Why is hypervisor/OS not trustable The TCB of hypervisor contains virtualization stack larger than 9 Million LOCs TCB Size of Xen System growing ■Xen2.0 10000 ■Xen30 Contro vn Tools ■Xen4.0 5000 Kernel VMM Xen's TcB o= VMM TCB Kernel
Why is hypervisor/OS not trustable • The TCB of hypervisor • contains virtualization stack • larger than 9 Million LOCs • growing … 0 5000 10000 VMM Dom0 Kernel Tools TCB KLOCs TCB Size of Xen System Xen 2.0 Xen 3.0 Xen 4.0 VMM Xen’s TCB Control VM Tools Kernel Guest VM
Outline Cloud environment Security problems in cloud How to protect applications against Hypervisor/OS in cloud Intel SGX, protecting applications against OS SCONE(OSDI'16), using Intel SGX How to protect user data against applications in cloud yoan(OSDI'16), using Nacl (s&P09)and Intel SGX How to verify network security in cloud TenantGuard(NDSS'17), verifying network isolation in cloud
Outline • Cloud environment & Security problems in cloud • How to protect applications against Hypervisor/OS in cloud • Intel SGX, protecting applications against OS • SCONE (OSDI’16), using Intel SGX • How to protect user data against applications in cloud • Ryoan (OSDI’16), using NaCl (S&P’09) and Intel SGX • How to verify network security in cloud • TenantGuard (NDSS’17), verifying network isolation in cloud
How to protect applications against Hypervisor/Os in cloud Dilemma: Hypervisor/os has privileges and absolute control over computing resources Solution: using hardware to fight against OS Intel Software Guard eXtensions, SGX
How to protect applications against Hypervisor/OS in cloud • Dilemma: Hypervisor/OS has privileges and absolute control over computing resources. • Solution: using hardware to fight against OS. • Intel Software Guard eXtensions, SGX
Intel SG×, key idea New processor mode: enclave untrusted trusted Execute App can create a HW enforced trusted Return environment enclave. not accessibl EENTER for OS prⅳ ileged access from App only trust Intel and SGX OS,ⅥMM,SMM forbidden Implementation
Intel SGX, key idea • New processor mode: enclave • App can create a HW enforced trusted environment, enclave, not accessible for OS • App only trust Intel and SGX implementation
Intel SGX, runtime example ① Application 1. App is built with trusted and untrusted parts Untrusted Part Trusted Part of App of App Call Gate 2. App create enclave, enclave is a memory ared protected by CPU, and OS is blind for it, privileged Process software cannot access it 2 Create Enclave 3. App call trusted part, and run in protected security environment CallTrusted0 Return (5 4. Data in enclave is plaintext, cannot be accessed from outside, and will be encrypted once move out enclave Privileged system Code 5. App finished task in enclave and return OS, VMM, BIOS, SMM App runs in common environment
Intel SGX, runtime example 1. App is built with trusted and untrusted parts 2. App create enclave, enclave is a memory area protected by CPU, and OS is blind for it, privileged software cannot access it. 3. App call trusted part, and run in protected security environment 4. Data in enclave is plaintext, cannot be accessed from outside, and will be encrypted once move out enclave 5. App finished task in enclave and return 6. App runs in common environment