MOAT

Towards Safe BPF Kernel Extensions

We present MOAT, a system that isolates potentially malicious BPF programs using Intel Memory Protection Keys (MPK). Enforcing BPF program isolation with MPK is not straightforward; MOAT is designed to alleviate technical obstacles, such as limited hardware keys and the need to protect a wide variety of BPF helper functions. We implement MOAT on Linux (ver. 6.1.38), and our evaluation shows that MOAT delivers low-cost isolation of BPF programs under mainstream use cases, such as isolating a BPF packet filter with only 3% throughput loss.
This work is partly supported by:
The National Natural Science Foundation of China under Grant No. 62372218
Shenzhen Science and Technology Program under Grant No. SGDX20201103095408029
RGC CRF grant under the contract C6015-23G

CAGE

Complementing Arm CCA with GPU Extensions

We present CAGE to support confidential GPU computing for Arm CCA. By leveraging the existing security features in Arm CCA, CAGE ensures data security during confidential computing on unified-memory GPUs, the mainstream accelerators in Arm devices. To adapt the GPU workflow to CCA's realm-style architecture, CAGE proposes a novel shadow task mechanism to manage confidential GPU applications flexibly. Additionally, CAGE leverages the memory isolation mechanism in Arm CCA to protect data confidentiality and integrity against a strong adversary. Based on this, CAGE also optimizes the security operations involved in memory isolation to mitigate performance overhead. Without hardware changes, our approach uses the generic hardware security primitives in Arm CCA to defend against a privileged adversary.
This work is partly supported by:
The National Natural Science Foundation of China under Grant No. 62372218, No. 62002151 and No. 62102175
Shenzhen Science and Technology Program under Grant No. SGDX20201103095408029
HK RGC General Research Fund No. PolyU 15220020
HK RGC Collaborative Research Fund No. C2004-21GF
The Research Institute for Artificial Intelligence of Things, The Hong Kong Polytechnic University
Ant Group
Shelter

A user-level enclave as an extension of CCA’s primary Realm VM-style architecture

We propose Shelter as a complement to CCA’s primary Realm VM-style architecture, aiming to allow third-party developers to deploy their applications with isolation in userspace as an SApp. Shelter is designed to cooperate with Arm CCA hardware primitives to provide hardware-based isolation while removing the need for software workloads to entrust their data to a host OS, hypervisor, or other privileged software.
This work is partly supported by:
The National Natural Science Foundation of China under Grant No. 62002151 and No. 62102175
Shenzhen Science and Technology Program under Grant No. SGDX20201103095408029 and No. ZDSYS20210623092007023
PolyU Grant (ZVG0) and Hong Kong RGC Project (No. PolyU15222320).

StrongBox

A GPU TEE on Arm Endpoints

To address the security problems, we present StrongBox, the first GPU TEE for secured general computation on Arm endpoints. StrongBox leverages the existing Arm hardware features to protect the GPU memory and GPU device, and performs the necessary checks on the GPU device and memory content. Under a compromised operating system, StrongBox provides an isolated execution environment for sensitive GPU computation, ensuring data confidentiality and code integrity.
This work is partly supported by:
The National Natural Science Foundation of China under Grant No. 62002151 and No. 62102175
Science, Technology and Innovation Commission of Shenzhen Municipality under Grant No. SGDX20201103095408029
The Research Institute for Artificial Intelligence of Things
The Hong Kong Polytechnic University
HK RGC General Research Fund No. PolyU 15220020
Nailgun

Break the privilege isolation in ARM devices

Processors nowadays are routinely equipped with debugging features that facilitate program debugging and analysis. Specifically, the ARM debugging architecture involves a series of CoreSight components and debug registers to aid system debugging, but the security of these debugging features is under-examined, since using them normally requires physical access in the traditional debugging model.
The idea of the Nailgun Attack is to misuse the debugging architecture through the inter-processor debugging model. In the inter-processor debugging model, a processor (debug host) is able to pause and debug another processor (debug target) on the same chip even when the debug target runs at a higher privilege level. With Nailgun, we are able to obtain sensitive information (e.g., an AES encryption key and a fingerprint image) and achieve arbitrary payload execution in a high-privilege mode.
This work is partly supported by:
The National Science Foundation Grant No. OAC-1738929 and IIS-1724227