arXiv:1808.06478v1 [cs.CR] 20 Aug 2018 ihnan within ie unial euiygaate ihrsett tun a to respect with guarantees security quantifiable vides a oewieS osizdhwsvstn h eueSyste Secure the visiting was Hosseinzadeh S. while done was eicto fapiaincode. application of verification Additiona BIOS). and hypervisor, system, operating (e.g., estv aat h takr h rvosypooe de previously-proposed The attacker. called mechanism, the to data sensitive an of flow granular trol (branch fine-grained the leaks that attack channel a hw htSXi unrbeto vulnerable is SGX that shown re has recent However, software. fr system computations compromised hardwa sensitive tentially promising protecting a for is technology (SGX) based Extensions Guard Software Intel Abstract hog h nlv sn h eetSXSe framework. SGX-Step recent single the can using attacker the enclave if the ineffective through be to shown been has but o admzto.Orshm sisie yZgagr but Zigzagger, contr by inspired on is based scheme Our branch-shadowing, randomization. against flow defense new a pose C Concepts CCS environment. SGX SGX-Nben in of programs benchmark ten of overhead run-time the random combi code a run-time tion. and using modifications branches compile-time unconditional of of tion targets the b hide conditional and eliminate we Specifically, parameter. curity University. uainadgaaten h nert n confidentialit and integrity the hardwa guaranteeing and recent putation a secur providing is (TEE) Environment [12] Execution Trusted (SGX) based Extension Guard Software Intel Introduction 1 randomization flow control tack; Keywords countermeasures and ysis G nlv eitn osd hnes npriua,Lee maki Lee particular, a for In demonstrated channels. defenses side to proposed resistant also enclave SGX have They coul information. which cret attacks, side-channel that several demonstrated to has susceptible research is recent [11], SGX of scope the int and attestation, measurement, hardware-based enables so system malicious potentially including platform, the on aigit con hs togratce capabilities, attacker stronger these account into Taking eeautdtepromneo u prahb measuring by approach our of performance the evaluated We lhuhItlhssae htsd-hne tak r bey are attacks side-channel that stated has Intel Although ∗ .Hsenae n .Lletadcnrbtdeulyt t to equally contributed Liljestrand H. and Hosseinzadeh S. enclave ne G;sd-hne tak rnhsaoigat- branch-shadowing attack; side-channel SGX; Intel iiaigBac-hdwn tak nItlSGX Intel on Attacks Branch-Shadowing Mitigating enclave branch-shadowing • h nlv spoetdfo l te software other all from protected is enclave The . euiyadprivacy and Security Zigzagger nvriyo uk,Finland Turku, of University hhe Hosseinzadeh Shohreh nvriyo uk,Finland Turku, of University SXpoetdcd) oetal revealing potentially code), protected (SGX [email protected] il Leppänen Ville [email protected] ; tepe ohd h oto flow, control the hide to attempted , sn oto lwRandomization Flow Control using iecanlatc htallows that attack channel side branch-shadowing → iecanlanal- Side-channel ∗ sGopa Aalto at Group ms i ok which work, his ekse- leak d fdata of y l [17] al. t side a – l,SGX lly, t)con- ity) ranches epro- we bese- able mpo- om ftware search com- e egrity fense -step SGX ond pro- iza- na- ng ch re- re- ol 1 one otetre oain.TeZgagrtrampolin Zigzagger The locations. target the to — bounces — ihsnl ntuto rnlrt,tu raigteZig the breaking thus granularity, instruction single with BB.Tociia atr lo hsatc opoed 1) proceed: to attack this allow factors critical Two (BTB). defense. hsasmto ysoighwa nlv a einterrupted be can enclave an how showing by invalid assumption [21] ser this framework rapid s SGX-Step this with recent in the enclave branch However, target the jumps. the interrupt shadow cannot to precision attacker cient the that branc is different to idea back-and-forth jumps of series a initiate rmoie,ie,mnmlcd etosta odinterme hold that sections code minimal i.e., Zig trampolines, targeting branches unconditional u into and branches tional conditional all converts Zigzagger instrumentation, fgessteatce a efr,adtu ecnquantify can we thus n and the perform, limits can BTB attacker the the of guesses size of finite The locations. to possible attacker all the then forcing trampoline, we our of run-time, layout At