A framework for application partitioning using trusted execution environments
Authors

Ahmad Atamli-Reineh (corresponding author), Department of Computer Science, University of Oxford, Oxford, UK. E-mail: [email protected]
Andrew Paverd, Department of Computer Science, Aalto University, Espoo, Finland
Giuseppe Petracca, Department of Computer Science and Engineering, Pennsylvania State University, State College, PA, USA
Andrew Martin, Department of Computer Science, University of Oxford, Oxford, UK
Summary
The size and complexity of modern applications are the underlying causes of numerous security vulnerabilities. In order to mitigate the risks arising from such vulnerabilities, various techniques have been proposed to isolate the execution of sensitive code from the rest of the application and from other software on the platform (such as the operating system). New technologies, notably Intel's Software Guard Extensions (SGX), are becoming available to enhance the security of partitioned applications. SGX provides a trusted execution environment (TEE), called an enclave, that protects the integrity of the code and the confidentiality of the data inside it from other software, including the operating system (OS). However, even with these partitioning techniques, it is not immediately clear exactly how they can and should be used to partition applications. How should a particular application be partitioned? How many TEEs should be used? What granularity of partitioning should be applied? To some extent, this is dependent on the capabilities and performance of the partitioning technology in use. However, as partitioning becomes increasingly common, there is a need for systematisation in the design of partitioning schemes.
To address this need, we present a novel framework consisting of four overarching types of partitioning schemes through which applications can make use of TEEs. These schemes range from coarse-grained partitioning, in which the whole application is included in a single TEE, through to ultra-fine partitioning, in which each piece of security-sensitive code and data is protected in an individual TEE. Although partitioning schemes themselves are application specific, we establish application-independent relationships between the types we have defined. Because these relationships have an impact on both the security and performance of the partitioning scheme, we envisage that our framework can be used by software architects to guide the design of application partitioning schemes. To demonstrate the applicability of our framework, we have carried out case studies on two widely used software packages, the Apache Web server and the OpenSSL library. In each case study, we provide four high-level partitioning schemes—one for each of the types in our framework. We also systematically review the related work on hardware-enforced partitioning by categorising previous research efforts according to our framework. Copyright © 2017 John Wiley & Sons, Ltd.
10 December 2017
e4130