A. Our Contributions

Fidelius contains three components, discussed in detail in the following sections: (1) a small trusted functionality running inside an isolated hardware enclave, (2) a trusted path to I/O devices like the keyboard and the display, and (3) a small browser component that interacts with the hardware enclave.

A trusted path from the hardware enclave to I/O devices is essential for a system like Fidelius. First, this is needed to prevent an OS-level malware from intercepting the data on its way to and from the I/O device. More importantly, the system must prevent out-of-enclave malware from displaying UI elements that fool the user into entering sensitive data where the malware can read it. Beyond protecting web input fields, the system must protect the entire web form to ensure that the malware does not, for example, swap the “username” and “password” labels and cause the user to enter her password into the username field.

We implement a prototype trusted path to the keyboard using a Raspberry Pi Zero that sits between the user’s machine and the keyboard and implements a secure channel between the keyboard and the hardware enclave. We implement a trusted path to the display using a Raspberry Pi 3 that sits between the graphics card and the display. The Raspberry Pi 3 overlays a trusted image from the hardware enclave on top of the standard HDMI video sent to the display from the graphics card. We discuss details in Section IX-A. Our trusted path system is open source and available for other projects to use. We note that we can not use SGXIO [16], an SGX trusted I/O project, because that system uses hypervisors, which may be compromised in our threat model.

Another complication is the need to run client-side JavaScript on sensitive form fields. For example, a web site may use client-side JavaScript to ensure that a credit card checksum is valid, and alert the user if not. Similarly, many sites use client-side JavaScript to display a password strength meter. Fidelius should not prevent these scripts from performing as intended. Several projects have already explored running a JavaScript interpreter in a hardware enclave. Examples include TrustJS [17] and Secureworker [18]. Our work uses the ability to run JavaScript in an enclave as a building block to enable privacy for user inputs in web applications. The challenge is to do so while keeping the trusted enclave – the TCB – small.

To address all these challenges, this paper makes the following contributions:

• The design of Fidelius, a system for protecting user secrets entered into a browser in a fully-compromised environment.

• A simple interface for web developers to enable Fidelius’s security features.

• The first open design and implementation of a trusted path enabling a hardware enclave to interact with I/O devices such as a display and a keyboard from a fully compromised machine.

• A browser component that enables a hardware enclave to interact with protected DOM elements while keeping the enclave component small.

• An open-source implementation and evaluation of Fidelius for practical use cases.

A. Trusted User I/O Path

The trusted user I/O path consists of a keyboard and display with a trusted dongle placed between them and the computer running Fidelius. Each device consists of trusted and untrusted modes. The untrusted modes operate exactly the same as in an unmodified system. The trusted keyboard mode, when activated, sends a constant stream of encrypted keystrokes to the enclave. The enclave decrypts and updates the state of the relevant trusted input field. The trusted and untrusted display modes are active in parallel, and the trusted mode consists of a series of overlays sent encrypted from the enclave to the display. Overlays include rendered DOM subtrees (including, if any, the protected user inputs) placed over the untrusted display output as well as a dedicated portion of the screen inaccessible to untrusted content. We cover these functionalities and details of the protocols used to secure them in Section VI. Finally, both trusted devices have LEDs that notify the user when a trusted path is established and ready to collect user input. Our system relies, in part, on users not typing secrets on the keyboard when these security indicator lights are off. This ensures that only the enclave has access to secrets entered on the keyboard. We note, however, that several works have studied the effectiveness of security indicators in directing user behavior [24], [25] and found that users often ignore them. We briefly discuss potential alternatives in Section XI, but leave the orthogonal problem of designing a better user interface – one that is more difficult to ignore – to future work.

B. Web Enclave

A web enclave is essentially a hardware enclave running a minimalistic, trusted browser engine bound to a single web origin. A browser using a web enclave delegates the management and rendering of portions of a DOM tree and the execution of client-side scripts, e.g. JavaScript and Web Assembly, to the enclave. In addition, the web enclave can send and receive encrypted messages to and from trusted devices and the origin server. Finally, the web enclave provides client-side script APIs to access the DOM subtree, secure storage, and secure HTTP communication.

