Demystifying Attestation in Intel Trust Domain Extensions via Formal Verification

Demystifying Attestation in Intel Trust Domain Extensions via Formal Verification

In August 2020, Intel asked the research community for feedback on the newly offered architecture extensions, called Intel Trust Domain Extensions (TDX), which give more control to Trust Domains (TDs) over processor resources. One of the key features of these extensions is the remote attestation mec...

Full description

Saved in:
Bibliographic Details
Published in:IEEE access Vol. 9; pp. 83067 - 83079
Main Authors: Sardar, Muhammad Usama, Musaev, Saidgani, Fetzer, Christof
Format: Journal Article
Language:English
Published: Piscataway IEEE 2021
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Subjects:
Analytical models
Computer bugs
Domains
Feedback
Formal specifications
Formal verification
Intel TDX
Microprocessors
ProVerif
remote attestation
Runtime
Security
Software
Specification and description languages
symbolic security analysis
trust domains
trusted execution environment
Verification
Virtual machine monitors
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:In August 2020, Intel asked the research community for feedback on the newly offered architecture extensions, called Intel Trust Domain Extensions (TDX), which give more control to Trust Domains (TDs) over processor resources. One of the key features of these extensions is the remote attestation mechanism, which provides a unified report verification mechanism for TDX and its predecessor Software Guard Extensions (SGX). Based on our experience and intuition, we respond to the request for feedback by formally specifying the attestation mechanism in the TDX using ProVerif's specification language. Although the TDX technology seems very promising, the process of formal specification reveals a number of subtle discrepancies in Intel's specifications that could potentially lead to design and implementation flaws. After resolving these discrepancies, we also present fully automated proofs that our specification of TD attestation preserves the confidentiality of the secret and authentication of the report by considering the state-of-the-art Dolev-Yao adversary in the symbolic model using ProVerif. We have submitted the draft to Intel, and Intel is in the process of making the changes.
ISSN:2169-3536
2169-3536
DOI:10.1109/ACCESS.2021.3087421