We continue discussing the paper "Shielding applications from an untrusted cloud with Haven," written by Andrew Baumann, Marcus Peinado, and Galen Hunt. We discussed the SGX optimizations that the authors identified in their study and that could be attempted in newer releases. We continue to review the SGX hardware notes in the paper. We were reviewing shielded VMs. Now we look at shielding without information leakage. The intermediate state of Haven is saved in encrypted form on disk so that the host does not learn its contents. But SGX shares information with the host, such as exceptions and page faults. This becomes necessary for dynamic management of resources. Had they been static, the host would not need to observe guest state. Faulting addresses are important for the OS to use a suitable page replacement algorithm to manage physical memory. The OS multiplexes resources over varying demands from the application.
This can still work with shielded execution; only the role of the resource manager needs to change. Presently the resource manager couples the quantity of resources (such as the number of physical pages to allocate) with the selection of specific resources (namely the virtual-to-physical mapping). The authors say that if these were decoupled, it would give the host control only over resource quantities and allow the guest to choose which specific resources to release when the allocations change. For example, memory would be managed by allocating physical pages in the host, but the guest would control its virtual mappings and use self-paging to permit over-subscription. The host may ask a guest to release some pages or all of them. The hardware could also support cache partitioning, dividing the cache in a way similar to coloring or tagging pages. This does not constrain physical allocations, and the cache can be flushed and repartitioned. This therefore does not leak the guest state.
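To make the decoupling concrete, here is an added toy model (not code from the Haven paper or its authors) of a host that controls only page *quantities* while the guest controls *which* virtual pages stay resident and seals the rest to its own swap. The class names, the 32-byte page size and the SHA-256/HMAC sealing scheme are assumptions for the demo; the point is that the host's log records counts only, while faulting addresses stay inside the guest.

```python
from collections import OrderedDict
import hashlib, hmac, os

PAGE = 32  # toy page size: one SHA-256 digest of keystream (assumption for the demo)


class Host:
    """Untrusted host: manages page quantities; it never learns which addresses faulted."""

    def __init__(self, total_pages):
        self.free = total_pages
        self.quota = {}
        self.log = []  # everything an observer on the host side gets to see

    def attach(self, guest, pages):
        assert pages <= self.free
        self.free -= pages
        self.quota[guest] = pages
        guest.set_quota(pages)
        self.log.append(("grant", pages))

    def reclaim(self, guest, pages):
        """Shrink a guest's allocation; the guest decides which pages to give up."""
        pages = min(pages, self.quota[guest])
        assert guest.release(pages) == pages
        self.quota[guest] -= pages
        self.free += pages
        self.log.append(("reclaim", pages))


class ShieldedGuest:
    """Shielded guest: owns its virtual->physical mapping, eviction policy and sealing key."""

    def __init__(self, key):
        self.key = key
        self.quota = 0
        self.seq = 0                   # per-seal counter so keystream is never reused
        self.resident = OrderedDict()  # vaddr -> plaintext page, oldest first (LRU)
        self.swap = {}                 # vaddr -> sealed page, written to untrusted disk
        self.faults = []               # guest-private; in Haven this stays inside the enclave

    def set_quota(self, pages):
        self.quota = pages

    def _seal(self, vaddr, data):
        # Toy sealing: XOR with a keyed hash, then an HMAC tag (encrypt-then-MAC).
        self.seq += 1
        hdr = vaddr.to_bytes(8, "big") + self.seq.to_bytes(8, "big")
        ks = hashlib.sha256(self.key + hdr).digest()
        ct = bytes(a ^ b for a, b in zip(data, ks))
        tag = hmac.new(self.key, hdr + ct, "sha256").digest()
        return self.seq, ct, tag

    def _unseal(self, vaddr, sealed):
        seq, ct, tag = sealed
        hdr = vaddr.to_bytes(8, "big") + seq.to_bytes(8, "big")
        if not hmac.compare_digest(tag, hmac.new(self.key, hdr + ct, "sha256").digest()):
            raise ValueError("sealed page failed integrity check")
        ks = hashlib.sha256(self.key + hdr).digest()
        return bytes(a ^ b for a, b in zip(ct, ks))

    def _evict(self):
        vaddr, data = self.resident.popitem(last=False)  # LRU victim chosen by the guest
        self.swap[vaddr] = self._seal(vaddr, data)

    def _touch(self, vaddr):
        if vaddr in self.resident:
            self.resident.move_to_end(vaddr)
            return
        assert self.quota > 0, "guest needs at least one resident page"
        self.faults.append(vaddr)  # recorded here, never reported to the host
        data = self._unseal(vaddr, self.swap[vaddr]) if vaddr in self.swap else bytes(PAGE)
        while len(self.resident) >= self.quota:
            self._evict()
        self.resident[vaddr] = data

    def read(self, vaddr):
        self._touch(vaddr)
        return self.resident[vaddr]

    def write(self, vaddr, data):
        assert len(data) == PAGE
        self._touch(vaddr)
        self.resident[vaddr] = data

    def release(self, pages):
        """Self-paging: the host asked for `pages` back; we pick and seal the victims."""
        self.quota -= pages
        while len(self.resident) > self.quota:
            self._evict()
        return pages


def tamper_detected(guest, vaddr):
    """Flip one bit of a sealed page on 'disk' and check that the guest refuses it."""
    seq, ct, tag = guest.swap[vaddr]
    guest.swap[vaddr] = (seq, bytes([ct[0] ^ 1]) + ct[1:], tag)
    try:
        guest.read(vaddr)
        return False
    except ValueError:
        return True


def demo():
    host = Host(total_pages=8)
    guest = ShieldedGuest(key=os.urandom(32))
    host.attach(guest, 4)
    for v in range(6):                       # 6 pages of constructed data, only 4 fit
        guest.write(v, bytes([v]) * PAGE)
    host.reclaim(guest, 2)                   # host shrinks the guest to 2 pages
    ok = all(guest.read(v) == bytes([v]) * PAGE for v in range(6))
    return {"ok": ok, "host_log": host.log, "host_free": host.free,
            "guest_faults": guest.faults}
```

Running `demo()` shows the host log as `[("grant", 4), ("reclaim", 2)]` and nothing else, while the guest's private fault list holds every virtual address it touched; `tamper_detected` shows that a host which modifies a swapped-out page is caught by the guest's integrity check rather than silently trusted.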
There are other kinds of hardware that also support such security. Hardware security modules (HSMs) are one such. They are used to protect high-value secrets such as keys in the cloud. An HSM is a computing element that is tamperproof because it uses a physical barrier and a self-destruct mechanism to erase data when the barrier is compromised. AWS offers this module, and there are APIs for key manipulation, signing and encryption. As a result the cloud users' keys are protected, but other data must still be transiently decrypted in a general-purpose node in order to use it. This reduces the attack surface but does not eliminate it when compared to storing data in the clear. Since they involve dedicated hardware, HSMs are expensive.
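The boundary described above, as an added example that is neither the paper's code nor any real HSM or AWS API: a toy HSM that holds a key-encryption key and exposes only wrap/unwrap/sign, and a general-purpose node that does envelope encryption with it. The `ToyHsm` and `GeneralPurposeNode` names, the HMAC-based keystream construction and the `ram_seen` bookkeeping are assumptions for the demo; what it shows is that the KEK never leaves the HSM, yet the data key and the plaintext still pass through the node's memory.

```python
import hashlib, hmac, os


def _keystream(key, nonce, n):
    # Toy PRF-based keystream (assumption: demo only, not a production cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _aead_encrypt(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return nonce + ct + tag


def _aead_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class ToyHsm:
    """Holds key material; the only way to use a key is through these operations."""

    def __init__(self):
        self._keys = {}  # handle -> key bytes; there is deliberately no export method

    def create_key(self):
        handle = "kek-%d" % (len(self._keys) + 1)
        self._keys[handle] = os.urandom(32)
        return handle

    def wrap(self, handle, dek):
        return _aead_encrypt(self._keys[handle], dek)

    def unwrap(self, handle, wrapped):
        return _aead_decrypt(self._keys[handle], wrapped)

    def sign(self, handle, msg):
        return hmac.new(self._keys[handle], msg, "sha256").digest()


class GeneralPurposeNode:
    """The ordinary cloud VM: it does the bulk crypto itself, so secrets transit its RAM."""

    def __init__(self, hsm, kek_handle):
        self.hsm, self.kek = hsm, kek_handle
        self.ram_seen = set()  # what a memory dump of this node could capture

    def store(self, plaintext):
        dek = os.urandom(32)                       # per-object data key, made on the node
        self.ram_seen.update({"dek", "plaintext"})
        record = (self.hsm.wrap(self.kek, dek), _aead_encrypt(dek, plaintext))
        del dek                                    # transient: nothing keyed persists here
        return record

    def load(self, record):
        wrapped_dek, blob = record
        dek = self.hsm.unwrap(self.kek, wrapped_dek)  # only the HSM can perform this step
        self.ram_seen.update({"dek", "plaintext"})
        return _aead_decrypt(dek, blob)


def tamper_detected(node, record):
    """Flip one ciphertext bit and check that load() refuses the record."""
    wrapped_dek, blob = record
    bad = blob[:16] + bytes([blob[16] ^ 1]) + blob[17:]
    try:
        node.load((wrapped_dek, bad))
        return False
    except ValueError:
        return True


def demo():
    hsm = ToyHsm()
    node = GeneralPurposeNode(hsm, hsm.create_key())
    record = node.store(b"customer record: constructed sample data")
    back = node.load(record)
    return back, node.ram_seen, "kek" in node.ram_seen
```

`demo()` returns the recovered plaintext, the set `{"dek", "plaintext"}` of secrets that existed in node memory, and `False` for the KEK: the HSM shrinks what an attacker on the node can take to the data that is in use, which is exactly the residual surface the paragraph describes.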