When a user loads a web page, Fidelius checks whether the page contains HTML tags that need to be protected, e.g., secure HTML forms. If it does, it initiates a web enclave, runs remote attestation between that enclave and the server, and validates the identity of the server. Once this process completes, Fidelius loads the HTML tags it needs to protect into the web enclave and verifies their signatures. Then, when the user accesses a protected tag, e.g. with a mouse click, Fidelius gives control to the enclave, which in turn activates the devices’ trusted mode. The trusted mode LEDs are turned on, informing the user that the trusted path is ready to securely collect user input.

Web enclaves provide two main ways to send protected messages to a remote server: directly through an encrypted form submission or programmatically via an XMLHttpRequest API. When a user clicks a form’s submit button, the web browser notifies the enclave of this event. Then, the web enclave encodes the form data following HTML form norms¹, encrypts that data, and signs it. The encrypted form is passed to the web browser, which sends it to the remote server. When a script needs to send messages to the server, it can use the XMLHttpRequest web API. The web enclave XMLHttpRequest API interface is similar to that implemented by web browsers; however, it encrypts sensitive fields such as the request body and custom HTTP headers. HTTP responses are sent by the server in encrypted form. The enclave will automatically decrypt responses and resume execution of the JavaScript function waiting for the response.

Fig. 2.

Design of Fidelius’s user interface. The green area is the trusted display overlay.

Show All

A. User Interface

The primary challenge in designing an interface for a system with a mix of trusted and untrusted components lies in distinguishing the trusted parts from the untrusted parts in a way that cannot be faked by an attacker. Our solution is to dedicate a small part of the screen to the web enclave, rendering that portion of the screen inaccessible to the OS while the trusted display is active, as indicated by an LED outside the display. Outside of this region, user interaction with Fidelius does not differ at all from interactions with a typical web application. Figure 2 shows the design of Fidelius’s user interface in use on a sample payment page. Trusted input fields do not have any special visual features that distinguish them from other inputs. Instead, the dedicated trusted region of the screen displays information that defends against attacks which make use of UI manipulation to fool a user into giving sensitive data to an attacker.

There are two important pieces of information shown in the protected display region. First, we must ensure that the user sends sensitive information only to the intended destination and avoids attacks like changing the contents of the url bar or picture-in-picture attacks [26]. We achieve this by including the origin of the web enclave in the trusted region. In Figure 2, the trusted region shows that the web enclave is connected to pay.site.com.

Second, we must ensure that users can distinguish real trusted inputs from untrusted ones and that an attacker cannot fool the user by changing the untrusted text surrounding a trusted input field. This could include attacks where untrusted input fields are made to look just like trusted ones (which in fact is the case by default in Fidelius) or, for example, where the username and password prompts before two inputs are switched, causing the user’s password to be processed as a username, which potentially receives far less protection after being sent to the server. We protect against this class of attacks by displaying a name for each trusted input in the dedicated display region when that field has focus. This serves to indicate to the user that the current input field is trusted. It also protects against any attack involving shuffling of input field labels to fool a user or cause incorrect data to be sent to the server because the descriptive name for each input field lies outside the reach of an attacker.

B. Developer Interface

Design of a developer interface must provide an easy to use and backwards compatible way for developers to access the features of Fidelius. Our developer interface requires no changes for pages or components of pages that do not make use of Fidelius’s features. Developers who wish to provide stronger security guarantees to Fidelius users include additional attributes in existing HTML tags directing Fidelius to use the web enclave in rendering and interacting with the content of those tags. Listing 1 shows an example of an HTML page supporting Fidelius.

Listing 1.

Fidelius-enabled code for the online payment web page. In red, the new HTML attributes required by Fidelius.

Show All

Fidelius currently supports <form>, <input>, and <script> tags. To mark any of these tags as compatible with Fidelius, developers add a secure attribute to the tag. In the case of <script> and <form> tags, a signature over the content of the tag is included in a sign attribute, to be verified with respect to the server’s public key inside the enclave as described in Section VII. The signature ensures that the form and script contents have not been modified by malware before they were passed to the enclave. The signature is not needed for <input> tags because the signature on a form includes the inputs contained within it. <input> tags also require a name attribute to be shown in the trusted component of the display when that input has focus.

JavaScript included in secure <script> tags runs on an interpreter inside the web enclave with different scope than untrusted code running in the browser. Trusted JavaScript has access to its own memory and its own web APIs for secure storage and secure HTTP requests, but it cannot directly access the memory or web APIs available to untrusted JavaScript. Trusted and untrusted JavaScript can, however, make calls to each other and pass information between each other as needed using an interface similar to the postMessage cross-origin message passing API.

