TreVisor - Cryptography & Security Department
TreVisor - Cryptography & Security Department
TreVisor - Cryptography & Security Department
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>TreVisor</strong><br />
OS-Independent Software-Based Full Disk Encryption<br />
Secure Against Main Memory Attacks<br />
June 26 - 29 • ACNS 2012 • Singapore<br />
Tilo Müller, Benjamin Taubmann, and Felix C. Freiling<br />
<strong>Department</strong> of Computer Science<br />
Friedrich-Alexander University of Erlangen-Nuremberg
Contents<br />
I. Motivation: Memory Attacks on Full Disk Encryption<br />
II. Background & Design<br />
• TRESOR Runs Encryption Securely Outside RAM<br />
• <strong>TreVisor</strong>: The TRESOR Hypervisor<br />
• BitVisor: A Thin Hypervisor for Enforcing I/O Device <strong>Security</strong><br />
III. Implementation Details: The BitVisor Patch<br />
IV. Evaluation: Performance, Compatibility, <strong>Security</strong><br />
V. Conclusion<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
Part I<br />
Motivation<br />
I. Motivation: Memory Attacks on Full Disk Encryption<br />
II. Background & Design: TRESOR, <strong>TreVisor</strong>, BitVisor<br />
III. Implementation Details: The BitVisor Patch<br />
IV. Evaluation: Performance, Compatibility, <strong>Security</strong><br />
V. Conclusion
Disk Encryption<br />
● Full disk encryption (FDE) protects data against physical loss<br />
and theft of the hard drive.<br />
● It does generally not protect against remote attacks.<br />
Source: http://bvinews.com/bvi/wp-content/uploads//2011/07/laptop-theft-in-action.jpg<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
Disk Encryption<br />
But current (software-based) FDE solutions do not protect data<br />
effectively if an adversary gains physical access!<br />
Why?<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
Software Disk Encryption<br />
RAM<br />
(unencrypted) CPU<br />
en/decrypt<br />
HDD<br />
(encrypted)<br />
● Software-based disk encryption stores necessary keys in RAM<br />
● Including BitLocker, FileVault, dm-crypt, and TrueCrypt<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
Attacks on Main Memory<br />
Problem: main memory is no secure storage<br />
for cryptographic keys.<br />
1) DMA Attacks via Firewire, Thunderbolt, PCIe, etc.<br />
2) Cold Boot Attacks on Encryption Keys<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
DMA Attacks<br />
Direct Memory Access is exploitable:<br />
2004: Firewire<br />
0wned by an iPod from Maximilian Dornseif -- All Your Memory<br />
Are Belong To Us<br />
... PC Card / ExpressCard / PCIe / more Firewire ...<br />
2012: Thunderbolt<br />
Adventures with Daisy in Thunderbolt-DMA-land: Hacking Macs<br />
through the Thunderbolt interface<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
Cold Boot Attacks<br />
● Remanence effect of DRAM:<br />
● 2008: Lest We Remember: Cold Boot Attacks on Encryption Keys<br />
Source: https://citp.princeton.edu/research/memory/media/<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
Attacks on Main Memory<br />
Memory attacks require target systems to be<br />
running or in suspended mode<br />
● Lost and theft of suspended laptops at<br />
public places<br />
● Confiscation of running servers by law<br />
enforcement authorities<br />
Source: http://i.dailymail.co.uk<br />
Source: http://gottabemobile.wpengine.netdna-cdn.com<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
Attacks on Main Memory<br />
Basically all memory contents can be read out.<br />
We focus on the security of<br />
disk encryption keys<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
Disk Encryption Solutions<br />
Software FDE Hardware FDE TRESOR/<strong>TreVisor</strong><br />
RAM<br />
HDD<br />
CPU<br />
RAM<br />
HDD<br />
CPU<br />
RAM<br />
HDD<br />
CPU<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
Part II<br />
Background & Design<br />
I. Motivation: Memory Attacks on Full Disk Encryption<br />
II. Background & Design: TRESOR, <strong>TreVisor</strong>, BitVisor<br />
III. Implementation Details: The BitVisor Patch<br />
IV. Evaluation: Performance, Compatibility, <strong>Security</strong><br />
V. Conclusion
TRESOR<br />
TRESOR Runs Encryption Securely Outside RAM<br />
● Published at USENIX 2011<br />
