DOCSLIB.ORG

Discovery and Exploitation of Memory Corruption Vulnerabilities in SGX

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Discovery and Exploitation of Memory Corruption Vulnerabilities in SGX TEEREX: Discovery and Exploitation of Memory Corruption Vulnerabilities in SGX Enclaves Tobias Cloosters, Michael Rodler, and Lucas Davi, University of Duisburg-Essen https://www.usenix.org/conference/usenixsecurity20/presentation/cloosters This paper is included in the Proceedings of the 29th USENIX Security Symposium. August 12–14, 2020 978-1-939133-17-5 Open access to the Proceedings of the 29th USENIX Security Symposium is sponsored by USENIX. TEEREX: Discovery and Exploitation of Memory Corruption Vulnerabilities in SGX Enclaves Tobias Cloosters, Michael Rodler, Lucas Davi University of Duisburg-Essen, Germany {tobias.cloosters, michael.rodler, lucas.davi}@uni-due.de Abstract allows a user to establish a secure channel directly to the SGX enclave (which potentially runs in an untrusted cloud environ- Intel’s Software Guard Extensions (SGX) introduced new ment) and perform remote attestation to ensure the integrity instructions to switch the processor to enclave mode which of the remote SGX hardware and enclave. That said, SGX is protects it from introspection. While the enclave mode a strong isolation mechanism for sensitive data (e.g., personal strongly protects the memory and the state of the proces- information or cryptographic keys) as well as security-critical sor, it cannot withstand memory corruption errors inside the code (e.g., for the sake of intellectual property protection). enclave code. In this paper, we show that the attack surface It also found its way into commercial applications, e.g., fin- of SGX enclaves provides new challenges for enclave devel- gerprint sensor software (Section5), DRM protection [20], opers as exploitable memory corruption vulnerabilities are and privacy-preserving applications like Signal [48]. As such easily introduced into enclave code. We develop TEEREX to a promising technology, SGX has been used and targeted automatically analyze enclave binary code for vulnerabilities extensively in previous research. Many projects propose to introduced at the host-to-enclave boundary by means of sym- utilize SGX for enhanced security guarantees, e.g., processing bolic execution. Our evaluation on public enclave binaries re- private data in public clouds [6, 55]. veal that many of them suffer from memory corruption errors allowing an attacker to corrupt function pointers or perform From its infancy, it was clear that SGX cannot withstand all flavors of attacks [40]. In particular, SGX cannot protect arbitrary memory writes. As we will show, TEEREX features a specifically tailored framework for SGX enclaves that al- against two classes of attacks: (1) side-channel attacks and lows simple proof-of-concept exploit construction to assess (2) memory corruption attacks inside the enclave. The former the discovered vulnerabilities. Our findings reveal vulnerabil- attack technique exploits shared resources (e.g., cache) to ities in multiple enclaves, including enclaves developed by steal secret information from within an enclave. This line Intel, Baidu, and WolfSSL, as well as biometric fingerprint of research has become a very active research field [65, 70]. software deployed on popular laptop brands. Especially micro-architectural side-channels have been shown to be effective for attacking SGX enclaves due to the shared micro-architectural state of enclaves and untrusted code [62]. 1 Introduction To our surprise, memory corruption attacks have been rarely investigated in the context of SGX. These attacks ex- Intel recently introduced a sophisticated trusted execu- ploit programming errors (e.g., a buffer overflow) allowing tion environment (TEE) called Software Guard Extensions an attacker to take over the enclave, hijacking the enclave’s (SGX) [30, 37, 50]. SGX allows application developers to control-flow, and perform code-reuse attacks such as return- create so-called enclaves to encapsulate sensitive application oriented programming (ROP) [57]. Further, the attacker can code and data inside a TEE that is completely isolated from also exploit these errors to corrupt enclave data variables and other applications, operating systems, and hypervisors. The pointers to launch data-oriented attacks such as information only trusted component in the SGX setting is the Intel CPU leaks or data-oriented programming (DOP) [33]. Prior re- itself. Most prominently, SGX features confidentiality and search studied the applicability of offensive and defensive integrity protection for any data that is written to its main techniques against memory corruption exploits. For instance, memory. In addition, SGX implements well-known Trusted Lee et al. [44] presented DARKROP, a code-reuse attack tech- Computing concepts