Fidelius enforces a strict same-origin policy for web enclaves, so network communication originating or ending in an enclave can only come from its specified origin. By default, the origin of HTML tags is inherited from the web page. In general, the origin is derived from the initial URL of the page. However, for tags such as <form> and <script>, the origin is derived from the action and src attributes respecively. The origin specified here is not authenticated and therefore susceptible to tampering. We discuss the process by which a web enclave connects to remote servers and verifies their legitimacy in Section VII.

A. Setup

In order to securely communicate, the web enclave and peripherals (or the dongles connected to them) must have a shared key. One option is to operate in a threat model with an initial trusted phase where we assume the computer is not yet compromised. Pre-shared keys are exchanged when the user configures the computer for the first time. Devices store the key in an internal memory, and the enclave seals the shared keys for future retrieval. The key can be accessed only by the enclave directly and not by user-provided JavaScript running inside it.

In the more realistic setting where new peripherals can be introduced to a computer over time, we must protect against attacks that involve introduction of malicious periphal devices. In this setting, we need Fidelius-compatible devices to include a trusted component that can perform an attestation with the enclave to prove its legitimacy before exchanging keys. Note that this attestation must occur in both directions – from enclave to keyboard and from keyboard to enclave – or the device that does not attest can be faked by an attacker.

B. Trusted Communication

The process of switching between trusted and untrusted modes presents an interesting security challenge. An authentication procedure between the enclave and the trusted devices can ensure that only the enclave initiates switches between trusted and untrusted modes, but this ignores the larger problem that the enclave must rely on the untrusted OS to inform it when an event has happened that necessitates switching modes. Avoiding that necessity would require moving a prohibitively large fraction of the browser and UI into an enclave. Our solution has two parts and relies on making the user aware of when key presses produce trusted or untrusted input. First, we include a light on each dongle that turns on only when the keyboard or display are in trusted mode. This alone, however, does not suffice to solve the problem, as an attacker could mount a “rapid switching” attack where it jumps in and out of trusted mode faster than the user can perceive or react, leading to parts of the user’s input being leaked by untrusted input. Even worse, rapid switching between modes may occur quickly enough to not be noticable to a user monitoring the lights. To prevent this attack, we force a short delay when switching out of trusted mode. This ensures the user will have time to notice and react when a switch occurs.

The enclave switches devices in and out of trusted mode by sending one of two reserved messages which are simply fixed strings that they interpret as commands to change the trust setting. When in trusted mode, messages between the enclave and the peripherals are encrypted as described in Section VI-C.

Since the timing of key presses can reveal sensitive information about what keys are being pressed [27], we must also avoid leaking timing information while in trusted input mode. We do this by having the keyboard send a constant stream of key presses where most contain only an encryption of a dummy value that indicates no key pressed. As long as the fixed frequency of key presses exceeds the pace at which a user types, the user experience is unaffected by this protection. Since user key presses typically result in changes on the display, we update the display contents at the same rate as we read keyboard inputs.

Our trusted input design in many ways mirrors that of Bumpy [28] and SGX-USB [29], which also provide generic trusted user input using similar techniques but do not provide the web functionality that we do. In contrast to our work, Bumpy does not display any trusted user input. SGX-USB allows for generic I/O but does not solve the problem of mixing trusted and untrusted content in a user interface as we do in both our keyboard and display. Neither system has source code available. We improve on the features of both works by protecting against timing attacks on encrypted data sent from trusted input devices.

C. Message structure

Messages sent in the trusted communication protocol described above must include safeguards against replay attacks. To do this, we include a counter in every message sent, so that the same count never repeats twice. Counters are maintained on a per-device and per-origin basis, so every message between the enclave and the keyboard or display must include a counter value and the name of the origin in addition to the encrypted key press or overlay itself.

A. Web Enclave State Machine

The web enclave implements the state machine in Figure 3. At any point, it can be in one of the following five states: initial, authenticated, ready, end, and fail. Transitions are caused by ECALLs. Each state has a list of accepted ECALLs. For example, the initial state accepts only ECALLs for the remote attestation and origin validation. Other ECALLs bring the web enclave to the fail state. No other transition is possible from this state, and the enclave needs to be terminated after reaching it.

