Christof Fetzer

Robert Krahn, Donald Dragoti, Franz Gregor et al.

Trusted Execution Environments (TEEs), such as Intel Software Guard eXtensions (SGX), are considered as a promising approach to resolve security challenges in clouds. TEEs protect the confidentiality and integrity of application code and data even against privileged attackers with root and physical access by providing an isolated secure memory area, i.e., enclaves. The security guarantees are provided by the CPU, thus even if system software is compromised, the attacker can never access the enclave's content. While this approach ensures strong security guarantees for applications, it also introduces a considerable runtime overhead in part by the limited availability of protected memory (enclave page cache). Currently, only a limited number of performance measurement tools for TEE-based applications exist and none offer performance monitoring and analysis during runtime. This paper presents TEEMon, the first continuous performance monitoring and analysis tool for TEE-based applications. TEEMon provides not only fine-grained performance metrics during runtime, but also assists the analysis of identifying causes of performance bottlenecks, e.g., excessive system calls. Our approach smoothly integrates with existing open-source tools (e.g., Prometheus or Grafana) towards a holistic monitoring solution, particularly optimized for systems deployed through Docker containers or Kubernetes and offers several dedicated metrics and visualizations. Our evaluation shows that TEEMon's overhead ranges from 5% to 17%.

Do Le Quoc, Christof Fetzer

Federated Learning (FL) is an emerging machine learning paradigm that enables multiple clients to jointly train a model to take benefits from diverse datasets from the clients without sharing their local training datasets. FL helps reduce data privacy risks. Unfortunately, FL still exist several issues regarding privacy and security. First, it is possible to leak sensitive information from the shared training parameters. Second, malicious clients can collude with each other to steal data, models from regular clients or corrupt the global training model. To tackle these challenges, we propose SecFL - a confidential federated learning framework that leverages Trusted Execution Environments (TEEs). SecFL performs the global and local training inside TEE enclaves to ensure the confidentiality and integrity of the computations against powerful adversaries with privileged access. SecFL provides a transparent remote attestation mechanism, relying on the remote attestation provided by TEEs, to allow clients to attest the global training computation as well as the local training computation of each other. Thus, all malicious clients can be detected using the remote attestation mechanisms.

Saidgani Musaev, Christof Fetzer

Recent years have brought microarchitectural security intothe spotlight, proving that modern CPUs are vulnerable toseveral classes of microarchitectural attacks. These attacksbypass the basic isolation primitives provided by the CPUs:process isolation, memory permissions, access checks, andso on. Nevertheless, most of the research was focused on In-tel CPUs, with only a few exceptions. As a result, few vulner-abilities have been found in other CPUs, leading to specula-tions about their immunity to certain types of microarchi-tectural attacks. In this paper, we provide a black-box anal-ysis of one of these under-explored areas. Namely, we inves-tigate the flaw of AMD CPUs which may lead to a transientexecution hijacking attack. Contrary to nominal immunity,we discover that AMD Zen family CPUs exhibit transient ex-ecution patterns similar for Meltdown/MDS. Our analysisof exploitation possibilities shows that AMDs design deci-sions indeed limit the exploitability scope comparing to In-tel CPUs, yet it may be possible to use them to amplify othermicroarchitectural attacks.

Oleksii Oleksenko, Christof Fetzer, Boris Köpf et al.

Speculative vulnerabilities such as Spectre and Meltdown expose speculative execution state that can be exploited to leak information across security domains via side-channels. Such vulnerabilities often stay undetected for a long time as we lack the tools for systematic testing of CPUs to find them. In this paper, we propose an approach to automatically detect microarchitectural information leakage in commercial black-box CPUs. We build on speculation contracts, which we employ to specify the permitted side effects of program execution on the CPU's microarchitectural state. We propose a Model-based Relational Testing (MRT) technique to empirically assess the CPU compliance with these specifications. We implement MRT in a testing framework called Revizor, and showcase its effectiveness on real Intel x86 CPUs. Revizor automatically detects violations of a rich set of contracts, or indicates their absence. A highlight of our findings is that Revizor managed to automatically surface Spectre, MDS, and LVI, as well as several previously unknown variants.

Wojciech Ozga, Do Le Quoc, Christof Fetzer

Trust is of paramount concern for tenants to deploy their security-sensitive services in the cloud. The integrity of VMs in which these services are deployed needs to be ensured even in the presence of powerful adversaries with administrative access to the cloud. Traditional approaches for solving this challenge leverage trusted computing techniques, e.g., vTPM, or hardware CPU extensions, e.g., AMD SEV. But, they are vulnerable to powerful adversaries, or they provide only load time (not runtime) integrity measurements of VMs. We propose WELES, a protocol allowing tenants to establish and maintain trust in VM runtime integrity of software and its configuration. WELES is transparent to the VM configuration and setup. It performs an implicit attestation of VMs during a secure login and binds the VM integrity state with the secure connection. Our prototype's evaluation shows that WELES is practical and incurs low performance overhead.

