Automatic Enforcement of Expressive Security Policies Using Enclaves
Title | Automatic Enforcement of Expressive Security Policies Using Enclaves |
Publication Type | Conference Paper |
Year of Publication | 2016 |
Authors | Gollamudi, Anitha, Chong, Stephen |
Conference Name | Proceedings of the 2016 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications |
Publisher | ACM |
Conference Location | New York, NY, USA |
ISBN Number | 978-1-4503-4444-9 |
Keywords | composability, declassification, Enclave Programs, information erasure, information-flow control, language-based security, Metrics, object oriented security, pubcrawl, Resiliency, security-type system |
Abstract | Hardware-based enclave protection mechanisms, such as Intel's SGX, ARM's TrustZone, and Apple's Secure Enclave, can protect code and data from powerful low-level attackers. In this work, we use enclaves to enforce strong application-specific information security policies. We present IMPE, a novel calculus that captures the essence of SGX-like enclave mechanisms, and show that a security-type system for IMPE can enforce expressive confidentiality policies (including erasure policies and delimited release policies) against powerful low-level attackers, including attackers that can arbitrarily corrupt non-enclave code, and, under some circumstances, corrupt enclave code. We present a translation from an expressive security-typed calculus (that is not aware of enclaves) to IMPE. The translation automatically places code and data into enclaves to enforce the security policies of the source program. |
URL | http://doi.acm.org/10.1145/2983990.2984002 |
DOI | 10.1145/2983990.2984002 |
Citation Key | gollamudi_automatic_2016 |