Understanding the Capabilities of Privileged Attackers Against Trusted Execution Environments
Open access
Date: 2023
Type: Doctoral Thesis
ETH Bibliography: yes
Abstract
Our lives today rely on the secure operation of computers in a diverse set of sectors, from energy to medicine. However, today's computers execute software bloated with complexity. Their large codebases provide a rich and versatile system, but most of that functionality is not needed by any given application. This inflates the trusted computing base (TCB), that is, the software and hardware that must be trusted for the system to work correctly. A large TCB is undesirable, as it gives attackers more opportunities to find and exploit vulnerabilities. Most of this complexity comes from the system software, namely the operating system (OS) and the hypervisor. Despite this, the system software cannot generally be removed from the TCB, because it executes with the highest privileges and can therefore read and modify the state of everything running below it.
Thanks to additional hardware primitives, Trusted Execution Environments (TEEs) break this paradigm and allow even the system software to be removed from the TCB. Most CPU manufacturers and architectures support some form of TEE: they can be found on Intel and AMD CPUs, as well as on the ARM and RISC-V architectures. Their advent is promising, as they aim to let applications operate securely both when the (more privileged) system software is malicious and when a physical attacker can tamper with the system. Arguably, however, the guarantees that can be provided against such a strong and privileged attacker are not fully understood, and this often leads to TEE designs that make compromises which invalidate the very protections they aim to provide. For example, previous work shows that the OS can abuse the CPU's memory management interface (the page tables it still controls) to get notified whenever the TEE accesses attacker-specified memory regions, turning the sequence of page accesses into a side channel that breaks data confidentiality. Understanding the capabilities of privileged attackers thus leads to more accurate designs and a more secure computing environment for everyone.
In this thesis, we contribute to the effort of understanding the capabilities of privileged attackers in the context of TEEs in four main directions. First, we develop the Frontal attack, which shows that using the OS to interrupt the TEE at high frequency makes the CPU expose detailed, instruction-level execution timings that can be used as a side channel. This side channel is fine-grained enough to leak encryption keys from a TEE and thus break data confidentiality. Second, we show that current commercial TEEs struggle to provide code confidentiality against a privileged attacker. Notably, we observe that using interpreters or JIT compilers inside TEEs, a popular choice due to their convenience and flexibility, leaks significantly more confidential instructions than a baseline in which native instructions are executed instead.
The third and fourth contributions relate to attestation protocols, which are used to verify that a TEE is protecting a given application. In both of these contributions we emphasize the impact of previously neglected aspects of attestation protocols. In the third contribution, we show that relay attacks, once thought to be tolerable given the TEE's protections, in fact enhance the capabilities of a privileged attacker. Finally, in the fourth contribution, we show that current attestation protocols implicitly assume trust in the TEE manufacturer at runtime, despite manufacturers often claiming otherwise. While this implicit trust in the TEE manufacturer is often overlooked, our analysis shows that it is a concrete threat in practice and should therefore be accounted for in future attestation protocols.
Persistent link: https://doi.org/10.3929/ethz-b-000610177
Publication status: published
Contributors
Examiner: Capkun, Srdjan
Examiner: Kurmus, Anil
Examiner: McCune, Jonathan M.
Examiner: Shinde, Shweta
Publisher: ETH Zurich
Subject: Hardware Security; Trusted Execution Environments; Side channel attacks; System security
Organisational unit: 03755 - Capkun, Srdan / Capkun, Srdan