Wojciech Ozga, Do Le Quoc, Christof Fetzer

Confidential multi-stakeholder machine learning (ML) allows multiple parties to perform collaborative data analytics while not revealing their intellectual property, such as ML source code, model, or datasets. State-of-the-art solutions based on homomorphic encryption incur a large performance overhead. Hardware-based solutions, such as trusted execution environments (TEEs), significantly improve the performance in inference computations but still suffer from low performance in training computations, e.g., deep neural networks model training, because of limited availability of protected memory and lack of GPU support. To address this problem, we designed and implemented Perun, a framework for confidential multi-stakeholder machine learning that allows users to make a trade-off between security and performance. Perun executes ML training on hardware accelerators (e.g., GPU) while providing security guarantees using trusted computing technologies, such as trusted platform module and integrity measurement architecture. Less compute-intensive workloads, such as inference, execute only inside TEE, thus at a lower trusted computing base. The evaluation shows that during the ML training on CIFAR-10 and real-world medical datasets, Perun achieved a 161x to 1560x speedup compared to a pure TEE-based approach.

Do Le Quoc, Franz Gregor, Sergei Arnautov et al.

Data-driven intelligent applications in modern online services have become ubiquitous. These applications are usually hosted in the untrusted cloud computing infrastructure. This poses significant security risks since these applications rely on applying machine learning algorithms on large datasets which may contain private and sensitive information. To tackle this challenge, we designed secureTF, a distributed secure machine learning framework based on Tensorflow for the untrusted cloud infrastructure. secureTF is a generic platform to support unmodified TensorFlow applications, while providing end-to-end security for the input data, ML model, and application code. secureTF is built from ground-up based on the security properties provided by Trusted Execution Environments (TEEs). However, it extends the trust of a volatile memory region (or secure enclave) provided by the single node TEE to secure a distributed infrastructure required for supporting unmodified stateful machine learning applications running in the cloud. The paper reports on our experiences about the system design choices and the system deployment in production use-cases. We conclude with the lessons learned based on the limitations of our commercially available platform, and discuss open research problems for the future work.

Bohdan Trach, Rasha Faqeh, Oleksii Oleksenko et al.

A lease is an important primitive for building distributed protocols, and it is ubiquitously employed in distributed systems. However, the scope of the classic lease abstraction is restricted to the trusted computing infrastructure. Unfortunately, this important primitive cannot be employed in the untrusted computing infrastructure because the trusted execution environments (TEEs) do not provide a trusted time source. In the untrusted environment, an adversary can easily manipulate the system clock to violate the correctness properties of lease-based systems. We tackle this problem by introducing trusted lease -- a lease that maintains its correctness properties even in the presence of a clock-manipulating attacker. To achieve these properties, we follow a "trust but verify" approach for an untrusted timer, and transform it into a trusted timing primitive by leveraging two hardware-assisted ISA extensions (Intel TSX and SGX) available in commodity CPUs. We provide a design and implementation of trusted lease in a system called T-Lease -- the first trusted lease system that achieves high security, performance, and precision. For the application developers, T-Lease exposes an easy-to-use generic APIs that facilitate its usage to build a wide range of distributed protocols.

Wojciech Ozga, Do Le Quoc, Christof Fetzer

Trusted computing defines how to securely measure, store, and verify the integrity of software controlling a computer. One of the major challenges that make them hard to be applied in practice is the issue with software updates. Specifically, an operating system update causes the integrity violation because it changes the well-known initial state trusted by remote verifiers, such as integrity monitoring systems. Consequently, the integrity monitoring of remote computers becomes unreliable due to the high amount of false positives. We address this problem by adding an extra level of indirection between the operating system and software repositories. We propose a trusted software repository (TSR), a secure proxy that overcomes the shortcomings of previous approaches by sanitizing software packages. Sanitization consists of modifying unsafe installation scripts and adding digital signatures in a way software packages can be installed in the operating system without violating its integrity. TSR leverages shielded execution, i.e., Intel SGX, to achieve confidentiality and integrity guarantees of the sanitization process. TSR is transparent to package managers, and requires no changes in the software packages building and distributing processes. Our evaluation shows that running TSR inside SGX is practical; since it induces only ~1.18X performance overhead during package sanitization compared to the native execution without SGX. TSR supports 99.76% of packages available in the main and community repositories of Alpine Linux while increasing the total repository size by 3.6%.

Franz Gregor, Wojciech Ozga, Sébastien Vaucher et al.

