Using Intel SGX to Enforce Auditing of Running Software in Insecure Environments

Leonardo Winter Pereira, Luis Felipe Mazzuchetti Ortiz, Douglas Costa Rossi, M. Rosa, K. Fonseca, Charles B. Prado, L. D. C. Carmo, Andrey Elísio Monteiro-Brito, R. Riella
Proceedings. IEEE International Conference on Cloud Computing, pp. 243-246. Published 2018-12-01. DOI: https://doi.org/10.1109/CloudCom2018.2018.00054
Citations: 1

Abstract

In this work we propose a strategy using Intel SGX processors to guarantee the use of audited applications in insecure environments. A cloud-based toolchain allows auditors to assess if the user's application meets specifications and standards, to generate the final binaries, and to cryptographically sign them. It also generates a manifesto containing information to verify the authenticity of the audited software binaries. An SGX-based binary loader (inserted by the cloud-based toolchain during the application's building process) writes down auditing data that is encrypted and sealed by SGX functions to form reliable proofs that the original audited software is the one running. As a proof-of-concept, a Linux kernel was modified in order to cryptographically measure all processes being executed and send these results to an SGX application. An analysis was carried out to measure the performance of the altered system. On average, a system consistently running the audit increased the execution time of each process by 20 to 30%.