to control CPU voltage' |
Year(s) Of Engagement Activity | 2020 |
URL | https://www.helpnetsecurity.com/2020/11/16/break-intel-sgx/ |
Description | Kick-off Project Workshop |
Form Of Engagement Activity | Participation in an activity, workshop or similar |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Industry/Business |
Results and Impact | We organised a virtual kick-off project workshop to which we invited project partners from Thales, HP, Horiba Mira, Innovate UK, EPSRC and members of the University of Cambridge CHERI project. The workshop included internal talks on projects such as Plundervolt as well as external speakers from the CHERI group, followed by a discussion session in two groups for those interested in different applications of the research. |
Year(s) Of Engagement Activity | 2020 |
Description | Lecture to TÜV Rheinland on software security issues in the rail industry |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Industry/Business |
Results and Impact | Thomas gave a lecture to TÜV Rheinland on software security issues in the rail industry and spoke about CAP-TEE and capability architectures in April 2022. |
Year(s) Of Engagement Activity | 2022 |
Description | Media coverage in New Scientist |
Form Of Engagement Activity | A magazine, newsletter or online publication |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Public/other audiences |
Results and Impact | The New Scientist covered our recent work on CPU under/overvolting through the PMBus. |
Year(s) Of Engagement Activity | 2023 |
URL | https://www.newscientist.com/article/2354844-hackers-can-make-computers-destroy-their-own-chips-with... |
Description | Phoronix Article |
Form Of Engagement Activity | A magazine, newsletter or online publication |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Media (as a channel to the public) |
Results and Impact | Article published online in Phoronix titled ' VoltPillager: Researchers Compromise Intel SGX With Hardware-Based Undervolting Attack' |
Year(s) Of Engagement Activity | 2021 |
URL | https://www.phoronix.com/scan.php?page=news_item&px=VoltPillager-HW-Undervolt |
Description | Presentation to the Rail Safety and Standards Board |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Industry/Business |
Results and Impact | Thomas presented the goals of CAP-TEE to the Rail Safety and Standards Board and to Rock Rail. |
Year(s) Of Engagement Activity | 2021 |
Description | Talk at CheriTech22 workshop |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Professional Practitioners |
Results and Impact | Jackson gave a talk on "CHERI and Trusted Execution Environments" at the CheriTech22 workshop hosted by King's College in September 2022. |
Year(s) Of Engagement Activity | 2022 |
URL | https://soft-dev.org/events/cheritech22/ |
Description | UKRRIN CEDS technical cyber security presentation |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Professional Practitioners |
Results and Impact | Thomas included CAP-TEE in his UKRRIN CEDS technical cyber security presentation to the UKRRIN CEDS universities, and his presentation at the UKRRIN CEDS Research Open Day included a section on CAP-TEE. |
Year(s) Of Engagement Activity | 2021 |
Description | World Congress on Rail Research |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Industry/Business |
Results and Impact | Thomas attended the World Congress on Rail Research and presented CAP-TEE as part of a talk on 'the future'. |
Year(s) Of Engagement Activity | 2022 |
Description | invited talk at STW'2021 |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Industry/Business |
Results and Impact | Ryan had an invited talk at STW'2021 (Huawei Security and Technology Workshop, October 2021). |
Year(s) Of Engagement Activity | 2021 |
Description | invited talk at the Shonan seminar |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | Ryan gave an invited talk titled "Hardware technologies for making privacy violations transparent and accountable" at the Shonan seminar (Japan) on the theme of "Biggest failures in privacy" on 28 September. |
Year(s) Of Engagement Activity | 2021 |
Description | invited talk at workshop on the Security of Software / Hardware Interfaces (SILM 2021) |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | Garcia gave an invited talk on the hardware attack aspects of our work: "Plundering and Pillaging with Voltage: Software and Hardware-based Fault-injection Attacks against SGX", 3rd edition of workshop on the Security of Software / Hardware Interfaces (SILM 2021). Co-located with EuroS&P. |
Year(s) Of Engagement Activity | 2021 |
Description | keynote talk at 14th International Conference on Security for Information Technology and Communications |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | Ryan gave a keynote talk at the 14th International Conference on Security for Information Technology and Communications. |
Year(s) Of Engagement Activity | 2021 |
Description | panel member to "Cyber Security, Fraud & Human Error" (part of a civil servants' conference on public sector cyber security) |
Form Of Engagement Activity | A formal working group, expert panel or dialogue |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Policymakers/politicians |
Results and Impact | Ryan was invited as panel member to "Cyber Security, Fraud & Human Error" (part of a civil servants' conference on public sector cyber security, 300 delegates), December 2021. |
Year(s) Of Engagement Activity | 2021 |
Description | showcase for National Cyber Strategy 2022 |
Form Of Engagement Activity | Participation in an activity, workshop or similar |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Industry/Business |
Results and Impact | Oswald and other project members attended the National Cyber Strategy 2022 event (virtually) on Wednesday 15 December. We had prepared a CAP-TEE showcase for the in-person event, but due to the Covid situation the event was moved online at short notice. |
Year(s) Of Engagement Activity | 2021 |
Description | talk at hardwear.io |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | Oswald's talks at hardwear.io highlighted the project's work on hardware undervolting and the future CAP-TEE / DsbDtech contributions to TEE security. |
Year(s) Of Engagement Activity | 2021 |
Description | virtual seminar talk at Infineon |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Industry/Business |
Results and Impact | Oswald gave a virtual seminar talk at Infineon, relating to fault injection and the hardware attack aspects of the project. |
Year(s) Of Engagement Activity | 2021 |