the domize code. trampoline in-enclave bran our unconditional geting into instructions modifica branch all compile-time convert use to we Zigzagger, to Similar enclave. thr single-step can attacker the if even branch-shadowing, branch-s attacks. perform to comp ability Retpoline the affect the [14] mitigation nor based [15], patches firmware t recent experimentally neither confirmed have we However, BPU. the th exploit in branch-shadowing to similar are [6] variant SGXPectre h rnhsaoigatc,called attack, branch-shadowing the itr,wihi trdi h P’ nenlBac Target Branch internal CPU’s b the recent in stored on tar is decisions the which its history, and bases not BPU or The branches. taken indirect are of branches whether i.e., d known, branching are exact by before performance instructions improve of to pipelining used lowing is BPU The (BPU). Branch Unit CPU’s inform diction the secret abusing by the sec works attack leak any the on would Fundamentally, depends channel r flow side control code this this of information, If flow enclave. control an precise inside the ning learn to software untrusted T nr a encetdb h enclave. the by created been had whet entry wheth revealing BTB thus checks predicted, and correctly were code branches branch bra the shadow the after his immediately executes it struction, interrupts exe enclave, attacker victim The branches. the enclave’s the as entries BTB same attacker the shadow allowing 3 address, lower the instruction’s contain branch only the entries of cleared BTB not 2) are and exits; enclave enclave the the inside branches by created tries h eetSete[6 tak,adtersbeun SGX-s subsequent their and attacks, [16] Spectre recent The ooecm hscalne epeetanwdfneagainst defense new a present we challenge, this overcome To e ta.[7 lopooe otaebsddfneagain defense software-based a proposed also [17] al. et Lee rnhisrcin usd h nlv htmpt the to map that enclave the outside instructions branch at nvriy Finland University, Aalto at nvriy Finland University, Aalto [email protected] [email protected] asLiljestrand Hans nrwPaverd Andrew Zigzagger ∗ sn compile-time Using . it jumps diate uhthe ough ocreate to hadowing e.The hes. zagger’s hstar- ches ecisions T en- BTB shadow ncondi- e the her c in- nch tthey at zagger umber Buffer ranch when e of ies ation. bits 1 cutes tions pecific ates ran- uffi- Pre- iler- and hat get un- ret al- es er st limit the success probability of a branch-showing attack using the (conditional/unconditional/indirect) branch has been taken or not. size of the trampoline as a tunable security parameter. If this control flow depends on confidential information held by Our contributions are therefore: the enclave, the attacker would be able to infer this information • Experimental analysis demonstrating that the recent Spectre mit- from the leaked control flow. Because SGX does not clear the BPU igation techniques do not affect the branch-shadowing attack on enclave exit an attacker outside the enclave could probe the (Section 3). BPU to infer control flow decisions taken within. The attacker first • A new approach for defending against branch-shadowing at- statically analyzes the unencrypted enclave code and enumerates tacks, even in the presence of single-step enclave execution, us- all branches (i.e., conditional, unconditional, and indirect) together ing control flow randomization (Section 5). with their target addresses. She then creates shadow code where • An initial LLVM implementation of our solution (Section 6) and the branch-instructions and target addresses are aligned such that a quantitative evaluation of its performance and security guar- they will use the same BPU history entries. The attacker then al- antees (Section 7). lows the enclave to execute briefly before interrupting it. Finally, she enables the performance counter, in particular the Last Branch 2 Background Record (LBR), and executes the shadow code, prompting the CPU to predict shadow-branch behavior based on prior enclave execu- 2.1 Branch Prediction tion. The LBR contains information on branch prediction but can- Intel CPUs use instruction pipelining to load and execute instruc- not record in-enclave branches. However, the in-enclave branches tions in batches. This allows optimization such as parallelizing and can be inferred from the LBR entries for the branches executed af- reordering of instructions. The CPU also performs speculative exe- ter exiting the enclave. Unlike cache-based channels, this does not cution, i.e., it uses the BPU to predict which branches will be taken, require timing because the LBR directly reports prediction status. and executes them before knowing if they are taken [13]. In mod- ern microprocessors, the BPU typically consists of two main sub- systems, a BTB and a directional predictor. 