Trust is arguably the most important challenge for critical services both deployed as well as accessed remotely over the network. These systems are exposed to a wide diversity of threats, ranging from bugs to exploits, active attacks, rogue operators, or simply careless administrators. To protect such applications, one needs to guarantee that they are properly configured and securely provisioned with the "secrets" (e.g., encryption keys) necessary to preserve not only the confidentiality, integrity and freshness of their data but also their code. Furthermore, these secrets should not be kept under the control of a single stakeholder - which might be compromised and would represent a single point of failure - and they must be protected across software versions in the sense that attackers cannot get access to them via malicious updates. Traditional approaches for solving these challenges often use ad hoc techniques and ultimately rely on a hardware security module (HSM) as root of trust. We propose a more powerful and generic approach to trust management that instead relies on trusted execution environments (TEEs) and a set of stakeholders as root of trust. Our system, PALAEMON, can operate as a managed service deployed in an untrusted environment, i.e., one can delegate its operations to an untrusted cloud provider with the guarantee that data will remain confidential despite not trusting any individual human (even with root access) nor system software. PALAEMON addresses in a secure, efficient and cost-effective way five main challenges faced when developing trusted networked applications and services. Our evaluation on a range of benchmarks and real applications shows that PALAEMON performs efficiently and can protect secrets of services without any change to their source code.

Christof Fetzer

Microservices - combined with secure containers - facilitate new ways to build critical applications. These applications will benefit from many tools and services built for less critical software. The more stringent requirements of critical applications are addressed with the help of secure containers and compiler extensions. While this approach is sufficient for implementing fail-stop applications, there are still several open research questions regarding if and how fail-operational applications could be supported using this approach.

Oleksii Oleksenko, Bohdan Trach, Mark Silberstein et al.

SpecFuzz is the first tool that enables dynamic testing for speculative execution vulnerabilities (e.g., Spectre). The key is a novel concept of speculation exposure: The program is instrumented to simulate speculative execution in software by forcefully executing the code paths that could be triggered due to mispredictions, thereby making the speculative memory accesses visible to integrity checkers (e.g., AddressSanitizer). Combined with the conventional fuzzing techniques, speculation exposure enables more precise identification of potential vulnerabilities compared to state-of-the-art static analyzers. Our prototype for detecting Spectre V1 vulnerabilities successfully identifies all known variations of Spectre V1 and decreases the mitigation overheads across the evaluated applications, reducing the amount of instrumented branches by up to 77% given a sufficient test coverage.

Roland Kunkel, Do Le Quoc, Franz Gregor et al.

Machine learning has become a critical component of modern data-driven online services. Typically, the training phase of machine learning techniques requires to process large-scale datasets which may contain private and sensitive information of customers. This imposes significant security risks since modern online services rely on cloud computing to store and process the sensitive data. In the untrusted computing infrastructure, security is becoming a paramount concern since the customers need to trust the thirdparty cloud provider. Unfortunately, this trust has been violated multiple times in the past. To overcome the potential security risks in the cloud, we answer the following research question: how to enable secure executions of machine learning computations in the untrusted infrastructure? To achieve this goal, we propose a hardware-assisted approach based on Trusted Execution Environments (TEEs), specifically Intel SGX, to enable secure execution of the machine learning computations over the private and sensitive datasets. More specifically, we propose a generic and secure machine learning framework based on Tensorflow, which enables secure execution of existing applications on the commodity untrusted infrastructure. In particular, we have built our system called TensorSCONE from ground-up by integrating TensorFlow with SCONE, a shielded execution framework based on Intel SGX. The main challenge of this work is to overcome the architectural limitations of Intel SGX in the context of building a secure TensorFlow system. Our evaluation shows that we achieve reasonable performance overheads while providing strong security properties with low TCB.

Oleh Bodunov, Florian Schmidt, André Martin et al.

In this paper, we present our approach for solving the DEBS Grand Challenge 2018. The challenge asks to provide a prediction for (i) a destination and the (ii) arrival time of ships in a streaming-fashion using Geo-spatial data in the maritime context. Novel aspects of our approach include the use of ensemble learning based on Random Forest, Gradient Boosting Decision Trees (GBDT), XGBoost Trees and Extremely Randomized Trees (ERT) in order to provide a prediction for a destination while for the arrival time, we propose the use of Feed-forward Neural Networks. In our evaluation, we were able to achieve an accuracy of 97% for the port destination classification problem and 90% (in mins) for the ETA prediction.

Oleksii Oleksenko, Bohdan Trach, Tobias Reiher et al.

A recent discovery of a new class of microarchitectural attacks called Spectre picked up the attention of the security community as these attacks can circumvent many traditional mechanisms of defense. One of the attacks---Bounds Check Bypass---can neither be efficiently solved on system nor architectural levels and requires changes in the application itself. So far, the proposed mitigations involved serialization, which reduces the usage of CPU resources and causes high overheads. In this report, we explore methods of delaying the vulnerable instructions without complete serialization. We discuss several ways of achieving it and compare them with Speculative Load Hardening, an existing solution based on a similar idea. The solutions of this type cause 60% overhead across Phoenix benchmark suite, which compares favorably to the full serialization causing 440% slowdown.