such as data binding and sealing as well nique, which shows that the enclave code must not be known as remote attestation, i.e., ensuring the remote SGX enclave is to an attacker to successfully launch ROP attacks against the in a trustworthy state. Putting all these features together, this enclave. Biondo et al. [7] showed that it is easily possible to USENIX Association 29th USENIX Security Symposium 841 launch powerful code-reuse attacks due to particularities of Using TEEREX, we identified several vulnerabilities in the Intel SGX SDK bypassing existing ASLR defenses such publicly available enclave binaries developed at major compa- as SGX-Shield [56]. nies such as Intel, Baidu, and Synaptics (see Section5). Our However, prior research on memory corruption attacks al- framework features detailed vulnerability reports significantly ways assumed the existence of memory errors, but did not simplifying the construction of proof-of-concept exploits to investigate whether or to which extent such errors exist in assess the reported vulnerability. Even if no information on real-world enclaves. Due to the rather slow adoption of the the enclave is available, we are able to construct exploits (see SGX technology, this is not an easy question to answer. Ide- the fingerprint enclaves analyzed in Section 5.5 and 5.6). Our ally, SGX enclaves contain only a minimal amount of code, exploits hijack the enclave’s control-flow, effectively bypass- which can be manually audited or even formally verified to ing all security guarantees of the SGX technology. By per- not contain any programming mistakes. However, in our ex- forming root-cause analysis we identified five vulnerability perience, legacy code bases are often ported to SGX enclaves. classes that repeatedly occur in our dataset: Passing Data- These ports are often not revised to handle the specialties of Structures with Pointers (P1), Returning pointers to enclave SGX enclaves and inherit security vulnerabilities from the memory (P2), Pointers to Overlapping Memory (P3), NULL- legacy code base or introduce new security vulnerabilities Pointer Dereferences (P4), and Time-of-Check Time-of-Use particular to SGX enclaves. This is similar for newly written (P5). SGX code by developers not familiar with the peculiarities of Interestingly, among the enclaves we found vulnerable is SGX. one enclave written by Intel engineers and published as an One common aspect of all SGX enclaves is that they always open-source example enclave on Intel’s GitHub page [34]. link to an untrusted host application. The host application Another interesting finding is a vulnerability in a sample SGX loads an SGX enclave into its address space as it would do in enclave originally developed at Baidu with the Rust SGX SDK case of a shared library. Indeed, the Intel SGX SDK offers a (now an Apache Incubator project). Rust features memory C-function like interface allowing bidirectional communica- safety and as such has the potential to eradicate memory tion from the host application to the enclave. This interface is corruption attacks. However, the host-to-enclave boundary is highly critical as invalid input may lead to a privilege escala- inherently memory unsafe and as such, using memory-safe tion attack. As shown by prior research in the context of other programming languages in SGX does not automatically result privilege separation technologies, this is especially true when in secure enclave code. software is partitioned into privilege levels [13, 32]. That said, whenever an enclave is called, it must take special care to 2 Memory Corruption in SGX validate any input, particularly when the input contains code or data pointers. The lack of built-in memory safety in the common system- Contributions. In this paper, we demonstrate that the attack level programming languages C/C++ has led to a multi- surface of SGX enclaves provides new challenges for enclave tude of memory corruption vulnerabilities in the last three developers as exploitable memory corruption vulnerabilities decades [60]. These vulnerabilities allow an attacker to per- are easily introduced into enclave code due to a combina- form a limited or (often) arbitrary write to memory. Such tion of the unique threat model of SGX enclaves and the malicious writes manipulate (1) control-flow information on current prevalent programming model for SGX (i.e., the Intel stack and heap (e.g., return addresses and function pointers) SGX SDK). We introduce the first SGX vulnerability analysis or (2) so-called non-control data (e.g., decision-making vari- framework, called TEEREX, to automatically analyze enclave ables). In both cases, the attacker influences the program’s binary code based on symbolic execution (see Section4). We execution flow and eventually executes a malicious sequence implement vulnerability detectors in TEEREX that take all the of instructions.
