PixelVault

Using GPUs for securing cryptographic operations

Giorgos Vasiliadis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

29 Citations (Scopus)

Abstract

Protecting the confidentiality of cryptographic keys in the event of partial or full system compromise is crucial for containing the impact of attacks. The Heartbleed vulnerability of April 2014, which allowed the remote leakage of secret keys from HTTPS web servers, is an indicative example. In this paper we present PixelVault, a system for keeping cryptographic keys and carrying out cryptographic operations exclusively on the GPU, which allows it to protect secret keys from leakage even in the event of full system compromise. This is possible by exposing secret keys only in GPU registers, keeping PixelVault's critical code in the GPU instruction cache, and preventing any access to both of them from the host. Due to the non-preemptive execution mode of the GPU, an adversary that has full control of the host cannot tamper with PixelVault's GPU code, but only terminate it, in which case all sensitive data is lost. We have implemented a PixelVault-enabled version of the OpenSSL library that allows the protection of existing applications with minimal modifications. Based on the results of our evaluation, PixelVault not only provides secure key storage using commodity hardware, but also significantly speeds up the processing throughput of cryptographic operations for server applications. Copyright is held by the owner/author(s).

Original language: English
Title of host publication: Proceedings of the ACM Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 1131-1142
Number of pages: 12
ISBN (Electronic): 9781450329576, 9781450331470, 9781450331500, 9781450331517, 9781450331524, 9781450331531, 9781450331548, 9781450331555, 9781450332392
DOI: https://doi.org/10.1145/2660267.2660316
Publication status: Published - 3 Nov 2014
Externally published: Yes
Event: 21st ACM Conference on Computer and Communications Security, CCS 2014 - Scottsdale, United States
Duration: 3 Nov 2014 to 7 Nov 2014

Other

Other: 21st ACM Conference on Computer and Communications Security, CCS 2014
Country: United States
City: Scottsdale
Period: 3/11/14 to 7/11/14

Fingerprint

Servers
Throughput
Graphics processing unit
Hardware
Processing

Keywords

  • GPU
  • Isolation
  • SSL/TLS
  • Tamper resistance
  • Trusted execution

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Vasiliadis, G., Athanasopoulos, E., Polychronakis, M., & Ioannidis, S. (2014). PixelVault: Using GPUs for securing cryptographic operations. In Proceedings of the ACM Conference on Computer and Communications Security (pp. 1131-1142). Association for Computing Machinery. https://doi.org/10.1145/2660267.2660316
