You've heard of HTTPS. Now get a load of HTTPA: Web services in verified remote trusted environments?

Intel duo propose fresh use of, yes, SGX but also Arm's TrustZone and similar TEEs


Two Intel staffers believe web services can be made more secure by not only carrying out computations in remote trusted execution environments, or TEEs, but by also verifying for clients that this was done so.

Software engineer Gordon King, and Hans Wang, a research scientist at Intel Labs, proposed the protocol to make that possible. In a paper distributed this month through ArXiv, they describe a HTTP protocol called HTTPS Attestable (HTTPA) to enhance online security with remote attestation – a way for apps to obtain an assurance that data will be handled by trusted software in secure execution environments.

Essentially, it's hoped that applications can verify through certificates and cryptography that code running in a server-side TEE is precisely the code expected to be run, unmodified by a rogue administrator, hijacked OS or hypervisor, network intruder, or malware. Ideally, the TEE should prevent or detect miscreants from snooping on or altering the code and data.

The threat model is fragile with lots of requirements and caveats. If it all falls into place, "HTTPA provides an assurance to confirm the client’s workloads [will] run inside the expected enclave with expected verified software," as the duo put it in their paper [PDF].

"With HTTPA, we can provide security assurances to establish trustworthiness with web services and ensure integrity of request handling for web users," King and Wang continued. "We expect that remote attestation will become a new trend adopted to reduce web services security risks, and propose the HTTPA protocol to unify the web attestation and accessing services in a standard and efficient way."

Software services, the boffins contend, can be hijacked by network intruders, for example, and offer no real assurances about the integrity of computing workloads or communications channels. HTTPS alone, they say, isn't up to the challenge, but HTTPA perhaps can do better.

HTTPA relies on a TEE and Intel just happens to offer such a thing: Software Guard Extensions, or SGX.

SGX can be used by applications to form what's called enclaves in memory in which computations on sensitive information can occur in private from all other software thanks to automatic in-memory encryption of data and code as well as other protections. It should be possible to cryptographically check that all is as expected within an enclave; essentially, SGX provides the ingredients for the pair's proposed remote attestation system.

The neutral zone

In an email to The Register, King and Wang said while their proposal focused on how SGX could be used for more secure web interaction, the protocol accommodates TEEs from other vendors, such as Arm's TrustZone.

"The protocol is neutral and open to all the industrial participants," they wrote.

TEEs have been utilized to protect web services before, say King and Wang, but they've been deployed to address specific concerns. "We propose a general solution to standardize attestation over HTTPS and establish multiple trusted connections to protect and manage requested data for selected HTTP domains," they say.

HTTPA assumes the client is trusted and the server is not. So the client can use HTTPA to obtain a guarantee the server can be trusted to handle the requested computation within a TEE. HTTPA, however, doesn't extend beyond the TEE to vouch for the trustworthiness of the server overall.

Put another way, it takes the security benefits of TLS – certificate-based server authentication, integrity guarantees, forward secrecy and session replay prevention – and extends protection to data at rest and during computation.

HTTPA requires extending the HTTPS handshake process, the networking back-and-forth by which the client and server talk to one another. The protocol calls for three sets of HTTP methods: HTTP preflight request and response; HTTP attest request and response; and HTTP trusted session request and response.

"Preflight request checks if the attestation protocol is accepted by the server for using the 'ATTEST' method and headers," the authors explain in their paper. "It is an 'OPTIONS request,' using one HTTP request headers: Access-Control-Request-Method."

The HTTP attest and HTTP trusted session methods that follow are new; HTTP preflight is an existing mechanism used with Cross-origin resource sharing (CORS) for checking to see whether a server can handle a specific protocol.

A two-way street

For scenarios where two-way attestation is necessary, the authors describe a variant called Mutual HTTPA, or mHTTPA. It's a bit more complicated however as both the client and the server need to include two pre-session secrets for deriving session keys in their own TEEs.

King and Wang said, "We believe that [HTTPA] could be potentially beneficial to some industries, eg., fintech and healthcare."

Asked whether the protocol might interfere with services that have stringent bandwidth or latency requirements, they replied, "Further exploration would be needed to confirm any performance impact; however, we do not anticipate any significant performance change from other HTTPS protocols."

As to whether or when HTTPA might actually be adopted, that's not clear. Asked whether there's any plan to submit the spec as an RFC or to undertake some other form of standardization, they said, "We have some ongoing discussions that need to be reviewed by [Intel's] legal team before [disclosure]." ®


Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021