Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Dorami: Privilege Separating Security Monitor on RISC-V TEEs

Mark Kuhne, Stavros Volos, Shweta Shinde

TL;DR

Dorami is presented - a privilege separation approach that isolates the SM from the firmware thus reducing the attack surface on TEEs and achieves its goals without large overheads.

Abstract

TEE implementations on RISC-V offer an enclave abstraction by introducing a trusted component called the security monitor (SM). The SM performs critical tasks such as isolating enclaves from each other as well as from the OS by using privileged ISA instructions that enforce the physical memory protection. However, the SM executes at the highest privilege layer on the platform (machine-mode) along side firmware that is not only large in size but also includes third-party vendor code specific to the platform. In this paper, we present Dorami - a privilege separation approach that isolates the SM from the firmware thus reducing the attack surface on TEEs. Dorami re-purposes existing ISA features to enforce its isolation and achieves its goals without large overheads.

Dorami: Privilege Separating Security Monitor on RISC-V TEEs

TL;DR

Dorami is presented - a privilege separation approach that isolates the SM from the firmware thus reducing the attack surface on TEEs and achieves its goals without large overheads.

Abstract

TEE implementations on RISC-V offer an enclave abstraction by introducing a trusted component called the security monitor (SM). The SM performs critical tasks such as isolating enclaves from each other as well as from the OS by using privileged ISA instructions that enforce the physical memory protection. However, the SM executes at the highest privilege layer on the platform (machine-mode) along side firmware that is not only large in size but also includes third-party vendor code specific to the platform. In this paper, we present Dorami - a privilege separation approach that isolates the SM from the firmware thus reducing the attack surface on TEEs. Dorami re-purposes existing ISA features to enforce its isolation and achieves its goals without large overheads.
Paper Structure (66 sections, 10 figures, 10 tables)

This paper contains 66 sections, 10 figures, 10 tables.

Table of Contents

  1. Introduction
  2. Results.
  3. Contributions.
  4. Motivation
  5. Firmware vs. Security Monitor
  6. Challenges in Privilege Separation
  7. Problem Statement
  8. Threat Model & Scope.
  9. Existing Approaches
  10. Rationale for using ePMP
  11. Background: Physical Memory Protection (PMP).
  12. Problem 1: Default access permissions of M-mode.
  13. Problem 2: M-mode PMP configurations are permanent.
  14. Enhanced PMP (ePMP).
  15. Dorami Compartments & Interfaces
  16. ...and 51 more sections

Figures (10)

  • Figure 1: Software stack on RISC-V systems.
  • Figure 2: The system memory is divided into 3 memory regions, one each for SM, host-OS, and enclave. With PMP-based isolation, host-OS and enclave cannot access each others region, but the SM always has access to both, regardless of the configuration in the pmpXcfg registers, where X is a placeholder for a specific entry. With ePMP-based isolation, the SM can also only access the memory in its own region.
  • Figure 3: Dorami access permissions when executing core. P=PMP compartment, F=Firmware compartment, OS=Host OS, E=Enclave; C=code region, D=data region; white=access allowed, grey=access denied. (a)-(c): Same memory view as in Dorami and legacy deployment: (a): Core operates in M-mode; (b): Core executes Host-OS in S/U-mode; (c): Core executes enclave in S/U-mode. (d)-(e): Memory views added by Dorami: (d): Core operates in M-mode and the PMP compartment executes; (e): Core operates in M-mode and the Firmware compartment executes.
  • Figure 4: Transition P to F. P updates trap vector to F's view and then reconfigures access permissions for code and data regions of P and F atomically using static configuration value.
  • Figure 5: Unsafe Transition from F to P. F reconfigures ePMP with static value to deny access to F's regions and grant access to P's regions. ROP can exploit this transition as a gadget by jumping between lines 3-4.
  • ...and 5 more figures