Attestation Mechanisms
for Trusted Execution Environments Demystified
Jämes Ménétrey¹, Christian Göttel¹, Anum Khurshid², Marcelo Pasin¹, Pascal Felber¹, Valerio Schiavoni¹, Shahid Raza²
¹ University of Neuchâtel, Switzerland
² RISE Research Institutes of Sweden
June 13-17, 2022
17th International Conference on Distributed Applications
and Interoperable Systems (DAIS ’22), Lucca, Italy 🇮🇹
Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
Context
[Figure: the software stack (Hardware, VMM, OS, Company) is trusted by the cloud providers, while your apps are trusted by you; developers and cloud providers each control part of the stack, and the attack surface of your apps is marked against it.]
• We process and store sensitive data in clouds or on IoT edge devices.
• Developers deploy trusted apps on systems they assume to be trustworthy.
• TEEs reduce the attack surface and help obtain remote attestation.
Remote attestation primer (ietf-rats)
[Figure: RATS roles and messages. ① The reference value provider provisions reference values to the verifier. ② The attester sends a quote to the verifier: evidence carrying claims, such as the code measurement H(code), which the verifier compares (= ?) against the reference values. ③ The verifier sends the verification result (the attestation result) to the relying party.]
• The attester issues evidence, which is examined by a verifier, which in turn reports to a relying party.
• Evidence is a set of claims (e.g., a code measurement).
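The roles and messages of this primer, as an added example that is not part of the original slides or of the paper: a Go simulation in which the verifier issues a single-use nonce, the attester answers with signed evidence carrying H(code), and the verifier appraises it (freshness, signature under the endorsed key, measurement against the provisioned reference values) before producing a result for the relying party. The Ed25519 device key, the `rats-evidence-v1` claim encoding, the software identity string and the code image are all constructed for the example; a real attester signs with a hardware-rooted key and the claim format is vendor-specific.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Evidence is what the attester hands to the verifier: its claims (the nonce
// echoed back and the code measurement H(code)) signed with the attester's
// device key, so the verifier can check both origin and freshness.
type Evidence struct {
	Nonce       []byte
	Measurement [32]byte // H(code)
	Signature   []byte
}

// claimsBytes serialises the signed claims in a fixed, domain-separated order.
func claimsBytes(nonce []byte, m [32]byte) []byte {
	return append(append([]byte("rats-evidence-v1|"), nonce...), m[:]...)
}

// Attester models the TEE side: it measures the code it runs and signs claims.
type Attester struct {
	priv ed25519.PrivateKey
	code []byte // the code image the TEE measured at initialisation (constructed)
}

// Attest answers a challenge with signed evidence (step ②, attester side).
func (a *Attester) Attest(nonce []byte) Evidence {
	m := sha256.Sum256(a.code)
	return Evidence{Nonce: nonce, Measurement: m,
		Signature: ed25519.Sign(a.priv, claimsBytes(nonce, m))}
}

// Verifier holds the endorsement (the attester's public key) and the reference
// values provisioned by the reference value provider (step ①).
type Verifier struct {
	attesterPub ed25519.PublicKey
	references  map[[32]byte]string // measurement -> software identity
	issued      map[string]bool     // nonces handed out and not yet consumed
}

// Challenge issues a fresh single-use nonce.
func (v *Verifier) Challenge() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	v.issued[hex.EncodeToString(n)] = true
	return n
}

// Appraise is step ② on the verifier side: nonce freshness first, then the
// signature, then the measurement against the reference values. The string is
// the attestation result forwarded to the relying party (step ③).
func (v *Verifier) Appraise(ev Evidence) (bool, string) {
	key := hex.EncodeToString(ev.Nonce)
	if !v.issued[key] {
		return false, "rejected: unknown or replayed nonce"
	}
	delete(v.issued, key) // a nonce is consumed whether or not the rest passes
	if !ed25519.Verify(v.attesterPub, claimsBytes(ev.Nonce, ev.Measurement), ev.Signature) {
		return false, "rejected: signature does not verify under the endorsed key"
	}
	id, ok := v.references[ev.Measurement]
	if !ok {
		return false, "rejected: measurement " + hex.EncodeToString(ev.Measurement[:8]) + "... has no reference value"
	}
	return true, "trusted: attester runs " + id
}

// NewScenario wires one attester and one verifier that endorses its key and
// holds a reference value for code under a constructed software identity.
func NewScenario(code []byte) (*Attester, *Verifier) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ref := sha256.Sum256(code)
	return &Attester{priv: priv, code: code}, &Verifier{
		attesterPub: pub,
		references:  map[[32]byte]string{ref: "sensor-app v1.0 (constructed)"},
		issued:      map[string]bool{},
	}
}

func main() {
	a, v := NewScenario([]byte("constructed enclave image"))
	ok, result := v.Appraise(a.Attest(v.Challenge()))
	fmt.Println(ok, result)
}
```

The order of checks in Appraise is deliberate: an unknown or replayed nonce is rejected before any signature work, and a nonce is consumed on first use so that the same evidence cannot be presented twice even if everything else in it is valid.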
Scope of this survey: available technologies
[Figure: the TEEs surveyed: Intel, AMD, Arm, RISC-V (including Sanctum and LIRA-V).]
Intel SGX remote attestation
[Figure: high-level architecture of Intel SGX: the enclave sits inside a process, on top of the operating system and the hardware.]
• The enclave is located within the process that spawns it.
• The application is split into two parts: secure and insecure.
Intel SGX remote attestation (EPID)
[Figure: high-level architecture (enclave, process, operating system, hardware) and the EPID attestation flow. ① The trusted service (verifier) sends a challenge to the enclave (attester). ② The enclave performs local attestation with the SGX quoting enclave, handing it a report (claims). ③ The quoting enclave returns a quote (evidence). ④ The evidence is sent to the Intel attestation service (verifier). ⑤ The Intel attestation service validates the evidence. ⑥ The trusted service provisions data to the enclave.]
Intel SGX remote attestation (DCAP)
[Figure: the same architecture and flow as for EPID, with one new step. NEW ⓪: the trusted service downloads the certificates for the Intel SGX CPUs from the Intel SGX Certification Service. ① The trusted service (verifier) sends a challenge to the enclave (attester). ② The enclave performs local attestation with the SGX quoting enclave, handing it a report (claims). ③ The quoting enclave returns a quote (evidence). ④ The evidence is sent to the verifier (labelled Intel attestation in the figure). ⑤ The verifier validates the evidence. ⑥ The trusted service provisions data to the enclave.]
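To make the difference between the two flows concrete, an added example that is not from the slides or from the paper: a Go model of DCAP-style offline verification. The verifier caches the certification service's root key once (step ⓪) and then checks the chain platform certificate, attestation key, quote, the challenge echoed in the report data, and the enclave measurement, without calling any online service; under EPID the same quote would instead be forwarded to Intel's attestation service for step ⑤. `PlatformCert`, `Quote`, the `pck|` and `quote|` encodings and the platform identifier are simplified stand-ins constructed for the example (real DCAP quotes carry X.509 PCK certificate chains and ECDSA signatures), and all keys are generated on the fly.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PlatformCert: hypothetical stand-in for the PCK-style certificate a DCAP
// verifier fetches once (step ⓪); binds an attestation key, signed by the root.
type PlatformCert struct {
	PlatformID string
	AttestKey  ed25519.PublicKey
	RootSig    []byte
}

func (c PlatformCert) tbs() []byte {
	return append([]byte("pck|"+c.PlatformID+"|"), c.AttestKey...)
}

// Quote: the evidence from the quoting enclave (step ③): the report (measurement
// + report data echoing the challenge) signed by the attestation key, carrying
// the certificate needed to verify it offline.
type Quote struct {
	Measurement [32]byte
	ReportData  []byte
	Sig         []byte
	Cert        PlatformCert
}

func (q Quote) signedBytes() []byte {
	return append(append([]byte("quote|"), q.Measurement[:]...), q.ReportData...)
}

// CertificationService simulates the root that issues platform certificates.
type CertificationService struct{ root ed25519.PrivateKey }

func (s *CertificationService) Issue(id string, pub ed25519.PublicKey) PlatformCert {
	c := PlatformCert{PlatformID: id, AttestKey: pub}
	c.RootSig = ed25519.Sign(s.root, c.tbs())
	return c
}

// QuotingEnclave signs enclave reports with the certified attestation key.
type QuotingEnclave struct {
	attestPriv ed25519.PrivateKey
	cert       PlatformCert
}

func (qe *QuotingEnclave) Quote(enclaveCode, reportData []byte) Quote {
	q := Quote{Measurement: sha256.Sum256(enclaveCode), ReportData: reportData, Cert: qe.cert}
	q.Sig = ed25519.Sign(qe.attestPriv, q.signedBytes())
	return q
}

// DCAPVerifier appraises quotes offline; its only root of trust is the
// certification service's public key cached at step ⓪.
type DCAPVerifier struct {
	cachedRoot ed25519.PublicKey
	references map[[32]byte]bool // trusted enclave measurements
}

func (v *DCAPVerifier) Verify(q Quote, challenge []byte) error {
	if !ed25519.Verify(v.cachedRoot, q.Cert.tbs(), q.Cert.RootSig) {
		return fmt.Errorf("platform certificate not signed by the cached root")
	}
	if !ed25519.Verify(q.Cert.AttestKey, q.signedBytes(), q.Sig) {
		return fmt.Errorf("quote signature does not verify under the certified key")
	}
	if !bytes.Equal(q.ReportData, challenge) {
		return fmt.Errorf("report data does not echo the challenge")
	}
	if !v.references[q.Measurement] {
		return fmt.Errorf("enclave measurement has no reference value")
	}
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewDCAPScenario: a certified platform and a verifier that cached the root
// key and trusts enclaveCode (constructed values throughout).
func NewDCAPScenario(enclaveCode []byte) (*QuotingEnclave, *DCAPVerifier) {
	rootPub, rootPriv := mustKey()
	svc := &CertificationService{root: rootPriv}
	attPub, attPriv := mustKey()
	qe := &QuotingEnclave{attestPriv: attPriv, cert: svc.Issue("platform-0001", attPub)}
	refs := map[[32]byte]bool{sha256.Sum256(enclaveCode): true}
	return qe, &DCAPVerifier{cachedRoot: rootPub, references: refs}
}

func main() {
	code, ch := []byte("constructed enclave image"), []byte("constructed-challenge-42")
	qe, v := NewDCAPScenario(code)
	fmt.Println("verdict (nil = accepted):", v.Verify(qe.Quote(code, ch), ch))
}
```

The chain check comes first: a quote whose certificate was issued by any root other than the cached one is rejected before its signature is even examined, which is what makes the cached certificates the verifier's whole root of trust in this model.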
Arm TrustZone-A
[Figure: high-level architecture of TrustZone-A: the normal world (process, OS) and the secure world (TA, trusted OS), with the secure monitor between them.]
• Available on processors of the Cortex-A series.
• Splits the device into two worlds.
Arm TrustZone-A
[Figure: high-level architecture (TA, process, OS, trusted OS, secure monitor) and the mutual attestation extension of [1]. System A and System B each run OP-TEE with a trusted measurer, several TAs and signing keys obtained through authenticated boot; an endorser is shown for system A. ① A sends a challenge to B; ② B returns evidence* B; ③ A returns evidence* A. *Evidence = system state + H(TA).]
• TrustZone does not provide a built-in remote attestation mechanism.
• We demonstrate an extension found in the literature [1].
[1] Establishing Mutually Trusted Channels for Remote Sensing Devices with Trusted Execution Environments, Shepherd C. et al., ARES ’17
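The two-system exchange of [1] sketched above, as an added example that is not from the slides or from Shepherd et al.: a Go simulation in which each system's trusted measurer signs evidence* (system state + H(TA)) bound to the peer's nonce, and each side appraises the other against endorsed keys and reference values before the channel is accepted. Assumptions of this example: a `ReplyNonce` carried in message ② so that A's evidence in ③ is fresh for B (the figure shows only A's challenge), Ed25519 keys generated on the fly in place of keys established at authenticated boot, and constructed TA bytes and state strings.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MutualEvidence is the slide's Evidence*: system state + H(TA), bound to the
// peer's nonce and signed by the measurer. ReplyNonce is this example's
// assumption (the figure shows one challenge) so that B also gets fresh evidence.
type MutualEvidence struct {
	System, State          string // State e.g. "secure-boot:ok,debug:off" (constructed)
	TAHash                 [32]byte
	Nonce, ReplyNonce, Sig []byte
}

func (e MutualEvidence) signed() []byte {
	b := []byte("evidence*|" + e.System + "|" + e.State + "|")
	b = append(b, e.TAHash[:]...)
	return append(append(b, e.Nonce...), e.ReplyNonce...)
}

// TrustedMeasurer runs in the secure world (OP-TEE) with the signing key from
// authenticated boot; it measures the TA and reports the system state.
type TrustedMeasurer struct {
	system, state string
	key           ed25519.PrivateKey
	ta            []byte
}

func nonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

func (m *TrustedMeasurer) Produce(peerNonce []byte) MutualEvidence {
	e := MutualEvidence{System: m.system, State: m.state, TAHash: sha256.Sum256(m.ta),
		Nonce: peerNonce, ReplyNonce: nonce()}
	e.Sig = ed25519.Sign(m.key, e.signed())
	return e
}

// Policy: endorsed measurer keys per system, plus the TA hashes and system
// states each side accepts (its reference values).
type Policy struct {
	Keys   map[string]ed25519.PublicKey
	TAs    map[[32]byte]bool
	States map[string]bool
}

func (p Policy) Check(e MutualEvidence, expectNonce []byte) error {
	if pub, ok := p.Keys[e.System]; !ok || !ed25519.Verify(pub, e.signed(), e.Sig) {
		return errors.New("unendorsed key or bad signature from " + e.System)
	}
	if string(e.Nonce) != string(expectNonce) {
		return errors.New("stale evidence from " + e.System)
	}
	if !p.TAs[e.TAHash] || !p.States[e.State] {
		return errors.New("TA or system state of " + e.System + " not in reference values")
	}
	return nil
}

// RunMutual plays the exchange: ① A challenges B, ② B returns evidence* B,
// ③ A returns evidence* A. It returns nil only if both sides accept each other.
func RunMutual(a, b *TrustedMeasurer, pol Policy) error {
	challenge := nonce()
	evB := b.Produce(challenge)
	if err := pol.Check(evB, challenge); err != nil {
		return fmt.Errorf("A rejects B: %w", err)
	}
	evA := a.Produce(evB.ReplyNonce)
	if err := pol.Check(evA, evB.ReplyNonce); err != nil {
		return fmt.Errorf("B rejects A: %w", err)
	}
	return nil
}

// NewSystem enrols a measurer and endorses its key in the shared policy maps.
func NewSystem(name, state string, ta []byte, pol Policy) *TrustedMeasurer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pol.Keys[name] = pub
	return &TrustedMeasurer{system: name, state: state, key: priv, ta: ta}
}

func NewPolicy(goodTA []byte) Policy {
	return Policy{Keys: map[string]ed25519.PublicKey{}, TAs: map[[32]byte]bool{sha256.Sum256(goodTA): true},
		States: map[string]bool{"secure-boot:ok,debug:off": true}}
}

func main() {
	ta := []byte("constructed sensor TA")
	pol := NewPolicy(ta)
	a, b := NewSystem("A", "secure-boot:ok,debug:off", ta, pol), NewSystem("B", "secure-boot:ok,debug:off", ta, pol)
	fmt.Println("mutual attestation (nil = both accepted):", RunMutual(a, b, pol))
}
```

Because the system state is part of the signed evidence, a peer whose TA hash matches but whose state is not acceptable (debug enabled, in the constructed example) is rejected exactly like one running a modified TA.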
Arm TrustZone-M
[Figure: high-level architecture of TrustZone-M: the normal world (process, OS) and the secure world (TA, firmware), on top of the hardware.]
• Designed for very small devices.
• Available on processors of the Cortex-M series.
AMD SEV-SNP
[Figure: high-level architecture of AMD SEV-SNP: a secure virtual machine (the TEE) holding processes and an OS, next to a regular VM, both on a hypervisor over the firmware/hardware.]
• Secure code execution using virtual machines.
AMD SEV-SNP
[Figure: high-level architecture and the attestation flow. ① The verifier sends a challenge to the SNP guest (attester). ② The guest issues an IOCTL request carrying the challenge (claims) to the AMD firmware. ③ The AMD firmware, on the AMD hardware, returns a report (evidence). ④ The guest sends the evidence to the verifier. ⑤ The verifier provisions data.]
RISC-V: general purpose TEEs
[Figure: Keystone: an enclave made of an eapp and its runtime, next to a process, over the OS, the secure monitor and the hardware (PMP). Sanctum: an enclave next to a process, over the operating system, the secure monitor and the hardware (PMP).]
• Sanctum is a TEE construction that mimics Intel SGX.
• Keystone is a composable framework for TEEs, with enclaves comprising a runtime and an enclave app.
• The TEE is enforced using a secure monitor and PMP.
• Measurements are made by the secure monitor, based on the application code during initialisation.
• Remote attestation: similar to Intel SGX.
RISC-V: IoT edge tailored TEEs (1)
[Figure: TIMBER-V: processes over the OS, with the tag root in the hardware.]
• TIMBER-V uses memory tagging to instantiate TEEs for small devices.
• Measurements are made by the tag root, based on the application code during initialisation.
• Remote attestation: the tag root signs the evidence using a MAC (symmetric crypto).
RISC-V: IoT edge tailored TEEs (2)
[Figure: LIRA-V: processes and their memory regions over the root of trust (ROM) and the hardware (PMP).]
• LIRA-V works with programs in supervisor and machine RISC-V modes and attests regions of memory.
• Measurements are made by the root of trust, at runtime.
• Remote attestation: mutual, similarly to the state of the art for Arm TrustZone.
Which TEE is the best fit for me?
It depends on the deployment scenarios.
TEEs characteristics
[Table: TEE characteristics, grouped as server-grade, general purpose and IoT TEEs; criteria include industrial TEEs, many domains, mutual attestation, encrypted DRAM and local attestation; LIRA-V and Sanctum appear among the compared TEEs.]
Find more criteria in the paper.
Future perspective
Perspectives for the future: Intel TDX
[Figure: high-level architecture of Intel TDX: regular virtual machines on a TDX-aware VMM, and secure trust domains (TDs) managed by the TDX module, all on the hardware.]
• Intel TDX deploys hardware-isolated virtual machines: Trust Domains (TD).
• TDX runs legacy applications on regular OSes, similarly to AMD SEV.
• The TDX module isolates the TD thanks to new CPU instructions.
• TDX reuses the SGX attestation to support remote attestation:
  • Initial measurement during the TD build process
  • Can be extended to measure additional data at run-time
Perspectives for the future: Arm CCA
[Figure: high-level architecture of Arm CCA: the normal world (process, OS, hypervisor), the realm world (realm VMs over the Realm Management Monitor, RMM), the secure world (TA, trusted OS, Secure Partition Manager, SPM), with the secure monitor underneath.]
• Arm CCA deploys hardware-isolated virtual machines: Realm VMs.
• RME is the hardware extension that introduces a new world: the Realm.
• Unlike TrustZone, the Realm has shielded memory (encryption + integrity).
• CCA provides attestation of the platform and of the initial state of the realm.
Thanks for your attention!
Takeaway
• Remote attestation ensures the genuineness of deployed applications in TEEs.
• There are many TEEs, but no “one size fits all” TEE; it depends on the usage.
• Industrial solutions have well-documented (and undiscovered?) flaws. Emerging solutions lack hindsight.
• New TEE designs tend to be VM-based (AMD SEV, Intel TDX, Arm CCA).
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 

Attestation Mechanisms for Trusted Execution Environments Demystified - Presentation slides

1. Attestation Mechanisms for Trusted Execution Environments Demystified
Jämes Ménétrey1, Christian Göttel1, Anum Khurshid2, Marcelo Pasin1, Pascal Felber1, Valerio Schiavoni1, Shahid Raza2
1 University of Neuchâtel, Switzerland; 2 RISE Research Institutes of Sweden
June 13-17, 2022, 17th International Conference on Distributed Applications and Interoperable Systems (DAIS ’22), Lucca, Italy 🇮🇹

Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22

2. Context
[Figure: the software stack (Hardware, VMM, OS, software stack, your apps) split between the part trusted by cloud providers and the part trusted by you; the attack surface of your apps spans the whole stack beneath them.]
• We process and store sensitive data in clouds or on IoT edge devices.
• Developers deploy trusted apps on systems they assume to be trustworthy.
• TEEs reduce the attack surface and help obtain remote attestation.

3. Remote attestation primer (ietf-rats)
[Figure: RATS roles. The Reference Value Provider ① provisions reference values to the Verifier; the Attester ② sends its quote (evidence, whose claims include the code measurement H(code)) to the Verifier, which compares the measurement with the reference values (= ?) and ③ sends the verification result (attestation result) to the Relying party.]
• The attester issues evidence, which is examined by a verifier that reports to a relying party.
• Evidence is a set of claims (e.g., a code measurement).

4. Scope of this survey: available technologies
TEEs from Intel, AMD, Arm and RISC-V (including Sanctum and LIRA-V).

5. Intel SGX remote attestation
[Figure: high-level architecture of Intel SGX: the enclave sits inside a process, on top of the operating system and hardware.]
• The enclave is located within the process that spawns it.
• The application is split into two parts: secure and unsecure.

6. Intel SGX remote attestation (EPID)
[Figure: Intel SGX remote attestation with EPID.]
① Challenge: the trusted service (verifier) challenges the enclave (attester).
② Local attestation: the enclave obtains a report (claims) from the SGX quoting enclave.
③ Quote (evidence): the quoting enclave turns the report into a quote.
④ Send evidence: the enclave sends the quote to the trusted service.
⑤ Validate evidence: the quote is validated by the Intel attestation service (verifier).
⑥ Provision data: the trusted service provisions data to the enclave.

7. Intel SGX remote attestation (DCAP)
[Figure: same flow as EPID, with one new step.]
NEW: ⓪ Download certificates for Intel SGX CPUs from the Intel SGX Certification Service.
① Challenge, ② Local attestation (report = claims), ③ Quote (evidence), ④ Send evidence, ⑤ Validate evidence, ⑥ Provision data.

8. Arm TrustZone-A
[Figure: high-level architecture of TrustZone-A: Normal world (Process on OS) and Secure world (TA on Trusted OS), both above the Secure monitor.]
• Available on processors of the Cortex-A series.
• Splits the device into two worlds.

9. Arm TrustZone-A
• TrustZone does not provide a built-in remote attestation mechanism.
• We demonstrate an extension found in the literature [1].
[Figure: two TrustZone-A systems, A and B, each running OP-TEE with a Trusted Measurer, TAs and signing keys established by authenticated boot, plus a TA Endorser. ① Challenge, ② Evidence* B, ③ Evidence* A. *Evidence = System state + H(TA).]
[1] Establishing Mutually Trusted Channels for Remote Sensing Devices with Trusted Execution Environments, Shepherd C. et al., ARES ’17

10. Arm TrustZone-M
[Figure: high-level architecture of TrustZone-M: Normal world (Process on OS) and Secure world (TA on Firmware), above the hardware.]
• Designed for very small devices.
• Available on processors of the Cortex-M series.

11. AMD SEV-SNP
[Figure: high-level architecture of AMD SEV-SNP: processes and OS inside a secure virtual machine (TEE), on a hypervisor, on firmware/hardware.]
• Secure code execution using virtual machines.

12. AMD SEV-SNP
[Figure: SEV-SNP remote attestation.]
① Challenge: the verifier challenges the SNP guest (attester).
② IOCTL request: the guest passes the challenge (claims) to the AMD firmware.
③ Report (evidence): the AMD firmware/hardware returns the signed report.
④ Send evidence: the guest sends the report to the verifier.
⑤ Provision data: the verifier provisions data to the guest.

13. RISC-V: general purpose TEEs
[Figure: Keystone: an enclave made of an Eapp and a Runtime, beside a process, on OS, Secure monitor and Hardware (PMP). Sanctum: an enclave inside a process, on Operating system, Secure monitor and Hardware (PMP).]
• Sanctum is a TEE construction that mimics Intel SGX.
• Keystone is a composable framework for TEEs, with enclaves comprising a runtime and an enclave app.
• The TEE is enforced using a secure monitor and PMP.
• Measurements are made by the secure monitor, based on the application code during initialisation.
• Remote attestation: similar to Intel SGX.

14. RISC-V: IoT edge tailored TEEs (1)
[Figure: TIMBER-V: processes and OS above the hardware, with Tag root.]
• TIMBER-V uses memory tagging to instantiate TEEs for small devices.
• Measurements are made by Tag root, based on the application code during initialisation.
• Remote attestation: Tag root signs the evidence using a MAC (symmetric crypto).

15. RISC-V: IoT edge tailored TEEs (2)
[Figure: LIRA-V: processes and memory above Hardware (PMP), with a Root of trust (ROM).]
• LIRA-V works with programs in supervisor and machine RISC-V modes and attests regions of memory.
• Measurements are made by the Root of trust, at runtime.
• Remote attestation: mutual, similar to the Arm TrustZone state of the art.

16. Which TEE is the best fit for me?
It depends on the deployment scenarios.

17. TEEs characteristics
[Table: the surveyed TEEs (LIRA-V and Sanctum among them) compared on: Server-grade, General purpose, IoT, Industrial TEEs, Many domains, Mutual attestation, Encrypted DRAM, Local attestation.]
Find more criteria in the paper.

18. Future perspective

19. Perspectives for the future: Intel TDX
[Figure: high-level architecture of Intel TDX: regular virtual machines (VM) and secure Trust Domains (TD) run on a TDX-aware VMM with the TDX module, above the hardware.]
• Intel TDX deploys hardware-isolated virtual machines: Trust Domains (TD).
• TDX runs legacy applications on regular OSes, similarly to AMD SEV.
• The TDX module isolates the TD thanks to new CPU instructions.
• TDX reuses the SGX attestation to support remote attestation:
  • Initial measurement during the TD build process
  • Can be extended to measure additional data at run-time

20. Perspectives for the future: Arm CCA
[Figure: high-level architecture of Arm CCA: Normal world (Process on OS, Hypervisor), Secure world (TA on Trusted OS, SPM: Secure Partition Manager) and Realm world (Realm VMs managed by the RMM: Realm Management Monitor), all above the Secure monitor.]
• Arm CCA deploys hardware-isolated virtual machines: Realm VMs.
• RME is the hardware extension that introduces a new world: the Realm.
• Unlike TrustZone, the Realm has shielded memory (encryption + integrity).
• CCA provides attestation of the platform and of the initial state of the realm.

21. Thanks for your attention!
Takeaway
• Remote attestation ensures the genuineness of deployed applications in TEEs.
• There are many TEEs, but no “one size fits all” TEE; it depends on the usage.
• Industrial solutions have well-documented (and undiscovered?) flaws. Emerging solutions lack hindsight.
• New TEE designs tend to be VM-based (AMD SEV, Intel TDX, Arm CCA).
Read me online!
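The following Python is an added example, not code from the slides or from any TEE vendor's SDK. It models the attester / verifier / relying party flow of slide 3 (reference values provisioned, quote sent, verification result acted on) and the challenge, evidence and data-provisioning exchanges of slides 6, 12 and 14 in one runnable script. The evidence is bound with a symmetric HMAC, as slide 14 describes for TIMBER-V's Tag root; the shared key, the measured "application image", the nonce scheme and all class and function names are constructed for the example. SGX, SEV-SNP and the other hardware TEEs instead sign evidence with a vendor-certified asymmetric key, which this model does not reproduce.

```python
"""Model of the IETF RATS remote-attestation flow shown on slide 3.

Constructed example, not code from the talk or from any TEE SDK. The
evidence is protected with a symmetric MAC (as TIMBER-V's Tag root does);
SGX, SEV-SNP and the other TEEs on the slides sign evidence with a
vendor-certified asymmetric key instead, which is not modelled here.
"""
import hashlib
import hmac
import json
import secrets

# Hypothetical key assumed to be shared by the attester's root of trust and
# the verifier. A real device key lives in hardware and never leaves it.
DEVICE_KEY = b"constructed-device-key-not-a-real-secret"


def measure(code):
    """H(code): the code measurement that forms the principal claim."""
    return hashlib.sha256(code).hexdigest()


def _mac(key, claims):
    # Canonical encoding so attester and verifier MAC identical bytes.
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class Attester:
    """Produces evidence: claims (measurement, nonce) bound by a MAC."""

    def __init__(self, code, key=DEVICE_KEY):
        self.code = code
        self.key = key

    def produce_evidence(self, nonce):
        claims = {"measurement": measure(self.code), "nonce": nonce}
        return {"claims": claims, "mac": _mac(self.key, claims)}


class Verifier:
    """Appraises evidence against reference values and yields a result."""

    def __init__(self, key=DEVICE_KEY):
        self.key = key
        self.reference_values = set()
        self.outstanding_nonces = set()

    def provision_reference(self, measurement):
        """Step 1 on slide 3: the Reference Value Provider supplies H(code)."""
        self.reference_values.add(measurement)

    def challenge(self):
        """Fresh nonce so the resulting evidence cannot be replayed later."""
        nonce = secrets.token_hex(16)
        self.outstanding_nonces.add(nonce)
        return nonce

    def appraise(self, evidence):
        claims = evidence["claims"]
        # Integrity and origin first: an edited or forged quote is rejected
        # before any of its claims are looked at.
        if not hmac.compare_digest(_mac(self.key, claims), evidence["mac"]):
            return {"ok": False, "reason": "bad MAC"}
        nonce = claims.get("nonce")
        if nonce not in self.outstanding_nonces:
            return {"ok": False, "reason": "unknown or reused nonce (replay)"}
        self.outstanding_nonces.discard(nonce)  # each challenge is single-use
        if claims["measurement"] not in self.reference_values:
            return {"ok": False, "reason": "measurement not in reference values"}
        return {"ok": True, "reason": "measurement matches reference values"}


class RelyingParty:
    """Acts on the attestation result: releases data only on a positive verdict."""

    def __init__(self, verifier, secret):
        self.verifier = verifier
        self.secret = secret

    def provision(self, evidence):
        result = self.verifier.appraise(evidence)
        return (self.secret if result["ok"] else None), result["reason"]


def run_scenarios():
    """Runs the flow for a genuine attester and for three failure cases."""
    good_code = b"constructed trusted application image v1"
    bad_code = b"constructed trusted application image v1, modified"
    verifier = Verifier()
    verifier.provision_reference(measure(good_code))        # (1) reference values
    rp = RelyingParty(verifier, secret=b"constructed provisioning secret")
    results = {}

    evidence = Attester(good_code).produce_evidence(verifier.challenge())  # (2) quote
    data, reason = rp.provision(evidence)                                   # (3) result
    results["genuine"] = {"provisioned": data is not None, "reason": reason}

    # Modified code: valid MAC and nonce, but no matching reference value.
    data, reason = rp.provision(Attester(bad_code).produce_evidence(verifier.challenge()))
    results["tampered_code"] = {"provisioned": data is not None, "reason": reason}

    # Replay: the genuine quote sent a second time, after its nonce was consumed.
    data, reason = rp.provision(evidence)
    results["replayed"] = {"provisioned": data is not None, "reason": reason}

    # Forgery: claims edited after the MAC was computed.
    bad_evidence = Attester(bad_code).produce_evidence(verifier.challenge())
    forged = {"claims": dict(bad_evidence["claims"], measurement=measure(good_code)),
              "mac": bad_evidence["mac"]}
    data, reason = rp.provision(forged)
    results["forged"] = {"provisioned": data is not None, "reason": reason}
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:14s} provisioned={outcome['provisioned']!s:5s} {outcome['reason']}")
```

The order of checks in `appraise` is the part worth keeping: origin (MAC) before freshness (nonce) before the measurement comparison, so that a quote which fails an earlier check never has its claims consulted. The same ordering applies when the MAC is replaced by the signature verification of an SGX quote or an SEV-SNP report.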