Fidelius creates a web enclave when it finds any <form> or <script> tags with the secure attribute set. Then it derives the origin of the tags that need to be protected. By default, the origin of the tags are inherited from the web page they belong to, i.e., the domain and port of the URL. However, for tags such as <form> and <script>, the origin is derived from the action and src attributes respecively. Tags can have different origins. While it is possible to create one web enclave for each origin, the current version of the web enclave assumes that all protected components on a page communicate with the same origin.

Once the origin has been determined, Fidelius passes the origin to the web enclave and performs remote attestation and origin validation, after which the enclave and the origin can share a symmetric key. This key will be used to encrypt any communication between the enclave and the origin, so any network manipulation or monitoring will only result in an attacker recovering encrypted data for which it does not have the key. As a result, the rest of the network stack can remain outside the enclave in untrusted code. In order to verify an origin, the enclave must have the corresponding public key, either as a hard-coded value or, more realistically, by verifying a certificate signed by a hard-coded authority.

Fig. 3.

Finite state machine representing web enclave behavior.

Show All

At this point, the web enclave is in the authenticated state. Fidelius retrieves the tags with the secure attribute set and loads them into the enclave. These operations do not cause a state transition. The only ECALL that causes a valid transition from this state is verification of the signatures. If the validation of all signatures succeeds, the enclave enters the ready state. From this point on, the enclave is fully operational and can decrypt keyboard inputs, prepare encrypted outputs for the display, execute JavaScript functions, and take/release control of the trusted path upon focus and blur events respectively.

B. Features

Once an enclave has successfully entered the ready state, the full functionality of Fidelius becomes available to the web application. Fidelius supports secure HTML forms, JavaScript execution, secure network communication, and persistent protected storage.

2) Javascript:

We run a JavaScript interpreter inside the enclave but leave out heavy components like the event loop. When a trusted JavaScript function is called, the enclave provides the interpreter with function inputs and any other state that should be available to the code about to run.

Javascript running in the enclave can access the content of protected HTML forms via the the global variable forms. The forms variable contains a property for each form name. For example, with reference to the HTML code in Listing 1 the payment form can be accessed via forms.payment where payment is the value of the attribute name of the <form> tag. Developers can implement custom input validation procedures. For example, a very simple form of validation can be checking if the credit card field contains forbidden characters such as white spaces. The JavaScript function that verifies the presence of white spaces can be implemented as shown in Listing 2.

Listing 2.

Simple form validation

Show All

3) Network Communication:

In order for protection of user data on the local machine to translate into a useful web application, there must be a mechanism for transmitting data out from the enclave without tampering by the compromised browser or OS. We provide a basic mechanism for doing this by supporting HTML forms, but web applications in general need to send back data to the server programmatically in a variety of contexts, not just when a user submits a form. To support this need, we provide support for XMLHttpRequests (as shown in Listing 3) where requests are encrypted inside the enclave using the shared key from the attestation process before leaving the enclave.

Listing 3.

XMLHTTPRequest example

Show All

The problem of defending against replay of messages over the network is not unique to the trusted hardware setting and must be handled separately by applications built on Fidelius.

4) Persistent Storage:

Fidelius provides developers with a web storage abstraction similar to the standard web storage provided by unmodified web browsers. Secure web storage can be accessed via localStorage, as shown in Listing 4.

Listing 4.

Web storage

Show All

When the need for persistent storage arises, Fidelius encrypts the data to be stored using a sealing key and stores it on disk (it could equivalently use existing browser storage mechanisms to hold the encrypted data). The sealing key is a feature provided by SGX to an enclave in order to store persistent data across multiple runs of the enclave.

This approach raises two problems we must resolve. First, every instance of the same enclave shares the same sealing key, so we must ensure that different enclaves created by the same browser cannot read each others’ secrets. We can prevent this problem by including the associated origin as additional authenticated data with the encrypted data to be stored. This way an enclave can find and restore data associated with the origin it connects to but, as a matter of policy, does not allow the user to access data associated with any other origin. The integrity guarantees of our trusted hardware platform ensure that our code will abide by this policy.