2.4 Zigzagger and SGX-Step The BTB is used to predict the targets of indirect branches [10]. Lee et al. [17] also presented Zigzagger, a software-based coun- Whenever a branch is taken, a new record is created in the BTB termeasure to thwart the attack. Zigzagger removes the branches associating the branch instruction’s addresses with the target ad- from the enclave functions by obfuscating and replacing a set of dress. Upon encountering subsequent branch instructions, the BPU branch instructions with a series of indirect jumps. Instead of each checks the BTB for the branch instruction address and, if an entry conditional branching instruction, an indirect jump and a condi- exists, it predicts that the current branch instruction will behave tional move (CMOV) is used. Zigzagger assumes that an attacker in the same way. The exact details of the BTB lookup algorithms, cannot precisely time the enclave interrupts, i.e., a single probewill hashing and size are not public, but the BTB size on Intel Skylake cover over 50 instructions. It introduces a trampoline to exercise CPUs has been experimentally determined to be 4096 entries [17]. all unconditional jumps before finally jumping to the final destina- The directional predictor is used to predict whether or not a condi- tion. The attacker will typically always detect the same set of taken tional branch will be taken. It stores the pattern of the previously jumps (i.e., all the unconditional jumps) and cannot distinguish the taken branches in a Pattern History Table (PHT), based on which final jump from the decoy-jumps. it predicts whether or not the current branch will be taken [7]. However, Van Bulck et al. [21] presented SGX-Step, a framework Multiple processes executing on the same core share the same consisting of a Linux kernel driver and runtime library that ma- BPU. On one hand, this is favorable from a complexity and utiliza- nipulates the processor’s Advanced Programmable Interrupt Con- tion point of view, but on the other hand, it allows an attacker to troller (APIC) timer in order to interrupt an enclave after a single misuse the BPU across cores and infer the target and direction of instruction i.e., to single-step the enclave’s execution. They show branch instructions [7, 17]. that this makes the Zigzagger defense ineffective because the at- tacker can distinguish meaningful jumps from decoys. 2.2 Intel SGX Intel SGX is an instruction set extension that provides new instruc- 3 Spectre Mitigation Techniques tions to instantiate Trusted Execution Environments (TEEs), called enclaves, consisting of code and data. An enclave’s data can only The recent Spectre [16] and SGXPectre [6] attacks are similar to be accessed by code running within the enclave, thus protecting it branch-shadowing in that they abuse the BPU to exploit specula- from all other software on the platform, including privileged sys- tive execution. But whereas branch-shadowing aims to infer prior tem software such as the OS or hypervisor. Enclave data is auto- branching behavior, these attacks instead manipulate upcoming matically encrypted before it leaves the CPU boundary. However, branch prediction, e.g., cause speculative execution to touch other- the OS remains in control of process scheduling and memory map- wise inaccessible memory. Although not designed to do so, we sus- ping, and can therefore control the mapping of (encrypted) enclave pected the new Spectre mitigation techniques could also affect the memory pages and interrupt enclave execution. branch-shadowing attacks. However, our testing indicates that nei- ther the recent firmware patches from Intel [15], nor the compiler- 2.3 Branch-shadowing Attacks on SGX based Retpoline [14] affect the ability to perform branch-shadowing Lee et al. [17] presented