User-mode Secret Protection (SP) architecture


Paper and slides from: Ruby Lee, Peter Kwan, Patrick McGregor, Jeffrey Dwoskin and Zhenghong Wang, “Architecture for Protecting Critical Secrets in Microprocessors”, IEEE/ACM International Symposium on Computer Architecture (ISCA), June 2005.
Princeton Architecture Laboratory for Multimedia and Security (PALMS), Princeton University

One User, Many Documents/Keys, Multiple Devices

Attacks on Devices: reduced security perimeter, from the box to the chip
- Security vulnerabilities are of two kinds: software and physical (device theft)
- Software: access to the hard disk, access in supervisor mode, access in the OS interrupt handler
- Physical probing: off-chip cache, main memory, disk, network, video and other I/O
- Only the processor chip (registers and on-chip cache) stays inside the perimeter; secure I/O is the one path into it

Past Work
- Distributed software-based key management: involves multiple servers
- Secure coprocessors and crypto tokens (deployed): tamper-resistant crypto modules (IBM 4758) and smartcards
- Trusted Computing Group (TPM recently available); industry: Microsoft NGSCB, Intel LaGrande
- Recent secure processor proposals (research): XOM, AEGIS, VSCoP
Our approach: lower cost, high performance, no auxiliary hardware, no permanent secret, and minimal trusted software

Secret Protected (SP) Architecture
Security goal: keep the user's keys private to the user.
1. New trust model: most software and hardware are untrusted
2. Trusted software module (TSM): securely performs operations using the keys
3. Encrypted keychain: reduces the amount of secrets needing protection
4. Concealed execution mode (CEM): protects the execution environment of the TSM
5. New processor features: very small additions to the ISA; secure I/O for input of the user key

New Trust Model
- The trusted software module holds the user secrets and exposes a TSM API
- Unprivileged software, privileged software and the OS kernel all lie outside the region of trust
- The region of trust is disjoint with respect to CPU protection rings: trust does not follow privilege level

Hierarchical Keychain
- User Master Key = Hash(passphrase)
- K1, K2, K3, K4, K5, ... are each encrypted under the User Master Key
- 1,000's of keys are secured by protecting 1

HW Supporting the Key Chain
- Core, L1 instruction cache, L1 data cache, L2 unified cache
- Encryption/hashing engine between the L2 cache and external memory
- Secure I/O logic (LEDs, buttons, keyboard)
- New registers: CEM Status Flags (2 bits), User Master Key (128 bits), Device Master Key (128 bits), CEM Return Address (64 bits), CEM Interrupt Hash (128 bits)

Secret Protected (SP) Architecture (recap)
1. New trust model: orthogonal to protection rings
2. Hierarchical keychain: reduces the amount of secrets needing protection
3. Trusted software module (TSM): carries out operations using the keys
4. Concealed execution mode (CEM), i.e. isolation: protects TSM program integrity, protects TSM data in main memory and caches, protects registers on interrupts
5. New processor features: very little addition to achieve the goal

Protect TSM Program Integrity
- Each 64-byte cache line of TSM code holds 48 bytes of instructions and a 16-byte MAC
- MAC = Keyed_hash(Device Master Key, code address || instructions): a keyed hash (message authentication code) per cache line, bound to the line's address
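The per-line MAC above is easy to get subtly wrong (forgetting to bind the address lets an attacker reorder genuine lines). The following is an added example, not code from the paper or from PALMS: a software model of the line layout and of the check the instruction fetch would perform in CEM. HMAC-SHA256 truncated to 16 bytes stands in for the paper's unspecified keyed hash, zero bytes stand in for NOP padding, and the address encoding are all assumptions of this model.

```python
import hashlib
import hmac
import os

LINE = 64           # cache line size in bytes
CODE_PER_LINE = 48  # instruction bytes per line
MAC_LEN = 16        # MAC bytes per line (48 + 16 = 64)


def line_mac(dmk: bytes, addr: int, code: bytes) -> bytes:
    """Keyed hash over (code address || instruction bytes), truncated to 16 bytes.
    HMAC-SHA256 stands in for the paper's unspecified keyed hash (assumption)."""
    assert len(code) == CODE_PER_LINE
    msg = addr.to_bytes(8, "little") + code
    return hmac.new(dmk, msg, hashlib.sha256).digest()[:MAC_LEN]


def build_tsm_image(dmk: bytes, base_addr: int, code: bytes) -> bytes:
    """Lay TSM code out as 64-byte lines of 48 instruction bytes + 16-byte MAC.
    Each MAC is bound to its line's address, so genuine lines cannot be moved."""
    code += b"\x00" * ((-len(code)) % CODE_PER_LINE)  # zero padding (assumed NOPs)
    image = b""
    for i in range(0, len(code), CODE_PER_LINE):
        chunk = code[i:i + CODE_PER_LINE]
        addr = base_addr + (i // CODE_PER_LINE) * LINE
        image += chunk + line_mac(dmk, addr, chunk)
    return image


def fetch_line(dmk: bytes, image: bytes, base_addr: int, addr: int):
    """Model the instruction-fetch check in CEM: return the 48 instruction bytes
    if the line's MAC verifies for this address, else None (hardware would fault)."""
    off = addr - base_addr
    if off < 0 or off % LINE or off + LINE > len(image):
        return None
    code = image[off:off + CODE_PER_LINE]
    tag = image[off + CODE_PER_LINE:off + LINE]
    if not hmac.compare_digest(tag, line_mac(dmk, addr, code)):
        return None
    return code


def demo() -> dict:
    """Exercise the check against three tampering attempts (constructed inputs)."""
    dmk = os.urandom(16)              # Device Master Key (128 bits)
    base = 0x10000
    code = bytes(range(1, 100))       # 99 constructed "instruction" bytes -> 3 lines
    image = build_tsm_image(dmk, base, code)
    r = {"lines": len(image) // LINE}
    # An untouched line verifies and yields exactly the original bytes.
    r["valid"] = fetch_line(dmk, image, base, base + LINE) == code[48:96]
    # 1. Flip one instruction bit in line 1: MAC mismatch.
    t = bytearray(image)
    t[LINE + 5] ^= 0x80
    r["bit_flip"] = fetch_line(dmk, bytes(t), base, base + LINE) is None
    # 2. Swap lines 0 and 1: both MACs are genuine but bound to the wrong address.
    t = image[LINE:2 * LINE] + image[:LINE] + image[2 * LINE:]
    r["relocation"] = fetch_line(dmk, t, base, base + LINE) is None
    # 3. Another device (different DMK) cannot run this image unmodified.
    r["wrong_device"] = fetch_line(os.urandom(16), image, base, base) is None
    return r


if __name__ == "__main__":
    print(demo())
```

Case 2 is the one to note: without the address in the MAC input, splicing genuine lines of the TSM into a different order would pass the per-line check, which is why the slide keys the hash over the code address as well as the instruction bytes.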

Basic Approach for Protecting TSM Data
- Inside the security perimeter (processor chip, on-chip cache): data exists as plaintext; use tagging
- Outside the security perimeter (off-chip cache, DRAM): data exists as ciphertext; use encryption and hashing

Protection over the Entire Memory Hierarchy
- Cache line tagging separates secure from nonsecure lines, and data from code: secure instruction tags in the L1 instruction cache, secure data tags in the L1 data cache, and both kinds in the L2 unified cache
- Secure code and data (e.g. Secure Code 1, Secure Code 2, Secure Data 2) are decrypted and hash-checked on the way in from main memory and then held as tagged plaintext; ordinary lines (Code 3, Data 1, Data 3) are untagged
- The tag check on access decides (Y/N) whether a line may be used by the TSM

HW Supporting Memory Protection
- The same hardware as for the keychain: core, L1 instruction and data caches, L2 unified cache, registers, encryption/hashing engine between the L2 cache and external memory, secure I/O logic (LEDs, buttons, keyboard)
- New registers: CEM Status Flags (2 bits), User Master Key (128 bits), Device Master Key (128 bits), CEM Return Address (64 bits), CEM Interrupt Hash (128 bits)

Protecting Register Values During Interrupts
- On an interrupt, registers R0 ... R31 are treated as one plaintext message and encrypted "in situ" into one ciphertext message under the Device Master Key
- A hash of the register contents is stored on-chip in the CEM Interrupt Hash register (128 bits); the interrupted address is stored in the CEM Return Address register (64 bits)
- No change is required in the OS interrupt handler: it saves and restores the (now encrypted) registers as it always has
- A return to the CEM Return Address triggers the hash check and decryption of the registers
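Two slides above rely on the same engine: the hierarchical keychain (every key encrypted under the hashed passphrase) and the in-situ register encryption across an interrupt. The following added example, not code from the paper or from PALMS, models both with one encrypt-then-MAC engine built from HMAC-SHA256 (a PRF keystream plus a 128-bit keyed hash), standing in for the paper's unspecified cipher and hash. The per-interrupt nonce held on-chip, the key-derivation labels, the 32 x 64-bit register file and the passphrase are assumptions of this model; the paper derives the User Master Key as Hash(passphrase), which is kept here even though a slow KDF would be the practitioner's choice.

```python
import hashlib
import hmac
import os


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one 128-bit master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def xor_stream(master: bytes, nonce: bytes, data: bytes) -> bytes:
    """PRF keystream cipher: data XOR HMAC(enc_key, nonce || counter). Encrypts
    and decrypts; stands in for the engine's block cipher (assumption)."""
    k = _subkey(master, b"enc")
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(k, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def keyed_hash(master: bytes, data: bytes) -> bytes:
    """128-bit keyed hash, the engine's MAC primitive."""
    return hmac.new(_subkey(master, b"mac"), data, hashlib.sha256).digest()[:16]


# (a) Keychain: one hashed passphrase protects every key in the chain.
def user_master_key(passphrase: str) -> bytes:
    return hashlib.sha256(passphrase.encode()).digest()[:16]   # UMK = Hash(passphrase)


def wrap_keychain(umk: bytes, keys: dict) -> dict:
    """Encrypt-then-MAC each key under the UMK. The chain may live on untrusted
    disk: only the 128-bit UMK (i.e. the passphrase) still needs protecting."""
    chain = {}
    for name, k in keys.items():
        nonce = os.urandom(16)
        ct = xor_stream(umk, nonce, k)
        chain[name] = nonce + ct + keyed_hash(umk, nonce + ct)
    return chain


def unwrap_key(umk: bytes, blob: bytes):
    """Return the key, or None if the entry was modified or the UMK is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, keyed_hash(umk, nonce + ct)):
        return None
    return xor_stream(umk, nonce, ct)


# (b) Registers across an interrupt: encrypted in place under the Device Master
# Key, hash kept on-chip; the OS handler saves and restores ciphertext as usual.
class CEMCore:
    def __init__(self, device_master_key: bytes):
        self.dmk = device_master_key
        self.regs = [0] * 32   # R0..R31, 64 bits each
        self.cem_ret = None    # CEM Return Address (64 bits)
        self.cem_hash = None   # CEM Interrupt Hash (128 bits)
        self.cem_nonce = None  # per-interrupt nonce, not in the slide's list (assumption)

    def _pack(self) -> bytes:
        return b"".join(r.to_bytes(8, "little") for r in self.regs)

    def _unpack(self, b: bytes) -> None:
        self.regs = [int.from_bytes(b[i:i + 8], "little") for i in range(0, 256, 8)]

    def interrupt(self, pc: int) -> None:
        """Hardware action when an interrupt hits while the TSM runs in CEM."""
        self.cem_nonce = os.urandom(16)
        ct = xor_stream(self.dmk, self.cem_nonce, self._pack())
        self.cem_hash = keyed_hash(self.dmk, self.cem_nonce + ct)
        self.cem_ret = pc
        self._unpack(ct)       # the registers now hold ciphertext, "in situ"

    def resume(self, pc: int) -> bool:
        """Triggered when control returns to the CEM Return Address."""
        if pc != self.cem_ret:
            return False
        ct = self._pack()
        if not hmac.compare_digest(self.cem_hash, keyed_hash(self.dmk, self.cem_nonce + ct)):
            return False       # the saved registers were altered while the OS held them
        self._unpack(xor_stream(self.dmk, self.cem_nonce, ct))
        return True


def demo() -> dict:
    umk = user_master_key("constructed passphrase, not a real one")
    keys = {"K1": os.urandom(16), "K2": os.urandom(32)}   # constructed keychain
    chain = wrap_keychain(umk, keys)
    forged = bytearray(chain["K1"])
    forged[20] ^= 0x01                                     # flip one ciphertext bit
    r = {"k1": unwrap_key(umk, chain["K1"]) == keys["K1"],
         "k2": unwrap_key(umk, chain["K2"]) == keys["K2"],
         "forged_rejected": unwrap_key(umk, bytes(forged)) is None}
    plain = list(range(1, 33))
    core = CEMCore(os.urandom(16))
    core.regs = plain[:]
    core.interrupt(pc=0x4000)
    r["handler_sees_ciphertext"] = core.regs != plain
    core.regs[3] ^= 0x55                                   # a malicious handler edits R3
    r["tamper_rejected"] = core.resume(0x4000) is False
    core = CEMCore(os.urandom(16))
    core.regs = plain[:]
    core.interrupt(pc=0x4000)
    r["clean_resume"] = core.resume(0x4000) and core.regs == plain
    return r
```

Run `demo()` to see both halves: the interrupt handler only ever sees ciphertext, a modified register is refused at the return-address trigger rather than silently decrypted, and a flipped bit in a keychain entry is rejected by the MAC before any key material is released.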

Architectural Summary
- User Master Key: entered through secure I/O; protects the user's keys, which the trusted software module operates upon
- Device Master Key: set at device initialization; protects the execution environment on the device (code, memory, registers)

Small Additions to the Processor
- Core, L1 instruction cache, L1 data cache and L2 unified cache as before
- Encryption/hashing engine between the L2 cache and external memory
- Secure I/O logic (LEDs, buttons, keyboard)
- New registers: CEM Status Flags (2 bits), User Master Key (128 bits), Device Master Key (128 bits), CEM Return Address (64 bits), CEM Interrupt Hash (128 bits)

Contributions and Conclusions
- A minimalist SP architecture protects critical secrets (keys), which in turn protect other sensitive data
- Decouples users from devices: a more convenient and realistic usage model
- No permanent secret: defends against compromise of a factory key database
- Master keys are symmetric keys: faster, and less storage
- Security without compromising performance, cost or usability