The second issue is that of rollback attacks. A malicious operating system could roll back or delete data that is stored to disk, so, for applications that rely on maintaining sensitive state, the enclave must have a way to determine whether it has the most up-to-date stored data. A generic solution to this problem, such as ROTE [30], would suffice, but ROTE requires a distributed setting which may not be available to a user browsing the web from home. We can solve this problem by enlisting the assistance of the server to ensure protection against rollbacks, especially in situations where an enclave is connected to a server that already keeps information about the user. The idea is to keep a revision number, one for each origin, that gets sent from the server to the enclave at the end of the attestation process and is incremented whenever changes are made to locally stored data. Since the attacker cannot change the number stored on the server or in the enclave during execution, we can detect whenever a rollback attack has been launched or stored data has been deleted by observing a mismatch between the number on the data reloaded by the enclave and the number sent by the server.

Our generic approach for storage of user secrets and network connections could easily be extended to include storage of cookies, resulting in a separate cookie store, accessible only to the enclave, that otherwise provides the same functionality available from cookies in unmodified browsers.

A. Attacks on Core Features

Enclave omission attack. An attacker with full control of the sofware running on a system may manipulate the browser extension and enclave manager software to pretend to use an enclave when in fact it does not. This attack will, however, fail because of defenses built into our user interface via the keyboard and display dongles. Absent a connection to a real enclave, the trusted input lights on the keyboard and display will not light, alerting the user that entered data is unprotected.

Enclave misuse attack. A more subtle attack of this form uses the enclave for some tasks but fakes it for others. For example, to circumvent the defense above, trusted input from the user could use the real enclave functionality, but trusted output on the display could be spoofed without the enclave. As such, it is necessary for each I/O device to separately defend against fake use of an enclave. The defenses described for the previous attack suffice to protect against this attack as well, but both lights are needed.

An attacker could also use the genuine trusted I/O path but attempt to omit use of the enclave when running JavaScript inside the browser. This attacker could clearly not access persistent storage, trusted network communication, or user inputs because those features require keys only available inside the enclave. On the other hand, the JavaScript to be run inside the enclave is not encrypted, so an attacker could potentially also run it outside the enclave, so long as it does not make use of any other resources or features offered by Fidelius. At this point, however, the JavaScript becomes entirely benign because it cannot give the attacker running it any new information or convince the user or remote server of any falsehoods because the trusted paths to all private information or trusted parties are barred.

A last variant of this attack would omit certain ECALLs that perform necessary setup operations like initializing a form and its inputs before the user begins to enter data. Omission of these ECALLs would result in the system crashing but would not leak secrets in the process. As mentioned before, we cannot conceivably protect against a denial of service attack where the compromised OS refuses to allow any access to the system. We can only ensure that normal or abnormal use of the enclave does not leak user secrets.

Page tampering attack. Failing to omit an enclave entirely or even partially, the attacker can turn to modifying the inputs given to various ecalls. In particular, the names and structure of forms and their inputs or the JavaScript to be run inside the enclave could be modified. Mounting this attack, however, would require an adversary who can break the unforgeability property of the signatures used to sign secure <form> and <script> tags. Those tags are verified with an origin-specific public key (either hard-coded in the enclave or verified with a certificate) that lies out of reach of our attacker.

Since trusted JavaScript is the only way to access trusted user inputs from within the browser, the fact that we have separate scope for execution of trusted and untrusted JavaScript means that any attempt to directly access user secrets stored in protected inputs will necessarily be thwarted.

Redirection attack. This attack resembles a straightforward phishing attempt. Instead of tampering with the operation of Fidelius, a browser could navigate to a malicious website designed to look legitimate in an attempt to send user secrets to an untrusted server. Here again the persistent overlay added by our display dongle prevents an attack by displaying the origin to which the enclave has connected. The strict same-origin policy within the enclave means that the origin displayed in the trusted portion of the screen is the only possible destination for network connections originating withing the enclave. While an attacker could establish a connection with a server other than the declared origin, the data sent to that server will be encrypted with a key known only to the intended origin, rendering the data useless to others. As such, the only way for an attacker to have legitimate-looking text appear there is to send user data only to legitimate destinations.

Storage tampering attack. Although authenticated encryption with a sealing key tied to the enclave protects persistently stored data from tampering, an attacker can still delete or roll back the state of stored data. We detail our solution to protect against this attack in Section VII-B4, where we enlist the assistance of the server to keep an up-to-date revision number for the enclave’s data out of reach of the attacker. Attacks where the browser connects to a malicious site whose trusted JavaScript tries to read or modify persistent storage for other sites are prevented by our policy of strict separation between stored data associated with different origins.