Load more

Recommended publications
  • Effective Virtual CPU Configuration with QEMU and Libvirt
    Effective Virtual CPU Configuration with QEMU and libvirt Kashyap Chamarthy <[email protected]> Open Source Summit Edinburgh, 2018 1 / 38 Timeline of recent CPU flaws, 2018 (a) Jan 03 • Spectre v1: Bounds Check Bypass Jan 03 • Spectre v2: Branch Target Injection Jan 03 • Meltdown: Rogue Data Cache Load May 21 • Spectre-NG: Speculative Store Bypass Jun 21 • TLBleed: Side-channel attack over shared TLBs 2 / 38 Timeline of recent CPU flaws, 2018 (b) Jun 29 • NetSpectre: Side-channel attack over local network Jul 10 • Spectre-NG: Bounds Check Bypass Store Aug 14 • L1TF: "L1 Terminal Fault" ... • ? 3 / 38 Related talks in the ‘References’ section Out of scope: Internals of various side-channel attacks How to exploit Meltdown & Spectre variants Details of performance implications What this talk is not about 4 / 38 Related talks in the ‘References’ section What this talk is not about Out of scope: Internals of various side-channel attacks How to exploit Meltdown & Spectre variants Details of performance implications 4 / 38 What this talk is not about Out of scope: Internals of various side-channel attacks How to exploit Meltdown & Spectre variants Details of performance implications Related talks in the ‘References’ section 4 / 38 OpenStack, et al. libguestfs Virt Driver (guestfish) libvirtd QMP QMP QEMU QEMU VM1 VM2 Custom Disk1 Disk2 Appliance ioctl() KVM-based virtualization components Linux with KVM 5 / 38 OpenStack, et al. libguestfs Virt Driver (guestfish) libvirtd QMP QMP Custom Appliance KVM-based virtualization components QEMU QEMU VM1 VM2 Disk1 Disk2 ioctl() Linux with KVM 5 / 38 OpenStack, et al. libguestfs Virt Driver (guestfish) Custom Appliance KVM-based virtualization components libvirtd QMP QMP QEMU QEMU VM1 VM2 Disk1 Disk2 ioctl() Linux with KVM 5 / 38 libguestfs (guestfish) Custom Appliance KVM-based virtualization components OpenStack, et al.
    [Show full text]
  • Undocumented CPU Behavior: Analyzing Undocumented Opcodes on Intel X86-64 Catherine Easdon Why Investigate Undocumented Behavior? the “Golden Screwdriver” Approach
    Undocumented CPU Behavior: Analyzing Undocumented Opcodes on Intel x86-64 Catherine Easdon Why investigate undocumented behavior? The “golden screwdriver” approach ● Intel have confirmed they add undocumented features to general-release chips for key customers "As far as the etching goes, we have done different things for different customers, and we have put different things into the silicon, such as adding instructions or pins or signals for logic for them. The difference is that it goes into all of the silicon for that product. And so the way that you do it is somebody gives you a feature, and they say, 'Hey, can you get this into the product?' You can't do something that takes up a huge amount of die, but you can do an instruction, you can do a signal, you can do a number of things that are logic-related." ~ Jason Waxman, Intel Cloud Infrastructure Group (Source: http://www.theregister.co.uk/2013/05/20/intel_chip_customization/ ) Poor documentation ● Intel has a long history of withholding information from their manuals (Source: http://datasheets.chipdb.org/Intel/x86/Pentium/24143004.PDF) Poor documentation ● Intel has a long history of withholding information from their manuals (Source: https://stackoverflow.com/questions/14413839/what-are-the-exhaustion-characteristics-of-rdrand-on-ivy-bridge) Poor documentation ● Even when the manuals don’t withhold information, they are often misleading or inconsistent Section 22.15, Intel Developer Manual Vol. 3: Section 6.15 (#UD exception): Poor documentation leads to vulnerabilities ● In operating systems ○ POP SS/MOV SS (May 2018) ■ Developer confusion over #DB handling ■ Load + execute unsigned kernel code on Windows ■ Also affected: Linux, MacOS, FreeBSD..
