Publication: Automatic Enforcement of Expressive Security Policies using Enclaves
Open/View Files
Date
2016-07-25
Published Version
Published Version
Journal Title
Journal ISSN
Volume Title
Publisher
The Harvard community has made this article openly available. Please share how this access benefits you.
Citation
Gollamudi, Anitha and Stephen Chong. 2016. Automatic Enforcement of Expressive Security Policies using Enclaves. Harvard Computer Science Group Technical Report TR-02-16.
Research Data
Abstract
Hardware-based enclave protection mechanisms, such as Intel’s SGX, ARM’s TrustZone, and Apple’s Secure Enclave, can protect code and data from powerful low-level attackers. In this work, we use enclaves to enforce strong applicationspecific information security policies. We present IMPE, a novel calculus that captures the essence of SGX-like enclave mechanisms, and show that a security-type system for IMPE can enforce expressive confidentiality policies (including erasure policies and delimited release policies) against powerful low-level attackers, including attackers that can arbitrarily corrupt non-enclave code, and, under some circumstances, corrupt enclave code. We present a translation from an expressive securitytyped calculus (that is not aware of enclaves) to IMPE. The translation automatically places code and data into enclaves to enforce the security policies of the source program.
Description
Other Available Sources
Keywords
enclave programs, information erasure, declassification, security-type system, information-flow control, language-based security
Terms of Use
This article is made available under the terms and conditions applicable to Other Posted Material (LAA), as set forth at Terms of Service