B. Attacks on Trusted I/O Path and UI

We now consider attacks against the trusted I/O path to the user. Direct reading of private key presses and display outputs is prevented by encryption of data between the enclave and keyboard/display dongles, but we also consider a number of more sophisticated attacks. Since the I/O path to the user closely relates to the user interface, we discuss attacks against both the protocols and the interface together. We discuss security considerations involved in the setup of trusted I/O devices in Section VI-A.

Mode switching attack. As discussed in Section VI, the decision to switch between trusted and untrusted modes ultimately lies with the untrusted browser because it decides when an input field receives focus or blurs or when to activate Fidelius in the first place. We defend against this type of tampering with the light on the dongles and the delay when switching from trusted to untrusted modes. These defenses protect against both a standard unauthorized exit from the enclave as well as a rapid switching attack that tries to capture some key presses by quickly switching between modes.

Replay attack. We defend against replay of trusted communications between the enclave and display by including a non-repeating count in every message that is always checked to make sure an old count does not repeat. An attacker could, however, eavesdrop on key presses destined for one enclave, switch to a second enclave connected with a site it controls, and replay the key presses to the second enclave in an attempt to read trusted key presses. We defend against this attack by including the name of the origin along with the count in encrypted messages, so they cannot be replayed across different enclaves. Likewise, since the keyboard and display use different keys to encrypt communications with the enclave(s), messages cannot be replayed across sources.

Input manipulation attack. Attackers can attempt to make untrusted input fields appear where a user might expect trusted input fields and thereby fool users into typing trusted information in untrusted fields. Since the attacker has almost full control of what gets placed on the display, this grants considerable freedom in manipulating the display to mimic visual queues that would indicate secure fields. Fortunately, our display dongle reserves a strip at the bottom of the screen for trusted content directly from the enclave. This area informs the user what trusted input is currently focused, if any.

An attacker could also manipulate the placement of actual trusted input fields or the labels that precede them on a page in order to confuse or mislead a user as to the purpose of each field. By using the trusted display area to show which trusted input currently has focus, if any, we give developers the opportunity to assign inputs descriptive trusted names that will alert a user if there is a mismatch between an input’s name and its stated purpose in the untrusted section of the display.

Timing attack. The fact that key presses originate with the user means that the timing of presses and associated updates to content on the screen may leak information about user secrets [27]. We close this timing side channel by having the keyboard send encrypted messages to the enclave at a constant rate while in trusted mode, sending null messages if the user does not press a key during a given time period and queueing key presses that appear in the same time period. A high enough frequency for this process ensures that the user experience is not disrupted by a backlog of key presses. Updates to display overlay contents also happen at a constant rate, so timing channels through key presses and display updates cannot leak information about user secrets.

Multi-Enclave Attacks. As mentioned in Section III, Fidelius does not aim to protect against attacks mounted by incorrect or privacy-compromising code provided by an origin that has already been authenticated. That said, we briefly discuss here some attacks that could be launched by collaboration between a malicious OS and a malicious remote origin that is trusted by Fidelius (for example, in case of a maliciously issued certificate) and which tries to steal data a user meant to send to a different trusted origin. An attacker who has compromised a trusted site could always ask for data from a user directly, rendering these attacks less important in practice, but there may be some kinds of data a user would only want to reveal to one trusted origin and not others, e.g. a password for a particular site.

First we consider an enclave-switching attack, a more involved variant of the mode-switching attack described above. In this attack, the untrusted sytem rapidly switches between different enclaves, one connecting to a legitimate site and the other to a malicious site controlled by the attacker. Fidelius’s existing mode-switching delay also protects against this variant of the attack because the display always shows the origin associated with the enclave currently in use.

A more complicated attack could run one honest, uncompromised enclave concurrently with an enclave connected to an malicious origin. The uncompromised enclave would feed its overlays to the display while the compromised enclave would receive inputs from the keyboard. This may be noticed by users in the current Fidelius design because anything typed would not appear on the display, but by the time a user notices this, secrets may have already been compromised. To defend against this, the keyboard and display dongles could be configured to only connect to one enclave at a time (not connecting to another enclave until the first enclave declares it has entered the end state) and to check that they have connected to the same enclave at setup by using the enclave to send each other hashes of fresh origin-specific secrets.