    [Show full text]
  • Intel® 64 and IA-32 Architectures Software Developer's Manual, Volume 3C: System Programming Guide, Part 3
    Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume 3C: System Programming Guide, Part 3 NOTE: The Intel® 64 and IA-32 Architectures Software Developer's Manual consists of seven volumes: Basic Architecture, Order Number 253665; Instruction Set Reference A-M, Order Number 253666; Instruction Set Reference N-Z, Order Number 253667; Instruction Set Reference, Order Number 326018; System Programming Guide, Part 1, Order Number 253668; System Programming Guide, Part 2, Order Number 253669; System Programming Guide, Part 3, Order Number 326019. Refer to all seven volumes when evaluating your design needs. Order Number: 326019-049US February 2014 INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDI- TIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRAN- TY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. A "Mission Critical Application" is any application in which failure of the Intel Product could result, directly or indirectly, in personal injury or death. SHOULD YOU PURCHASE OR USE INTEL'S PRODUCTS FOR ANY SUCH MISSION CRITICAL APPLICATION, YOU SHALL INDEMNIFY AND HOLD INTEL AND ITS SUBSIDIARIES, SUBCONTRACTORS AND AFFILIATES, AND THE DIRECTORS, OFFICERS, AND EMPLOYEES OF EACH, HARMLESS AGAINST ALL CLAIMS COSTS, DAMAGES, AND EXPENSES AND REASONABLE ATTORNEYS' FEES ARISING OUT OF, DIRECTLY OR INDIRECTLY, ANY CLAIM OF PRODUCT LIABILITY, PERSONAL INJURY, OR DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION, WHETHER OR NOT INTEL OR ITS SUBCONTRACTOR WAS NEGLIGENT IN THE DESIGN, MANUFACTURE, OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS PARTS.
    [Show full text]
  • The Microarchitecture of the Pentium 4 Processor
    The Microarchitecture of the Pentium 4 Processor Glenn Hinton, Desktop Platforms Group, Intel Corp. Dave Sager, Desktop Platforms Group, Intel Corp. Mike Upton, Desktop Platforms Group, Intel Corp. Darrell Boggs, Desktop Platforms Group, Intel Corp. Doug Carmean, Desktop Platforms Group, Intel Corp. Alan Kyker, Desktop Platforms Group, Intel Corp. Patrice Roussel, Desktop Platforms Group, Intel Corp. Index words: Pentium® 4 processor, NetBurst™ microarchitecture, Trace Cache, double-pumped ALU, deep pipelining provides an in-depth examination of the features and ABSTRACT functions of the Intel NetBurst microarchitecture. This paper describes the Intel® NetBurst™ ® The Pentium 4 processor is designed to deliver microarchitecture of Intel’s new flagship Pentium 4 performance across applications where end users can truly processor. This microarchitecture is the basis of a new appreciate and experience its performance. For example, family of processors from Intel starting with the Pentium it allows a much better user experience in areas such as 4 processor. The Pentium 4 processor provides a Internet audio and streaming video, image processing, substantial performance gain for many key application video content creation, speech recognition, 3D areas where the end user can truly appreciate the applications and games, multi-media, and multi-tasking difference. user environments. The Pentium 4 processor enables real- In this paper we describe the main features and functions time MPEG2 video encoding and near real-time MPEG4 of the NetBurst microarchitecture. We present the front- encoding, allowing efficient video editing and video end of the machine, including its new form of instruction conferencing. It delivers world-class performance on 3D cache called the Execution Trace Cache.