a branch-shadowing attack against Intel attacks against SGX. SGX. It is a type of side-channel attack that leaks the fine-grained In particular, we confirmed that Indirect Branch Restricted Spec- control flow (i.e., at branch level) of code running inside an enclave. ulation (IBRS) — designed to prevent unprivileged code from affect- The attack can be used to infer branching decisions, i.e., whether a ing speculation in privileged execution, e.g., within the enclave — 2 has no effect on branch-shadowing. In our tests we saw no dif- ference between an updated i7-7500U CPU and non-updated ma- chines. We speculate that this is because IBRS is specifically de- signed low-privilege code from affecting high-privilege code, not the branch-shadowing scenario. The Retpoline defense replaces branch instructions with return instructions but our tests indicate that return statements affect the BTB, not only the dedicated Re- turn Stack Buffer (RSB). SGXPectre further demonstrated that Spec- tre attacks can be performed against Retpoline.
4 Attacker Model and Requirements We assume that the attacker has fine-grained control of enclave execution, i.e., can interrupt the enclave with instruction-level ac- Figure 1. System design curacy. The attacker can thus perform a branch-shadowing attack against every branch instruction. Specifically, the attacker can de- termine whether or not a branch instruction has been executed and Listing 1. Example code before instrumentation taken (i.e., whether a conditional jump fell through or not). If the i f (a !=0) { branching decisions depend on sensitive enclave data, the attacker / ∗ Block1 ∗/ can infer this data through the branch-shadowing attack. } else { This is a significantly stronger attacker capability than that as- / ∗ Block2 ∗/ sumed by previous work [17] because Van Bulck et al. [21] showed } that single-step execution of SGX enclaves is both feasible to imple- / ∗ Block3 ∗/ ment and sufficient to break existing defenses like Zigzagger [17]. We focus on branch-shadowing attacks and do not consider other side-channels, such as cache or page-fault attacks. Given these attacker capabilities, we require a defence mecha- The key insight of our approach is that, unlike Zigzagger, the nism that prevents fine-grained branch-shadowing from revealing trampolines are randomized inside the enclave at run-time. This secret-dependent control flow. Specifically, we require that branch prevents the attacker from reliably tracking their execution. Taken instructions in the instrumented code are: together, these two properties fulfill requirements R.1 and R.2, as we show in our security evaluation in Section 7. R.1 Any branch that can be directly observed through branch- shadowing reveals no secret-dependent control flow informa- tion. R.2 For any secret-dependent branches, the attacker’s probability Block 0 of success is bounded based on a security parameter k. a = 0 a! = 0
5 Proposed Approach Block 1 Block 2 Our mitigation scheme uses compile-time obfuscation and run-time randomization to hide the control flow of an enclave application. While our proposed method is inspired by and uses a similar ap- proach to Zigzagger, we assume a stronger attacker model. Specif- Block 3 ically, our approach can defend against branch-shadowing even in the presence of an attacker with single-step capabilities. Figure 2. Original control flow graph Figure 1 illustrates the high-level view of our approach. The system consists of two main components: an obfuscating compiler and a run-time randomization library. The compiler generates the Listing 1 and Figure 2 show a single if-statement and corre- obfuscated code and trampolines, and the randomization library sponding Control Flow Graph. The corresponding obfuscated CFG randomizes the trampolines at each enclave entry. This random- is show in Figure 3. Figure 4 shows the same obfuscated code with ization only affects the trampolines allowing most code to remain the branch instruction converted. The static code is produced at securely in execute-only memory. compile time and its layout is assumed to be known to the attacker. The obfuscating compiler modifies the code by converting all The trampoline is similarly produced at compile time but is then branching instructions to