A. Trusted Path

Our prototype runs on an Intel Nuc with a 2.90 GHz Core i5-6260U Processor and 32 GB of RAM running Ubuntu 16.04.1 and SGX SDK version 2.1.2. We produced dongles to place between the Nuc and an off-the-shelf keyboard and display using a Raspberry Pi Zero with a 1 GHz single core Broadcom BCM2835 processor and 512 MB of RAM running Raspbian GNU/Linux 9 (stretch) for the keyboard and a Raspberry Pi 3 with a 1.2 GHZ quad-core ARM Cortex A53 processor and 1GB RAM running Raspbian GNU/Linux 9 (stretch) at a display resolution of 1280x720. Figures 6 and 7 show our input and output dongle devices.

Fig. 5.

Prototype of the trusted path: (a) standard USB keyboard connected to our RPI Zero dongle to encrypt keystrokes, (b) Computer with a Fidelius-enabled browser, and (c) standard HDMI display connected to our RPI 3 dongle to overlay secure frames.

Show All

Fig. 6.

Trusted keyboard dongle built from Raspberry Pi Zero. In untrusted mode, the dongle forwards key presses from the keyboard to the computer. In trusted mode, the dongle sends a constant stream of encrypted values to the enclave. The values correspond to key presses if there has been any input or null values otherwise.

Show All

Fig. 7.

Trusted display dongle built from Raspberry Pi 3. Frames arrive on the RPI3 over HDMI in, which connects through a board that treats the frames to be displayed as camera inputs. Overlays are transmitted over Bluetooth and decrypted on the RPI3. The combined frame and overlay go to the display through the HDMI out cable.

Show All

The Raspberry Pi Zero simulated two input devices to the Nuc, one standard keyboard and one secure keyboard, with only one device active at any time based on the state of the application being run. The RPI 3 uses a B101 rev. 4 HMDI to CSI-2 bridge and the Picamera Python library [31] to treat the HDMI output from the Nuc as a camera input on which it overlays trusted content before rendering to the real display. Trusted content is sent over a separate bluetooth channel. The bluetooth channel exists as a matter of convenience for implementation, as HDMI does allow for sending auxiliary data, but we were unable to programmatically access this channel through existing drivers.

When an encrypted overlay packet reaches the RPI3 display device from the Nuc, it is first decrypted and decoded from a flat black and white encoding used to transfer data back to a full RBG color representation. Next, the image is transferred from the decryption/decoding program to the rendering code, which places it on the screen. We introduce a refresh delay between sending frames to give the Picamera library adequate time to render each frame before receiving the next one.

Although we have built a working Fidelius prototype, a number of improvements could make for a more powerful and complete product. These changes include miniaturization of dongle hardware, faster transfer protocols, e.g. USB 3.0 instead of Bluetooth, and custom drivers to reduce latency between the dongles and the keyboard/display. We leave the engineering task of optimizing Fidelius to future work.

B. Browser and Web Enclave

On the Intel Nuc device, Fidelius is implemented as a Chrome browser extension running on Chrome version 67.0.3396 communicating with a native program via Chrome’s Native Messaging API³ for web enclave management. The extension activates on page load and checks whether the page contains components that need to be protected, e.g., secure HTML forms and JavaScript. If it does, it communicates with the native program to initiate the web enclave and perform remote attestation with the server. Once this process completes, the user can interact with secure components on the page, and secure JavaScript code can be run in the enclave. Since the page setup process occurs independently of the page loading in the browser, only the secure components of a page are delayed by the attestation process – non-secure elements of a page have no loading penalty as a result of running Fidelius. The majority of the work of enclave management is handled by the native code. For symmetric encryption of forms, bitmaps, and keystrokes we use AES-GCM encryption and for signing forms we use ECDSA signatures. JavaScript inside the enclave is run on a version of the tiny-js [32] interpreter that we ported to run inside the enclave.

1) TCB Size:

The trusted code base for Fidelius consists of 8,450 lines of C++ code, of which about 3200 are libraries for handling form rendering and another 3800 are our enclave port of tiny-js. This does not include native code running outside the enclave or in the browser extension because our security guarantees hold even if an attacker could compromise those untrusted components of the system. It also excludes dongle code which runs on the Raspberry Pi devices and not the computer running the web browser. Compared to the 18,800,000 lines of the Chrome project⁴, Fidelius supports many of the important functionalities one may wish to secure in a web browser while exposing an attack surface orders of magnitude smaller than a naive port of a browser into a trusted execution environment.

