Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

HPCCFA: Leveraging Hardware Performance Counters for Control Flow Attestation

Claudius Pott, Luca Wilke, Jan Wichelmann, Thomas Eisenbarth

Abstract

Trusted Execution Environments (TEEs) allow the secure execution of code on remote systems without the need to trust their operators. They use static attestation as a central mechanism for establishing trust, allowing remote parties to verify that their code is executed unmodified in an isolated environment. However, this form of attestation does not cover runtime attacks, where an attacker exploits vulnerabilities in the software inside the TEE. Control Flow Attestation (CFA), a form of runtime attestation, is designed to detect such attacks. In this work, we present a method to extend TEEs with CFA and discuss how it can prevent exploitation in the event of detected control flow violations. Furthermore, we introduce HPCCFA, a mechanism that uses HPCs for CFA purposes, enabling hardware-backed trace generation on commodity CPUs. We demonstrate the feasibility of HPCCFA on a proof-of-concept implementation for Keystone on RISC-V. Our evaluation investigates the interplay of the number of measurement points and runtime protection, and reveals a trade-off between detection reliability and performance overhead.

HPCCFA: Leveraging Hardware Performance Counters for Control Flow Attestation

Abstract

Trusted Execution Environments (TEEs) allow the secure execution of code on remote systems without the need to trust their operators. They use static attestation as a central mechanism for establishing trust, allowing remote parties to verify that their code is executed unmodified in an isolated environment. However, this form of attestation does not cover runtime attacks, where an attacker exploits vulnerabilities in the software inside the TEE. Control Flow Attestation (CFA), a form of runtime attestation, is designed to detect such attacks. In this work, we present a method to extend TEEs with CFA and discuss how it can prevent exploitation in the event of detected control flow violations. Furthermore, we introduce HPCCFA, a mechanism that uses HPCs for CFA purposes, enabling hardware-backed trace generation on commodity CPUs. We demonstrate the feasibility of HPCCFA on a proof-of-concept implementation for Keystone on RISC-V. Our evaluation investigates the interplay of the number of measurement points and runtime protection, and reveals a trade-off between detection reliability and performance overhead.

Paper Structure

This paper contains 43 sections, 3 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Our Contribution
  3. Background
  4. Runtime Attestation
  5. Trusted Execution Environments
  6. Keystone
  7. Hardware Performance Counters
  8. System Design
  9. Threat Model
  10. General Runtime Attestation Concept
  11. Trace Generation
  12. Verification Workflow
  13. Attestation Mechanism
  14. Call Stack
  15. Loops
  16. ...and 28 more sections

Figures (3)

  • Figure 1: Verification workflow for a tracee tracer tandem. When the tracee performs an ecall, the sm ensures that the shared memory region is only accessible after the control flow has been verified by the tracer.
  • Figure 2: Example section of a cfg with a simple path and transitively connected loops.
  • Figure 3: Overview of our tracer tracee architecture implementation in Keystone. We modified the enclave API (A) to add support for different roles and the transfer of control flow information to a tracer controlled buffer (B). The tracer and tracee enclaves communicate via ipc (C) and the shared memory of the tracee enclave with the host (D) is only unlocked after the control flow verification succeeded.