● Keys are stored in CPU registers (dr0-dr3) rather than in RAM<br />
● All intermediate states / runtime variables are stored only in CPU<br />
registers as well<br />
● Challenges:<br />
● No use of stack and heap<br />
● Scheduling, hardware interrupts, and context switches<br />
● Userland access to debug registers (dr0-dr3)<br />
● Swapping and Suspend-to-Disk / RAM<br />
● ...<br />
● Linux kernel patch (originally for 2.6.36); dm-crypt support<br />
● AES-128, -192, and -256 accelerated by Intel's AES-NI<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
TRESOR Problems<br />
● TRESOR effectively defeats cold boot attacks, but<br />
is still vulnerable to:<br />
● write-able DMA attacks on running machines (code infiltration)<br />
● local privilege escalations (loadable kernel modules and /dev/kmem)<br />
● buggy drivers can lead to data corruption<br />
● full disk encryption (FDE) is tricky to set up<br />
● works for Linux only; no other OS supported<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
<strong>TreVisor</strong><br />
The TRESOR HyperVisor<br />
● <strong>TreVisor</strong> is a ``thin hypervisor`` that encrypts hard<br />
disks transparently for the guest OS.<br />
● one unmodified guest, including Linux and Windows.<br />
● Most devices are just passed through, except<br />
● hard disk: hook into file access in order to en-/decrypt data<br />
transparently with TRESOR technology.<br />
● DMA devices: filter memory transfers by means of the<br />
IOMMU ; access to hyperspace is disallowed.<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
TRESOR vs. <strong>TreVisor</strong><br />
App App<br />
TRESOR patched Linux<br />
HDD<br />
(a) TRESOR<br />
unused<br />
unused<br />
App<br />
App<br />
Other Hardware<br />
ring 3<br />
ring 1+2<br />
ring 0<br />
ring -1<br />
App App<br />
Any Operating System<br />
<strong>TreVisor</strong><br />
HDD<br />
(b) <strong>TreVisor</strong><br />
unused<br />
App<br />
Other Hardware<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling<br />
App
BitVisor<br />
A Secure and Lightweight Hypervisor<br />
● University of Tsukuba ; published at VEE '09<br />
● Thin hypervisor that implements various security<br />
features: FDE, VPN, VT-d/IOMMU, TCG, etc.<br />
● Parapass-through architecture<br />
� no drivers required for most devices<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
Tresor + BitVisor = <strong>TreVisor</strong><br />
We use BitVisor as a basis for <strong>TreVisor</strong><br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
Part III<br />
Implementation Details<br />
I. Motivation: Memory Attacks on Full Disk Encryption<br />
II. Background & Design: TRESOR, <strong>TreVisor</strong>, BitVisor<br />
III. Implementation Details: The BitVisor Patch<br />
IV. Evaluation: Performance, Compatibility, <strong>Security</strong><br />
V. Conclusion
Registers<br />
Debug registers: SSE Registers: General Purpose:<br />
dr0 (64-bit)<br />
dr1 (64-bit)<br />
dr2 (64-bit)<br />
dr3 (64-bit)<br />
xmm0 (128-bit)<br />
xmm1 (128-bit)<br />
...<br />
xmm15 (128-bit)<br />
● dr0 to dr3 are exclusively reserved as key storage ; hardware<br />
breakpoints cannot be set by userland applications anymore<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling<br />
rax (64-bit)<br />
rbx (64-bit)<br />
rcx (64-bit)<br />
rdx (64-bit)<br />
● xmm0 to xmm15 and GPRs are used only temporarily inside<br />
atomic sections
Key Storage Registers<br />
● Usually, debug registers (dr0 - dr7) can be accessed with<br />
ring 0 privileges from guest OS<br />
● Now we need exclusive access from ring -1 (VMM)<br />
● We must protect the debug registers from guest OS:<br />
● Throw VMEXIT exception when the guest tries to access<br />
debug registers (virtualization control: "MOV-DR exiting")<br />
● Exception handler: ignore instruction (increment IP), don't<br />
throw exception to guest, mirror guest debug regs in RAM<br />
� Changes privilege level of debug regs from ring 0 to -1<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
Key Management<br />
● Every CPU core should be able to do encryption<br />
� Key has to be present in every single core<br />
� Use Inter-Processor Interrupts (IPIs) to distribute the<br />
key<br />
(For key distribution, RAM is used briefly but cleared<br />