2) Comparison to Commercial Devices:

For a standard login form with username and password fields, Fidelius’s key press to display latency is 201.8 ms. We exclude the time it takes to transfer the encrypted key press from the keyboard to the enclave over USB 2.0 (480 Mbps) and the encrypted bitmap from the enclave to the display over bluetooth (3 Mbps) from these figures. This is a reasonable omission because the size of the data being transferred is small compared to the transfer speed of these two protocols. Figure 8 compares the latency between a key press and display update in Fidelius to measurements of the display latency on several commercial mobile devices [33]. Although not competitive with high-performance devices, Fidelius performs comparably or even faster than some popular commercial devices, running $2.8 \times$ faster than the latency on the most recent Kindle. Fidelius’s efficiency arises from leaving the majority of a page unmodified and only using encrypted overlays for trusted components.

3) Comparison to Prior Work:

We also compared Fidelius to Bumpy [28], which provides a trusted input functionality but no corresponding display. For this comparison, we compared Bumpy to Fidelius’s trusted path without the display component, which accounts for the vast majority of the latency. Bumpy’s source code is not available, so we compare to the reported performance values measured on an HP dc5750 with an AMD Athlon64 X2 Processor at 2.2 GHz and a Broadcom v1.2 TPM. Fidelius outperforms Bumpy’s reported performance by $13 \times$, running with a latency of 10.59ms compared to Bumpy’s 141ms. We believe this more than compensates for differences in the computing power used to evaluate the two systems. Although SGX-USB [29], whose source code is also unavailable, was developed on more recent hardware, we cannot compare directly to their reported performance results because they report generic USB data transfer rates into an enclave whereas we care about the latency of reading and processing key presses.

4) Page Load Overhead:

Figure 9 shows the page load overhead incurred by Fidelius, not including remote attestation. Fidelius’s overhead includes the time for the browser to inform the enclave of secure components and for the enclave to verify signatures on them, totaling 35.3ms. We do not report time for remote attestation, which depends on the latency to the attestation service. Fortunately, waiting for the attestation server to respond can occur in parallel with other page load operations because notifying the enclave of the existence of trusted components and verifying signatures do not involve sensitive user data. Moreover, attestation time is independent of page content, so our measurements fully capture Fidelius’s page load time increase as trusted components are added. As seen in Figure 9, adding components does not significantly increase page load time.

5) Performance Factors:

Figure 10 shows the cost of various components of our trusted display pipeline, described in Section IX-A, which makes up almost all of Fidelius’s performance overhead. The two most expensive operations that take place on the display are rendering the overlay using the Picamera module and the refresh delay we introduce in order to allow the Picamera module to process frames without forming a queue of undisplayed frames. The Picamera module and associated hardware on the Raspberry Pi 3 is not optimized to add a dynamic overlay to the camera feed. A better approach would involve directly manipulating the data from the Nuc computer’s HDMI output instead of using it to simulate a camera and placing overlays on top of the camera feed. This could easily be achieved in a production deployment of Fidelius and would dramatically reduce display latency.

We also considered how performance varies as the size of the trusted components on a page increase. Figure 11 shows that latency increases linearly with the size of the trusted component. This happens because as the size of the overlay increases, it takes longer to decrypt, decode and transfer the overlays. Taking steps to optimize the display pipeline would further mitigate latency increase. However, even under our current implementation, for two full-page width input fields (See the two extra large input field experiments in Figure 11), Fidelius has a display latency of only 227ms. Also, a tenfold increase in pixels (from one small field to two extra large fields) results in only a 31ms latency increase.

Fig. 8.

Fidelius key press to display latency compared with the screen response time on various commercial devices.

Show All

Fig. 9.

Fidelius’s impact on page load time as the number of trusted components varies. Adding components does not significantly affect load time.

Show All

Fig. 10.

Breakdown of display costs by component. Render/refresh delays are an artifact of our hardware and could be dramatically reduced.

Show All

Fig. 11.

Key press to display latency when rendering forms. Widths are fractions of the most popular screen width $(w=1366 \mathrm{px}): \mathrm{S}=\frac{1}{8} w, \mathrm{M}=\frac{1}{4} w$, $\mathrm{L}=\frac{1}{2} w, \mathrm{XL}=\frac{2}{3} w$. Increments calculated from the previous row.

Show All