Florian Kelbert, Franz Gregor, Rafael Pires et al.

We present the SecureCloud EU Horizon 2020 project, whose goal is to enable new big data applications that use sensitive data in the cloud without compromising data security and privacy. For this, SecureCloud designs and develops a layered architecture that allows for (i) the secure creation and deployment of secure micro-services; (ii) the secure integration of individual micro-services to full-fledged big data applications; and (iii) the secure execution of these applications within untrusted cloud environments. To provide security guarantees, SecureCloud leverages novel security mechanisms present in recent commodity CPUs, in particular, Intel's Software Guard Extensions (SGX). SecureCloud applies this architecture to big data applications in the context of smart grids. We describe the SecureCloud approach, initial results, and considered use cases.

Bohdan Trach, Alfred Krohmer, Sergei Arnautov et al.

Cloud computing offers the economies of scale for computational resources with the ease of management, elasticity, and fault tolerance. To take advantage of these benefits, many enterprises are contemplating to outsource the middlebox processing services in the cloud. However, middleboxes that process confidential and private data cannot be securely deployed in the untrusted environment of the cloud. To securely outsource middleboxes to the cloud, the state-of-the-art systems advocate network processing over the encrypted traffic. Unfortunately, these systems support only restrictive middlebox functionalities, and incur prohibitively high overheads due to the complex computations involved over the encrypted traffic. This motivated the design of Slick --- a secure middlebox framework for deploying high-performance Network Functions (NFs) on untrusted commodity servers. Slick exposes a generic interface based on Click to design and implement a wide-range of NFs using its out-of-the box elements and C++ extensions. Slick leverages SCONE (a shielded execution framework based on Intel SGX) and DPDK to securely process confidential data at line rate. More specifically, Slick provides hardware-assisted memory protection, and configuration and attestation service for seamless and verifiable deployment of middleboxes. We have also added several new features for commonly required functionalities: new specialized Click elements for secure packet processing, secure shared memory packet transfer for NFs chaining, secure state persistence, an efficient on-NIC timer for SGX enclaves, and memory safety against DPDK-specific Iago attacks. Furthermore, we have implemented several SGX-specific optimizations in Slick. Our evaluation shows that Slick achieves near-native throughput and latency.

Oleksii Oleksenko, Dmitrii Kuvaiskii, Pramod Bhatotia et al.

Memory-safety violations are a prevalent cause of both reliability and security vulnerabilities in systems software written in unsafe languages like C/C++. Unfortunately, all the existing software-based solutions to this problem exhibit high performance overheads preventing them from wide adoption in production runs. To address this issue, Intel recently released a new ISA extension - Memory Protection Extensions (Intel MPX), a hardware-assisted full-stack solution to protect against memory safety violations. In this work, we perform an exhaustive study of the Intel MPX architecture to understand its advantages and caveats. We base our study along three dimensions: (a) performance overheads, (b) security guarantees, and (c) usability issues. To put our results in perspective, we compare Intel MPX with three prominent software-based approaches: (1) trip-wire - AddressSanitizer, (2) object-based - SAFECode, and (3) pointer-based - SoftBound. Our main conclusion is that Intel MPX is a promising technique that is not yet practical for widespread adoption. Intel MPX's performance overheads are still high (roughly 50% on average), and the supporting infrastructure has bugs which may cause compilation or runtime errors. Moreover, we showcase the design limitations of Intel MPX: it cannot detect temporal errors, may have false positives and false negatives in multithreaded code, and its restrictions on memory layout require substantial code changes for some programs.

Do Le Quoc, Martin Beck, Pramod Bhatotia et al.

How to preserve users' privacy while supporting high-utility analytics for low-latency stream processing? To answer this question: we describe the design, implementation, and evaluation of PRIVAPPROX, a data analytics system for privacy-preserving stream processing. PRIVAPPROX provides three properties: (i) Privacy: zero-knowledge privacy guarantees for users, a privacy bound tighter than the state-of-the-art differential privacy; (ii) Utility: an interface for data analysts to systematically explore the trade-offs between the output accuracy (with error-estimation) and query execution budget; (iii) Latency: near real-time stream processing based on a scalable "synchronization-free" distributed architecture. The key idea behind our approach is to marry two existing techniques together: namely, sampling (used in the context of approximate computing) and randomized response (used in the context of privacy-preserving analytics). The resulting marriage is complementary - it achieves stronger privacy guarantees and also improves performance, a necessary ingredient for achieving low-latency stream analytics.