Integration of User Specific Hardware for SecureCore Cryptographic Services (original) (raw)

Secure Kernel Execution with Intel SGX

Anais Estendidos do X Simpósio Brasileiro de Engenharia de Sistemas Computacionais (SBESC Estendido 2020)

Intel SGX is not accessible from the most privileged execution level, known as ring zero, where the operating system kernel is placed. However, it is possible to split the execution responsibility between kernel and userspace by creating a dependency among these two levels that allow internal kernel data to be stored or processed within SGX private enclaves. In this paper we present SKEEN, an enhanced way to isolate internal operating system components and structures with Intel SGX technology, preventing information leak to different components of the same operating system. A proof-of-concept is provided to exemplify its usage.

Hardware Foundation for Secure Computing

2020

Software security solutions are often considered to be more adaptable than their hardware counterparts. However, software has to work within the limitations of the system hardware platform, of which the selection is often dictated by functionality rather than security. Performance issues of security solutions without proper hardware support are easy to understand. The real challenge, however, is in the dilemma of “what should be done?” vs. “what could be done?” Security software could become ineffective if its “liberal” assumptions, e.g., the availability of a substantial trusted computing base (TCB) on the hardware platform, are violated. To address this dilemma, we have been developing and prototyping a security-by-design hardware foundation platform that enhances mainstream microprocessors with proper hardware security primitives to support and enhance software security solutions. This paper describes our progress in the use of a customized security co-processor to provide security

Hardware-based Security for Virtual Trusted Platform Modules

Virtual Trusted Platform modules (TPMs) were proposed as a software-based alternative to the hardware-based TPMs to allow the use of their cryptographic functionalities in scenarios where multiple TPMs are required in a single platform, such as in virtualized environments. However, virtualizing TPMs, especially virutalizing the Platform Configuration Registers (PCRs), strikes against one of the core principles of Trusted Computing, namely the need for a hardware-based root of trust. In this paper we show how strength of hardware-based security can be gained in virtual PCRs by binding them to their corresponding hardware PCRs. We propose two approaches for such a binding. For this purpose, the first variant uses binary hash trees, whereas the other variant uses incremental hashing. In addition, we present an FPGA-based implementation of both variants and evaluate their performance.