indirect branches. The indirect branch randomized at run-time within the enclave. We assume that the targets are then explicitly set by the instrumentation depending on attacker can observe and shadow the static code whereas the tram- the converted branch type. We use conditional moves as replace- poline is unknown. ments for conditional branches, allowing us to replicate the func- Specifically, our approach works as follows: tionality of any conditional branch without involving the BPU. The 1) All branching instructions are converted to indirect uncondi- observable control flow transitions, i.e., non trampoline branches, tional branches. A register (r15) is reserved and populated with are further organized so that they are always unconditionally exe- the original branch targets. The target addresses are taken from cuted in the same order. a jump-table that is updated during randomization. Conditional 3 Block 0 Listing 2. Randomization algorithm for (entry = 0 : jump_table_entries) { location = rand() % trampoline_size; B0J a = 0 a != 0 i f (fits(entry, location)) { mark_reserved(location , entry ); tb1 tb1S } else { Block 1 l = (l+1) % trampoline_size; } B1J move_entry(entry , location ); a != 0 } a = 0
tb2 tb2S Block 2 shadowing the trampoline branches and reliably tracking the pro- gram’s execution. B2J Static code Trampolines a! = 0 Block0: lea tb1, r15 a = 0 Block 3 lea tb1S, r14 tb1: lea tb2S, r15 cmp 0, a jmp Block1 cmov r14, r15
Figure 3. Modified control flow graph B0J: jmp r15 tb1S: lea tb2, r15 jmp B1J Block1:
7 Evaluation Benchmark Before After Performance 7.1 Security Analysis (std. dev.) (std. dev.) loss As specified in Requirements (Section 4), we must prevent an at- Numericsort 828.8(0.79) 578.8(0.21) 30% Stringsort 86.59(0.09) 67.72(0.21) 21% tacker from inferring the secret-dependent control flow by R.1) ensuring that observable branches do not leak information, and Bitfield 1.839e8 1.370e8 25% R.2) preventing the attacker from probing other branches with a (1.34e5) (3.27e5) Fpemulation 87.70(0.11) 42.73(0.02) 51% probability based on the security parameter k. To hide any data-dependant branches (R.1), we replace all con- Fourier 1.789e5 1.500e5 16% ditional branches with unconditional branches. We further setup (1.19e2) (1.50e2) Assignment 21.64 (0.03) 7.769 (0.01) 64% the control flow so that each block in the static code section is ex- ecuted in the same order and on each function call. One limitation Idea 2667(1.26) 2665(1.84) 0.1% is that we do not conceal the number of loop executions, because Huffman 2354(4.07) 860.5(0.71) 63% Neuralnet 35.16(0.03) 25.57(0.22) 27% this can be unknown compile time. While unimplemented, in some cases this could be avoided by unrolling loops. Ludecomposition 973.1(1.45) 785.0(1.41) 19% The remaining branching instructions are exclusively in the tram- Average 17.17% polines, for which the locations are randomized to defend against CPU overhead: The increase in execution time is caused by the shadowing (R.2). Without knowing the exact trampoline layout, the attacker is forced to guess or exhaustively probe all possible added trampoline jumps and the need to exhaustively execute all jump-blocks. Table 1 presents the execution time of various bench- locations. The probability of attack success (P ) is given by aack marks in the enclave, before and after obfuscating them. The de- Equation 1, where G is the number of guesses and k the number of possible trampoline locations. crease in the number of iterations per second clearly shows a non- negligible performance degradation. However, since we have ob- G fuscated the entire program in these benchmarks, these represent P = aack k (1) the worst case performance overheads. In real deployments, we The upper limit for G is the number of BTB entries, but in prac- would obfuscate only the parts of the code that depend on secret tice this is lowered by any intermediate code (e.g., system calls and enclave data. The performance loss range can be grouped as very attack setup) that pollutes the BTB. The security parameter k de- low (3-16%), middle (25-32%), and high (60% and above). This vari- termines the trampoline randomization space. Because X86 allows ation depends on how complicated the function is in terms of size unaligned execution, a