

### AEGIS: Architecture for Tamper-Evident and Tamper-Resistant Processing

G. Edward Suh, Dwaine Clarke, Blaise Gassend, Marten van Dijk, Srinivas Devadas

**Massachusetts Institute of Technology** 





- Applications on untrusted hosts with untrusted owners
  - Digital Rights Management (DRM), Software licensing
  - Distributed computation on the Internet
  - Mobile agents
- New challenges
  - Untrusted OS
  - Physical attacks



### Conventional Tamper-Proof Packages

- Processing system in a tamper-proof package (IBM 4758)
  - Expensive: many detecting sensors
  - Needs to be continuously powered: battery-backed RAM



Source: IBM website


### Single-Chip Secure Processors

- Only trust a single chip: tamper-resistant
  - Off-chip memory: verify the integrity and encrypt
  - Untrusted OS: identify a core part or protect against OS attacks
- Cheap, Flexible, High Performance






- XOM (eXecution Only Memory): David Lie et al
  - Stated goal: Protect integrity and privacy of code and data
  - Operating system is completely untrusted
  - Memory integrity checking does not prevent replay attacks
  - Privacy is expensive but not necessary for all applications
- Palladium/NGSCB: Microsoft
  - Stated goal: Protect from software attacks
  - Combination of hardware and software mechanisms
  - Adds "curtained" memory to avoid DMA attacks
  - Uses a security kernel (Nexus)
  - Memory integrity and privacy are assumed (only software attacks).



## AEGIS: High-Level Architecture






**Secure Execution Environments** 

- Tamper-Evident (TE) environment
  - Guarantees a valid execution and the identity of a program; no privacy
  - Any software or physical tampering to alter the program behavior should be detected
- Private Tamper-Resistant (PTR) environment
  - TE environment + privacy
  - Encrypt instructions and data
  - Assume programs do not leak information via memory access patterns
- Implementation
  - Either have a trusted part of the OS or completely untrust the OS
  - Secure context manager, encryption and integrity verification



### Secure Context Manager (SCM)

- A specialized module in the processor
- Assign a secure process ID (SPID) for each secure process
- Implements new instructions
  - `enter_aegis`
  - `set_aegis_mode`
  - `random`
  - `sign_msg`
- Maintains a secure table
  - Even the operating system cannot modify it





- `enter_aegis`: TE mode
  - Start protecting the integrity of a program
  - Compute and store the hash of the stub code: H(Prog)
    - → Tampering with a program results in a different hash
  - Stub code verifies the rest of the code and data



(Figure: Protected Table)

- `set_aegis_mode`
  - Start PTR mode on top of the TE mode



- Registers on interrupts
  - SCM saves the registers on an interrupt and restores them on resume
- On-chip caches
  - Need to protect against software attacks
  - Tag cache lines with the SPID and the virtual memory address
  - Allow accesses from the cache only if both the SPID and the virtual address match







- Encrypt at L2 cache block granularity
  - Use symmetric key algorithms in CBC mode
  - Randomize initialization vectors (IVs)





- Cannot simply MAC on writes and check the MAC on reads
  - → Replay attacks
- Hash trees for integrity verification
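The two bullets above, as an added toy model (not the AEGIS authors' code): a MAC-per-block scheme keyed on-chip, beside a binary hash tree whose only trusted value is the root held on-chip. The attacker in `replay_detected` is assumed to be able to snapshot and restore all off-chip state (data blocks and tree nodes) but nothing on-chip; block size, N=8 and the heap layout of the tree are constructed for the example.

```python
import copy, hashlib, hmac, os
# Added toy model, not the AEGIS authors' code: N off-chip blocks; only the MAC key or the hash-tree root is trusted on-chip.
N = 8
def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

class MacOnlyMemory:  # MAC each block on write, check the MAC on read
    def __init__(self):
        self.key, self.mem = os.urandom(32), {}  # key on-chip; (data, mac) pairs off-chip
    def write(self, addr, data):
        self.mem[addr] = (data, hmac.new(self.key, bytes([addr]) + data, "sha256").digest())
    def read(self, addr):
        data, tag = self.mem[addr]
        if not hmac.compare_digest(tag, hmac.new(self.key, bytes([addr]) + data, "sha256").digest()):
            raise ValueError("tamper detected")
        return data  # an old but genuine (data, mac) pair still passes: replay is invisible

class HashTreeMemory:  # binary hash tree over the blocks, heap layout (tree[1] is the root)
    def __init__(self):
        self.mem, self.tree = [b"\0" * 4] * N, [b""] * (2 * N)  # both live off-chip
        for i in range(N): self.tree[N + i] = h(self.mem[i])
        for i in range(N - 1, 0, -1): self.tree[i] = h(self.tree[2 * i], self.tree[2 * i + 1])
        self.root = self.tree[1]  # the only trusted on-chip value
    def read(self, addr):
        i, node = N + addr, h(self.mem[addr])
        while i > 1:  # recompute leaf-to-root using the untrusted off-chip siblings
            node = h(node, self.tree[i ^ 1]) if i % 2 == 0 else h(self.tree[i ^ 1], node)
            i //= 2
        if node != self.root:
            raise ValueError("tamper detected")
        return self.mem[addr]
    def write(self, addr, data):
        self.read(addr)  # siblings on the path must verify before they are reused
        self.mem[addr], i = data, N + addr
        self.tree[i] = h(data)
        while i > 1:
            i //= 2
            self.tree[i] = h(self.tree[2 * i], self.tree[2 * i + 1])
        self.root = self.tree[1]  # refresh the on-chip root

def replay_detected(cls):
    # Attacker records all off-chip state, lets a newer write happen, then restores it.
    m = cls()
    m.write(3, b"v1__")
    old = {k: copy.deepcopy(v) for k, v in vars(m).items() if k not in ("key", "root")}
    m.write(3, b"v2__")
    vars(m).update(old)  # roll the off-chip memory back; on-chip state is untouched
    try: m.read(3)
    except ValueError: return True
    return False  # stale block accepted as current
```

A real implementation updates only the leaf-to-root path on each write, as `write` does here, so the cost per access is logarithmic in the number of blocks; that cost is the off-chip integrity checking overhead quoted in the performance slides.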









### Message Authentication

- Processor → Other systems
  - The processor signs a message for a program
    - → `sign_msg M`: {H(Prog), M} signed with SK<sub>proc</sub>
  - Unique for each program because H(Prog) is always included
- Other systems → Processor
  - Embed the user's public key in a program
  - Incoming messages are signed with the user's private key
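The `enter_aegis` slide (stub hash H(Prog), stub verifies the rest) and the processor-to-other-systems direction above, as one added example that is not the AEGIS authors' code. The stub layout, the toy SCM table and `run_program` are constructed; an HMAC under a processor secret stands in for the signature with SK<sub>proc</sub>, which is an assumption made so the block runs with the standard library only.

```python
import hashlib, hmac, os

# Added example, not the AEGIS authors' code. The program is constructed: a stub that
# embeds the hashes of the rest of the code and data, as the enter_aegis slide
# describes, so H(Prog) = H(stub) transitively covers the whole program.
def H(data):
    return hashlib.sha256(data).digest()

def make_stub(code, data):
    """Stub = verifier prefix + expected hashes of the rest of the program."""
    return b"STUB-VERIFIER" + H(code) + H(data)

def stub_verifies(stub, code, data):
    """What the stub does after enter_aegis: check the rest of the code and data."""
    return stub[-64:-32] == H(code) and stub[-32:] == H(data)

class SecureContextManager:
    """Toy SCM: protected table {SPID: H(Prog)} plus a processor secret.
    Assumption: an HMAC under that secret stands in for the signature with the
    processor's private key SKproc, since no asymmetric primitive is used here."""
    def __init__(self):
        self._table, self._next_spid, self._skproc = {}, 1, os.urandom(32)

    def enter_aegis(self, stub):
        """Start TE mode for a new secure process and record H(Prog) = H(stub)."""
        spid, self._next_spid = self._next_spid, self._next_spid + 1
        self._table[spid] = H(stub)
        return spid

    def sign_msg(self, spid, msg):
        """{H(Prog), M}_SKproc: the program hash is always part of the signed message."""
        hprog = self._table[spid]
        return hprog, msg, hmac.new(self._skproc, hprog + msg, "sha256").digest()

    def verify_msg(self, expected_hprog, hprog, msg, tag):
        """Receiver's check: tag valid under the processor key AND H(Prog) is the program
        it expects, so output from a modified program is rejected even if the tag is valid."""
        good_tag = hmac.compare_digest(tag, hmac.new(self._skproc, hprog + msg, "sha256").digest())
        return good_tag and hprog == expected_hprog

def run_program(scm, stub, code, data, msg=b"result"):
    """Constructed lifecycle: enter_aegis, stub check, then a signed result (None if check fails)."""
    spid = scm.enter_aegis(stub)
    if not stub_verifies(stub, code, data):
        return None  # rest of the program was altered after the stub was built
    return scm.sign_msg(spid, msg)
```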





## Applications










- Execution certified by the secure processor
  - Dispatcher provides a program and data
  - Processor returns the results with the signature
- Requires the TE environment



### Digital Rights Management

- Protects digital content from illegal copying
  - Trusted software (player) on an untrusted host
  - Content provider only gives content to the trusted player
- Requires the PTR environment





## Performance



### Performance Implication: TE processing

- Major performance degradation is from off-chip integrity checking
  - Start-up and context switches are infrequent
  - No performance overhead for on-chip tagging






### Performance Implication: PTR processing

- Major performance degradation is from off-chip integrity checking and encryption





- Physical attacks are becoming more prevalent
  - DRM, software licensing, distributed computing, etc.
- Single-chip secure processors provide trusted execution environments with acceptable overhead
  - Tamper-Evident environment, Private Tamper-Resistant environment
  - Simulation results show 25-50% overhead for TE, 40-60% overhead for PTR processing
  - New mechanisms can reduce the overhead to 5-15% for TE, and 10-25% for PTR processing (CSG Memo 465)
- Significant development effort underway
  - FPGA/ASIC implementation of AEGIS processor





#### More Information at www.csg.lcs.mit.edu