    [Show full text]
  • FRVT General Evaluation Specifications
    Face Recognition Vendor Test Ongoing General Evaluation Specifications VERSION 1.1 Patrick Grother Mei Ngan Kayee Hanaoka Information Access Division Information Technology Laboratory Contact via [email protected] September 9, 2020 1 FRVT Ongoing 2 Revision History 3 4 Date Version Description April 1, 2019 1.0 Initial document September 9, 2020 1.1 Update operating system to CentOS 8.2 and compiler to g++ 8.3.1 Adjust the legal similarity score range to [0, 1000000] 5 NIST General Evaluation Specifications Page 1 of 9 FRVT Ongoing 6 Table of Contents 7 1. Audience ............................................................................................................................................................................ 3 8 2. Rules for Participation........................................................................................................................................................ 3 9 2.1. Participation Agreement .......................................................................................................................................... 3 10 2.2. Validation ................................................................................................................................................................. 3 11 2.3. Number and Schedule of Submissions ..................................................................................................................... 3 12 3. Reporting...........................................................................................................................................................................
    [Show full text]
  • SGX Secure Enclaves in Practice Security and Crypto Review
    SGX Secure Enclaves in Practice Security and Crypto Review JP Aumasson, Luis Merino This talk ● First SGX review from real hardware and SDK ● Revealing undocumented parts of SGX ● Tool and application releases Props Victor Costan (MIT) Shay Gueron (Intel) Simon Johnson (Intel) Samuel Neves (Uni Coimbra) Joanna Rutkowska (Invisible Things Lab) Arrigo Triulzi Dan Zimmerman (Intel) Kudelski Security for supporting this research Agenda .theory What's SGX, how secure is it? .practice Developing for SGX on Windows and Linux .theory Cryptography schemes and implementations .practice Our projects: reencryption, metadata extraction What's SGX, how secure is it? New instruction set in Skylake Intel CPUs since autumn 2015 SGX as a reverse sandbox Protects enclaves of code/data from ● Operating System, or hypervisor ● BIOS, firmware, drivers ● System Management Mode (SMM) ○ aka ring -2 ○ Software “between BIOS and OS” ● Intel Management Engine (ME) ○ aka ring -3 ○ “CPU in the CPU” ● By extension, any remote attack = reverse sandbox Simplified workflow 1. Write enclave program (no secrets) 2. Get it attested (signed, bound to a CPU) 3. Provision secrets, from a remote client 4. Run enclave program in the CPU 5. Get the result, and a proof that it's the result of the intended computation Example: make reverse engineer impossible 1. Enclave generates a key pair a. Seals the private key b. Shares the public key with the authenticated client 2. Client sends code encrypted with the enclave's public key 3. CPU decrypts the code and executes it A trusted
    [Show full text]
  • Multiprocessing Contents
    Multiprocessing Contents 1 Multiprocessing 1 1.1 Pre-history .............................................. 1 1.2 Key topics ............................................... 1 1.2.1 Processor symmetry ...................................... 1 1.2.2 Instruction and data streams ................................. 1 1.2.3 Processor coupling ...................................... 2 1.2.4 Multiprocessor Communication Architecture ......................... 2 1.3 Flynn’s taxonomy ........................................... 2 1.3.1 SISD multiprocessing ..................................... 2 1.3.2 SIMD multiprocessing .................................... 2 1.3.3 MISD multiprocessing .................................... 3 1.3.4 MIMD multiprocessing .................................... 3 1.4 See also ................................................ 3 1.5 References ............................................... 3 2 Computer multitasking 5 2.1 Multiprogramming .......................................... 5 2.2 Cooperative multitasking ....................................... 6 2.3 Preemptive multitasking ....................................... 6 2.4 Real time ............................................... 7 2.5 Multithreading ............................................ 7 2.6 Memory protection .......................................... 7 2.7 Memory swapping .......................................... 7 2.8 Programming ............................................. 7 2.9 See also ................................................ 8 2.10 References .............................................