single 4KB range gives us up to 4091 poten- and number of branches. The Idea benchmark, for instance, has tial trampoline locations (with a trampoline size ranging from 5 to functions with many nested conditional branches all of which re- 15 bytes). With a randomization area of 8KB and 4096 BTB entries, quire corresponding jump-blocks to be added and executed. the attacker’s success probability of shadowing a single branch has Memory overhead: As expected, our instrumentation does not an upper bound of 0.5. The probability of following the full control increase heap or stack use, but does increase the code size that flow thus drops exponentially as the number of targeted branches must be loaded within the enclave. For measuring the code size, increase. we compared the size of the enclave object files before and after instrumentation. The code size of SGX-Nbench increased 1.6 times 7.2 Performance Evaluation (from 39.6 kB to 64.6 kB) after instrumentation. We measured the performance overhead of our system in terms of CPU-utilization, memory use, and code size. Our experiments were 8 Related work conducted on an SGX-enabled Intel Skylake Core i5-6500 CPU, run- There is a growing body of research on side channel attacks target- ning at 3.20 GHz, with 7,6 GiB of RAM. The machine was run- ing Intel SGX and corresponding countermeasures. In addition to ning Ubuntu 16.04 with 64-bit Linux 4.4.0-96-generic kernel and the branch-shadowing attacks [7, 17] that we discussed in detail, the SGX SDK version 2.0. there other side channel attack targeting SGX enclaves [3, 4, 9, 22]. In order to evaluate the performance of our approach, we used In order to mitigate these side channel attacks, there have been SGX-Nbench [1] which is adapted from Nbench-byte-2.2.3, to mea- various approaches proposed. In the following, we discuss these sure the performance of 10 different benchmarks executed within countermeasures and how they differ from our work. 5 Several research works have been presented to thwart controlled- 9 Conclusion and Future work channel (page-fault) attacks. SGX-Shield [18] randomizes the mem- We propose a software-based mitigation scheme to defend against ory layout, similar to Address Space Layout Randomization (ASLR), branch-shadowing attacks, even in the presence of attackers with in order to prevent control flow hijacking and hide the enclave the ability to single-step through SGX enclaves. Our approach com- memory layout. This approach impedes run-time attacks that ex- bines compile-time control flow obfuscation with run-time code ploit memory errors or attacks that rely on a known memory lay- randomization to prevent the enclave program from leaking secret- out (e.g., controlled-channel attacks). SGX-shield uses on-load ran- dependant control flow. To evaluate the performance of our ap- domization, allowing repeated branch-shadowing attacks to grad- proach, we measured the run-time overhead of ten benchmark pro- ually reveal the randomization pattern. Our approach solves this grams of SGX-Nbench. Although we evaluated the worst-case sce- through run-time re-randomization. We further minimize the ad- nario (whole program instrumentation), our results show that, on ditional attack-surface by limiting the randomization to the tram- average, our approach results in a 1.6 times code size increase and polines, not the whole code section. less than 18% performance loss. Shinde et al. [20] propose an approach that masks page-fault As the future work, we will implement the randomizing compo- patterns by making the program’s memory access pattern deter- nent, and optimize our obfuscator to reduce overhead. In addition, ministic. More precisely, they alter the program such that it ac- we will improve our approach by integrating existing defences, in cesses all its data and code pages in the same sequence, regardless order to address other side-channel attacks. of the input. This makes the enclave application demonstrate the same page-fault pattern for any secret input variables. T-SGX [19] References is another solution proposed for mitigating page-fault attacks. It [1] 2017. Benchmark for Intel SGX. https://github.com/utds3lab/sgx-nbench. (2017). leverages Intel Transactional Synchronization Extensions (TSX) to Accessed: 2018-07-11. suppress encountered page-faults without invoking the underly- [2] F. Brasser, S. Capkun, A. Dmitrienko, T. Frassetto, K. Kostiainen, U. Müller, and A.