Einladung zum Statusvortrag im Promotionsver­fahren von Herrn Gabriel Fernandez

Abstract:

Cloud computing has become the standard model of ownership for Information Technology assets throughout the 2010s decade and into the 2020s due to the advantages that this model offers, namely: ease of management, standardization of security practices, and, above all, a large volume of computing, networking, and storage. However, the migration of institutions to this ownership model came with the disruption of traditional data custody assumptions -- access to user data was no longer available only to the service provider but now to the cloud provider too. Furthermore, increased security pressure was exerted over these providers as breaches that lead to privilege escalation could compromise hundreds of applications.

Prior to the cloud migration era, solutions to provide robust threat model resistance have been proposed in the literature. In particular, several works have attempted to create trusted computing stacks by measuring their components before executions. These solutions saw limited use due to exploits discovered. The introduction of commodity hardware security extensions, or Trusted Execution Environments (TEE), such as Intel SGX and AMD SED, contributed to changing that landscape with the surge of several frameworks that simplified the development process and the appearance of TEE cloud products. This novel trusted infrastructure stack, sometimes understood as a universal solution to execution in untrusted environments, still suffers from limitations to the breadth of its threat model.

In this thesis, we point out three key shortcomings that the SGX-era trusted execution model presents and that a malicious, powerful, and determined adversary can exploit to disrupt client application's invariants: Firstly, the difficulty in maintaining the freshness of persistent state. Despite the ability to leverage trusted cryptographic primitives, identifying the stale states while maintaining desirable capabilities in cloud environments, like durability and migration, has been revealed to be a challenge. Secondly, control over instantiation allows an adversary to perform Fork and Sybil attacks, which are ultimately equivalent to rollback attacks. Finally, TEE-based applications cannot ascertain time passage due to the lack of time measurement primitives. We strive to amend these often intertwined weaknesses, respectively, with VMCaaS, a cloud-native rollback resistance mechanism; LLD, an anti-fork attack platform for cloud environments; and Triad, a trusted, distributed clock protocol to provide absolute timestamps to client applications.

These works expand on existing literature and provide the tooling for building architectures that deny adversaries access to relatively simple exploits, relegating them to perform less productive, speculative attacks against TEE's primitives that rely on favorable conditions to succeed.