Haven: Shielding applications from an untrusted cloud

Frank Wang
MIT Security Seminar
Feb 27, 2015

Andrew Baumann from Microsoft Research gave a talk at the security seminar this past week on his paper “Haven: Shielding applications from an untrusted cloud.” It won best paper at OSDI 2014. I thought this paper was very interesting and would definitely recommend reading his paper.

Before the widespread usage of the cloud, a server had an operating system and an application like the Microsoft SQL server with top secret data. The owner of the data just had to build a firewall and protect the server from outside threats. Now, many companies run the operating system and application on the cloud. However, we have another threat vector—the cloud. There might be an exploit in a cloud that the user does not control.

The goal of Haven is secure, private execution of unmodified applications (bugs and all) in an untrusted cloud on commodity hardware (Intel SGX).

The main question is whether we can trust the cloud. It has a huge trusted computing base: privileged software, management stack, staff, law enforcement, etc. Its security model is hierarchical: it can observe or modify any data, even if that data is encrypted on disk or on the network.

One current approach is to use hardware security modules. However, dedicated cryptography hardware is expensive, has a limited set of APIs, and protects just the most sensitive parts; it is not meant for general-purpose use. Another approach is to have a trusted hypervisor, which ensures basic security with strong isolation. Remote attestation with trusted hardware (TPM chip) is another option. The basic idea is to have a signed measurement (hash) of the privileged software. A remote user checks the hash, and an incorrect attestation indicates compromised software. The problem with using this in the cloud is that the provider applies updates and patches, so the expected hash keeps changing. Also, a user must trust the provider for the current hash value.

What we really want is shielded execution. We want to protect a specific program from the rest of the system. We do not want to modify the program, and we want to ensure the confidentiality and integrity of the program and its intermediate states. Although a host can deny service, it cannot alter behavior.

His work assumes a malicious cloud provider. All the provider’s software is malicious, and all the hardware is untrusted except the CPU. However, Haven does not prevent denial-of-service or side-channel attacks.

Before I continue, here is some background on Intel SGX. The main features are hardware isolation for an enclave, which protects sensitive data, and remote attestation.

[Figure: Intel SGX at the hardware level]

To protect against Iago attacks, they simply admit the whole operating system into the trusted computing base. Here is an overview of the Haven architecture.

[Figure: Overview of the Haven architecture]

There is mutual distrust between the host and guest. The virtual resource policy is in the guest (virtual address allocation, threads). The physical resource policy is in the host (physical pages, VCPUs).

The shield module contains a memory allocator, region manager, private file system, scheduler, exception handler, and sanity checks on untrusted inputs. Interestingly, there were some limitations with Intel SGX, but in collaboration with Intel, Microsoft was able to remove those limitations in SGX version 2.
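Sanity checks like these are what stop an Iago attack, where a malicious host returns a crafted result such as a memory region overlapping memory the guest already uses. One such check in C, added here as an example and not taken from Haven. The `shield` and `region` structures, `shield_accept_mapping`, the page size and the addresses are assumptions, and the interface is simplified so that the host reports the address of the region it provided.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PAGE_SIZE   4096u  /* assumed page size */
#define MAX_REGIONS 16

/* Hypothetical bookkeeping held in enclave memory, out of the host's reach. */
struct region { uintptr_t base; size_t len; };
struct shield {
    struct region enclave;            /* enclave's virtual address range */
    struct region used[MAX_REGIONS];  /* regions already handed to the guest */
    size_t nused;
};

/* Non-empty range whose end does not wrap past the top of the address space. */
static bool range_ok(uintptr_t base, size_t len) {
    return len != 0 && base <= UINTPTR_MAX - len;
}

/* Half-open interval overlap; callers pass only ranges that passed range_ok. */
static bool overlaps(struct region a, struct region b) {
    return a.base < b.base + b.len && b.base < a.base + a.len;
}

/* Validate the untrusted host's reply to a request for want_len bytes; got_base
 * and got_len are attacker-controlled. Records the region only if all pass. */
bool shield_accept_mapping(struct shield *s, size_t want_len,
                           uintptr_t got_base, size_t got_len) {
    struct region r = { got_base, got_len };
    if (got_len != want_len || !range_ok(got_base, got_len))
        return false;                       /* wrong size or wraparound */
    if (got_base % PAGE_SIZE || got_len % PAGE_SIZE)
        return false;                       /* not page-granular */
    if (got_base < s->enclave.base ||
        got_base + got_len > s->enclave.base + s->enclave.len)
        return false;                       /* not fully inside the enclave */
    for (size_t i = 0; i < s->nused; i++)
        if (overlaps(r, s->used[i])) return false;  /* would alias live memory */
    if (s->nused == MAX_REGIONS) return false;      /* fail closed when full */
    s->used[s->nused++] = r;
    return true;
}

int main(void) {  /* constructed layout: 1 MiB enclave at 0x10000000 */
    struct shield s = { .enclave = { 0x10000000u, 0x100000u } };
    return shield_accept_mapping(&s, PAGE_SIZE, 0x10000000u, PAGE_SIZE) ? 0 : 1;
}
```

Every rejection path fails closed: the region table is only updated after all checks pass, so a bad reply leaves the guest's view of memory unchanged.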

There are no accurate performance results because there is no implementation for SGX yet. However, they attempt to model the overhead of SGX. I refer you to the paper for more detailed evaluation numbers. In the worst case, if they assume 10k cycles for SGX instructions and 30% slower RAM, there is a 35% slowdown on Apache and 65% slowdown on the SQL Server vs. the VM. Although the penalty seems heavy, you do not have to trust the cloud.

I think this work is an important first step toward exploring the potential uses of SGX. It is known that trusting the CPU can lead to huge performance gains for certain security applications. The main question is where SGX can provide the most interesting security applications.