    [Show full text]
  • Beyond MOV ADD XOR – the Unusual and Unexpected
    Beyond MOV ADD XOR the unusual and unexpected in x86 Mateusz "j00ru" Jurczyk, Gynvael Coldwind CONFidence 2013, Kraków Who • Mateusz Jurczyk o Information Security Engineer @ Google o http://j00ru.vexillium.org/ o @j00ru • Gynvael Coldwind o Information Security Engineer @ Google o http://gynvael.coldwind.pl/ o @gynvael Agenda • Getting you up to speed with new x86 research. • Highlighting interesting facts and tricks. • Both x86 and x86-64 discussed. Security relevance • Local vulnerabilities in CPU ↔ OS integration. • Subtle CPU-specific information disclosure. • Exploit mitigations on CPU level. • Loosely related considerations and quirks. x86 - introduction not required • Intel first ships 8086 in 1978 o 16-bit extension of the 8-bit 8085. • Only 80386 and later are used today. o first shipped in 1985 o fully 32-bit architecture o designed with security in mind . code and i/o privilege levels . memory protection . segmentation x86 - produced by... Intel, AMD, VIA - yeah, we all know these. • Chips and Technologies - left market after failed 386 compatible chip failed to boot the Windows operating system. • NEC - sold early Intel architecture compatibles such as NEC V20 and NEC V30; product line transitioned to NEC internal architecture http://www.cpu-collection.de/ x86 - other manufacturers Eastern Bloc KM1810BM86 (USSR) http://www.cpu-collection.de/ x86 - other manufacturers Transmeta, Rise Technology, IDT, National Semiconductor, Cyrix, NexGen, Chips and Technologies, IBM, UMC, DM&P Electronics, ZF Micro, Zet IA-32, RDC Semiconductors, Nvidia, ALi, SiS, GlobalFoundries, TSMC, Fujitsu, SGS-Thomson, Texas Instruments, ... (via Wikipedia) At first, a simple architecture... At first, a simple architecture... x86 bursted with new functions • No eXecute bit (W^X, DEP) o completely redefined exploit development, together with ASLR • Supervisor Mode Execution Prevention • RDRAND instruction o cryptographically secure prng • Related: TPM, VT-d, IOMMU Overall..
    [Show full text]
  • The Intel X86 Microarchitectures Map Version 2.0
    The Intel x86 Microarchitectures Map Version 2.0 P6 (1995, 0.50 to 0.35 μm) 8086 (1978, 3 µm) 80386 (1985, 1.5 to 1 µm) P5 (1993, 0.80 to 0.35 μm) NetBurst (2000 , 180 to 130 nm) Skylake (2015, 14 nm) Alternative Names: i686 Series: Alternative Names: iAPX 386, 386, i386 Alternative Names: Pentium, 80586, 586, i586 Alternative Names: Pentium 4, Pentium IV, P4 Alternative Names: SKL (Desktop and Mobile), SKX (Server) Series: Pentium Pro (used in desktops and servers) • 16-bit data bus: 8086 (iAPX Series: Series: Series: Series: • Variant: Klamath (1997, 0.35 μm) 86) • Desktop/Server: i386DX Desktop/Server: P5, P54C • Desktop: Willamette (180 nm) • Desktop: Desktop 6th Generation Core i5 (Skylake-S and Skylake-H) • Alternative Names: Pentium II, PII • 8-bit data bus: 8088 (iAPX • Desktop lower-performance: i386SX Desktop/Server higher-performance: P54CQS, P54CS • Desktop higher-performance: Northwood Pentium 4 (130 nm), Northwood B Pentium 4 HT (130 nm), • Desktop higher-performance: Desktop 6th Generation Core i7 (Skylake-S and Skylake-H), Desktop 7th Generation Core i7 X (Skylake-X), • Series: Klamath (used in desktops) 88) • Mobile: i386SL, 80376, i386EX, Mobile: P54C, P54LM Northwood C Pentium 4 HT (130 nm), Gallatin (Pentium 4 Extreme Edition 130 nm) Desktop 7th Generation Core i9 X (Skylake-X), Desktop 9th Generation Core i7 X (Skylake-X), Desktop 9th Generation Core i9 X (Skylake-X) • Variant: Deschutes (1998, 0.25 to 0.18 μm) i386CXSA, i386SXSA, i386CXSB Compatibility: Pentium OverDrive • Desktop lower-performance: Willamette-128
    [Show full text]
  • A Survey of Published Attacks on Intel
    1 A Survey of Published Attacks on Intel SGX Alexander Nilsson∗y, Pegah Nikbakht Bideh∗, Joakim Brorsson∗zx falexander.nilsson,pegah.nikbakht_bideh,[email protected] ∗Lund University, Department of Electrical and Information Technology, Sweden yAdvenica AB, Sweden zCombitech AB, Sweden xHyker Security AB, Sweden Abstract—Intel Software Guard Extensions (SGX) provides a Unfortunately, a relatively large number of flaws and attacks trusted execution environment (TEE) to run code and operate against SGX have been published by researchers over the last sensitive data. SGX provides runtime hardware protection where few years. both code and data are protected even if other code components are