thoroughly afterwards)<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
Disk Encryption<br />
● BitVisor already knows about FDE<br />
● drivers for ATA and USB disks<br />
● routines for hooking disk accesses<br />
● So what is missing?<br />
● the "TRESOR" crypto module<br />
● e.g.: implement crypto_tresor_init(),<br />
crypto_tresor_encrypt(), and crypto_tresor_decrypt()<br />
● most of the routines implemented in assembly (AES-NI)<br />
● Important: TRESOR code must run atomically and zero-fill<br />
used registers (SSE + GPRs) before exiting<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
Availability<br />
http://www1.cs.fau.de/trevisor<br />
● In active development by Benjamin Taubmann<br />
● Latest patch from mid of June<br />
● 3.800 lines of code, mixture of C and assembly<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
Part IV<br />
Evaluation<br />
I. Motivation: Memory Attacks on Full Disk Encryption<br />
II. Background & Design: TRESOR, <strong>TreVisor</strong>, BitVisor<br />
III. Implementation Details: The BitVisor Patch<br />
IV. Evaluation: Performance, Compatibility, <strong>Security</strong><br />
V. Conclusion
<strong>TreVisor</strong> Performance<br />
Linux (write)<br />
Linux (read)<br />
Windows<br />
10 20 30 40 50 60 MB/s<br />
59.3 MB/s<br />
54.4 MB/s<br />
56.0 MB/s<br />
38.8 MB/s<br />
36.3 MB/s<br />
32.5 MB/s<br />
43.3 MB/s<br />
39.4 MB/s<br />
35.3 MB/s<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling<br />
AES-128<br />
AES-192<br />
AES-256
Linux Performance<br />
No<br />
VMM<br />
No<br />
Crypto<br />
AES-NI<br />
256<br />
StdAES<br />
256<br />
TRESOR<br />
256<br />
10 20 30 40 50 60 MB/s<br />
60.7 MB/s<br />
63.7 MB/s<br />
59.9 MB/s<br />
63.2 MB/s<br />
59.2 MB/s<br />
62.9 MB/s<br />
57.6 MB/s<br />
37.8 MB/s<br />
56.0 MB/s<br />
32.5 MB/s<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling<br />
write<br />
read
Compatibility: Hardware<br />
● CPU requirements:<br />
● x86-64<br />
● Multimedia Extensions (SSE / AVX / ...)<br />
● Virtualization (VT-x)<br />
● VT-d/IOMMU<br />
● Hardware Encryption (AES-NI)<br />
● Those are currently:<br />
● Intel Core-i5<br />
● Intel Core-i7<br />
● Many upcoming CPUs, also from AMD<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
Compatibility: Software<br />
● Operating systems: basically all x86 OSs. Most<br />
noteworthy:<br />
● LINUX<br />
● WINDOWS<br />
● Userland<br />
● Debuggers: Yes, but without hardware breakpoints.<br />
● Virtualization: Yes, but without hardware acceleration.<br />
● Everything else: w/o restrictions<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
<strong>Security</strong> Overview<br />
Threat Model Hard Disk Encryption<br />
Memory<br />
Attack<br />
cold boot<br />
DMA *<br />
System<br />
State<br />
off<br />
running<br />
suspend<br />
off<br />
running<br />
suspend<br />
OS independent<br />
BitLocker<br />
/ dmcrypt<br />
*) running on a CPU with VT-d/IOMMU support<br />
TRESOR BitVisor <strong>TreVisor</strong><br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
<strong>Security</strong> Analysis<br />
● We spent considerable effort to ensure that no key<br />
data enters RAM<br />
● Methods we used to dump RAM<br />
● cold boot attacks<br />
● BitVisor debugging shell<br />
● virtualization<br />
● DMA attacks (Firewire; IOMMU switched off)<br />
● We were not able to recover any keybits<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
Part V<br />
Conclusion<br />
I. Motivation: Memory Attacks on Full Disk Encryption<br />
II. Background & Design: TRESOR, <strong>TreVisor</strong>, BitVisor<br />
III. Implementation Details: The BitVisor Patch<br />
IV. Evaluation: Performance, Compatibility, <strong>Security</strong><br />
V. Conclusion
Conclusion<br />
We solved the main drawbacks of<br />
TRESOR<br />
● secure against local privilege escalations<br />
● secure against data corruption through buggy<br />
drivers<br />
● secure against write-able DMA attacks<br />
● easy to set up full disk encryption<br />
● Windows support (and many other OSs)<br />
June 26 - 29, 2012 · ACNS '12 Singapore · <strong>TreVisor</strong> · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling
The End<br />
Thank you for your attention!