ProximiTEE: Hardened SGX Attestation by Proximity Verification
Abstract
Intel SGX enables protected enclaves on untrusted computing platforms. An important part of SGX is its remote attestation mechanism that allows a remote verifier to check that the expected enclave was correctly initialized before provisioning secrets to it. However, SGX attestation is vulnerable to relay attacks where the attacker, using malicious software on the target platform, redirects the attestation and therefore the provisioning of confidential data to a platform that he physically controls. Although relay attacks have been known for a long time, their consequences have not been carefully examined. In this paper, we analyze relay attacks and show that redirection increases the adversary’s abilities to compromise the enclave in several ways, enabling for instance physical and digital side-channel attacks that would not be otherwise possible.
We propose ProximiTEE, a novel solution to prevent relay attacks. Our solution is based on a trusted embedded device that is attached to the target platform. Our device verifies the proximity of the attested enclave, thus allowing attestation to the intended enclave regardless of malicious software, such as a compromised OS, on the target platform. The device also performs periodic proximity verification which enables secure enclave revocation by detaching the device. Although proximity verification has been proposed as a defense against relay attacks before, this paper is the first to experimentally demonstrate that it can be secure and reliable for TEEs like SGX. Additionally, we consider a stronger adversary that has obtained leaked SGX attestation keys and emulates an enclave on the target platform. To address such emulation attacks, we propose a second solution where the target platform is securely initialized by booting it from the attached embedded device.
Research Area: Trusted Computing
BibTeX
@INPROCEEDINGS{dhar2020proximitee,
isbn = {978-1-4503-7107-0},
copyright = {In Copyright - Non-Commercial Use Permitted},
doi = {10.3929/ethz-b-000411757},
year = {2020-03},
booktitle = {CODASPY '20: Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy},
type = {Conference Paper},
author = {Dhar, Aritra and Puddu, Ivan and Kostiainen, Kari and Capkun, Srdjan},
language = {en},
address = {New York, NY},
publisher = {Association for Computing Machinery},
title = {ProximiTEE: Hardened SGX Attestation by Proximity Verification},
pages = {5--16},
note = {10th ACM Conference on Data and Application Security and Privacy (CODASPY '20); Conference Location: New Orleans, LA, USA; Conference Date: August 3-4, 2020; Due to the Coronavirus (COVID-19) the conference was conducted virtually.}
}
Research Collection: 20.500.11850/411757