CRISP: Confidentiality, Rollback, and Integrity Storage Protection for Confidential Cloud-Native Computing

TL;DR

CRISP is a novel mechanism that enhances cloud-native security by preventing rollback attacks on confidential data stored in TEEs, specifically targeting Intel SGX environments, with minimal performance impact.

Contribution

CRISP introduces a transparent rollback protection mechanism for Intel SGX that limits attack windows and integrates seamlessly with cloud-native orchestration systems.

Findings

CRISP effectively prevents rollback attacks in SGX-based cloud applications.

The resource overhead of CRISP is manageable with only minor performance penalties.

CRISP constrains the attack window, enhancing confidentiality and integrity in cloud-native environments.

Abstract

Trusted execution environments (TEEs) protect the integrity and confidentiality of running code and its associated data. Nevertheless, TEEs' integrity protection does not extend to the state saved on disk. Furthermore, modern cloud-native applications heavily rely on orchestration (e.g., through systems such as Kubernetes) and, thus, have their services frequently restarted. During restarts, attackers can revert the state of confidential services to a previous version that may aid their malicious intent. This paper presents CRISP, a rollback protection mechanism that uses an existing runtime for Intel SGX and transparently prevents rollback. Our approach can constrain the attack window to a fixed and short period or give developers the tools to avoid the vulnerability window altogether. Finally, experiments show that applying CRISP in a critical stateful cloud-native application may incur a resource increase but only a minor performance penalty.