Aritra Dhar, ETH Zurich
From 12.00 until 13.30
At CNB/F/110 (Lunch) + CAB/F/100.9 (Seminar), ETH Zurich
Universitätstrasse 6, 8092 Zurich
Intel SGX enables protected enclaves on untrusted computing platforms. An important part of SGX is its remote attestation mechanism that allows a remote verifier to check that an enclave was correctly constructed before provisioning secrets to it. However, SGX attestation is vulnerable to relay attacks where the attacker, such as malicious OS, redirects the attestation and therefore the provisioning of confidential data to a platform that he physically controls. Given this redirection, the attacker has unlimited time to mount side-channel, micro-architectural and physical attacks to compromise the enclave.
We propose ProximiTEE, a novel solution to prevent relay attacks. Our solution is based on a simple embedded device, and it is best suited to deployments where the deployment cost of such a device is minor compared to its security benefit. During attestation, the embedded device that is attached to the target platform verifies the proximity of the attested enclave using distance bounding, thus allowing secure attestation regardless of a compromised OS. The device also performs periodic proximity verification which enables secure enclave revocation by simply detaching the device. Our evaluation shows that proximity verification is secure and reliable for SGX, even using a slow prototype device and assuming very fast adversaries.
Additionally, we consider a stronger adversary that has a leaked, but not yet revoked, SGX attestation key and emulates an enclave on the target platform. To address such emulation attacks, we propose a solution where the target platform is securely initialized by booting it from the attached embedded device. Finally, we show how our hardened attestation mechanisms can be used to build a trusted path for SGX.