malicious. However, recently many attacks targeting SGX have been identified and introduced that can thwart the hardware A. Contribution defence provided by SGX. In this paper we present a survey of all attacks specifically targeting Intel SGX that are known In this paper, we present the first comprehensive review to the authors, to date. We categorized the attacks based on that includes all known attacks specific to SGX, including their implementation details into 7 different categories. We also controlled channel attacks, cache-attacks, speculative execu- look into the available defence mechanisms against identified tion attacks, branch prediction attacks, rogue data cache loads, attacks and categorize the available types of mitigations for each presented attack. microarchitectural data sampling and software-based fault in- jection attacks. For most of the presented attacks, there are countermeasures and mitigations that have been deployed as microcode patches by Intel or that can be employed by the I. INTRODUCTION application developer herself to make the attack more difficult (or impossible) to exploit.
    [Show full text]
  • A Performance Analysis Tool for Intel SGX Enclaves
    sgx-perf: A Performance Analysis Tool for Intel SGX Enclaves Nico Weichbrodt Pierre-Louis Aublin Rüdiger Kapitza IBR, TU Braunschweig LSDS, Imperial College London IBR, TU Braunschweig Germany United Kingdom Germany [email protected] [email protected] [email protected] ABSTRACT the provider or need to refrain from offloading their workloads Novel trusted execution technologies such as Intel’s Software Guard to the cloud. With the advent of Intel’s Software Guard Exten- Extensions (SGX) are considered a cure to many security risks in sions (SGX)[14, 28], the situation is about to change as this novel clouds. This is achieved by offering trusted execution contexts, so trusted execution technology enables confidentiality and integrity called enclaves, that enable confidentiality and integrity protection protection of code and data – even from privileged software and of code and data even from privileged software and physical attacks. physical attacks. Accordingly, researchers from academia and in- To utilise this new abstraction, Intel offers a dedicated Software dustry alike recently published research works in rapid succession Development Kit (SDK). While it is already used to build numerous to secure applications in clouds [2, 5, 33], enable secure network- applications, understanding the performance implications of SGX ing [9, 11, 34, 39] and fortify local applications [22, 23, 35]. and the offered programming support is still in its infancy. This Core to all these works is the use of SGX provided enclaves, inevitably leads to time-consuming trial-and-error testing and poses which build small, isolated application compartments designed to the risk of poor performance.
    [Show full text]
  • Intel® Software Guard Extensions (Intel® SGX)
    Intel® Software Guard Extensions (Intel® SGX) Developer Guide Intel(R) Software Guard Extensions Developer Guide Legal Information No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. Intel disclaims all express and implied warranties, including without limitation, the implied war- ranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade. This document contains information on products, services and/or processes in development. All information provided here is subject to change without notice. Contact your Intel rep- resentative to obtain the latest forecast, schedule, specifications and roadmaps. The products and services described may contain defects or errors known as errata which may cause deviations from published specifications. Current characterized errata are available on request. Intel technologies features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at Intel.com, or from the OEM or retailer. Copies of documents which have an order number and are referenced in this document may be obtained by calling 1-800-548-4725 or by visiting www.intel.com/design/literature.htm. Intel, the Intel logo, Xeon, and Xeon Phi are trademarks of Intel Corporation in the U.S. and/or other countries. Optimization Notice Intel's compilers may or may not optimize to the same degree for non-Intel microprocessors for optimizations that are not unique to Intel microprocessors. These optimizations include SSE2, SSE3, and SSSE3 instruction sets and other optimizations.
    [Show full text]