-R. Sadeghi. 2017. DR.SGX: Hardening SGX Enclaves against Cache ing OS. T-SGX does not mitigate the branch-shadowing attack [17], Attacks with Data Location Randomization. CoRR abs/1709.09917 (2017). butitcouldbecombinedwithourapproachtoaddress bothbranch- arXiv:1709.09917 h p://arxiv.org/abs/1709.09917 [3] F. Brasser, U. Müller, A. Dmitrienko, K. Kostiainen, S. Cap- shadowing and page-fault attacks. kun, and A.-R. Sadeghi. 2017. Software Grand Exposure: SGX DR.SGX [2] is presented to defend against cache side-channel at- Cache Attacks Are Practical. In 11th USENIX Workshop on Offen- tacks. It permutes data locations, and continuously re-randomizes sive Technologies (WOOT 17). USENIX Association, Vancouver, BC. h ps://www.usenix.org/conference/woot17/workshop-program/presentation/brasser enclave data in order to hamper correlation of memory accesses. [4] J. Van Bulck, N. Weichbrodt, R. Kapitza, F. Piessens, and R. Strackx. 2017. Telling This approach prevents leakages resulting from secret-dependant Your Secrets without Page Faults: Stealthy Page Table-Based Attacks on En- data accesses. Chandra et. al [5] propose a defense against side- claved Execution. In 26th USENIX Security Symposium (USENIX Security 17). USENIX Association, Vancouver, BC, 1041–1056. channel attacks on SGX and for protecting data privacy. To do [5] Swarup Chandra, Vishal Karande, Zhiqiang Lin, Latifur Khan, Murat Kantar- this, dummy data instances are injected into the user-given data cioglu, and Bhavani Thuraisingham. 2017. Securing Data Analytics on SGX with Randomization. Springer International Publishing, Cham, 352–369. DOI: instances in order to add noise to memory access traces. More- h p://dx.doi.org/10.1007/978-3-319-66402-6_21 over, they randomize/shuffle the dummy data with the user data [6] G. Chen, S. Chen, Y. Xiao, Y. Zhang, Z. Lin, and T. H. Lai. 2018. SgxPectre Attacks: to reduce the chance of extracting sensitive information from side- Leaking Enclave Secrets via Speculative Execution. (2018). arXiv:1802.09085 h p://arxiv.org/abs/1802.09085 channels. Both approaches are similar to our approach in that they [7] D. Evtyushkin, R. Riley, N. Abu-Ghazaleh, and D. Ponomarev. 2018. Branch- employ randomization; however, the target of randomization is Scope: A New Side-Channel Attack on Directional Branch Predictor. In Pro- data and they do not defend against the branch-shadowing attack. ceedings of the 23rd International Conference on Architectural Support for Pro- gramming Languages and Operating Systems (ASPLOS ’18). ACM, 693–707. DOI: CCFIR (Compact Control Flow Integrity and Randomization) [23] h p://dx.doi.org/10.1145/3173162.3173204 is a new method proposed to impede control-flow hijacking attacks [8] O. Goldreich and R. Ostrovsky. 1996. Software Protection and Simula- tion on Oblivious RAMs. J. ACM 43, 3 (May 1996), 431–473. DOI: (e.g., returninto-libc and ROP). CCFIR controls the indirect control h p://dx.doi.org/10.1145/233551.233553 transfers and limits the possible jump location to a whitelist in [9] J. Götzfried, M. Eckert, S. Schinzel, and T. Müller. 2017. Cache At- a Springboard. Randomizing the order of the stubs in the Spring- tacks on Intel SGX. In Proceedings of the 10th European Workshop on Systems Security (EuroSec’17). ACM, Article 2, 6 pages. DOI: board adds an extra layer of protection and frustrates guessing of h p://dx.doi.org/10.1145/3065913.3065915 the function pointers and return addresses. The environment for [10] Intel. 2017. Intel 64 and IA-32 Architectures Software Developer Manuals. (2017). which CCFIR is proposed differs from ours. h ps://so ware.intel.com/sites/default/files/managed/39/c5/325462-sdm-vol-1-2abcd-3abcd.pdf [11] Intel. 2017. Intel SGX and Side-Channels. https://software.intel.com/en- Obfuscation techniques were previously used to thwart leak- us/articles/intel-sgx-and-side-channels. (2017). Accessed: 2018-07-03. age via side-channel attacks. Oblivious RAM (ORAM) [8] contin- [12] Intel. 2017. Intel Software Guard Extensions (Intel SGX). https://software.intel.com/en-us/sgx. (2017). Accessed: 2017-12-11. uously shuffles and re-encrypts the data when accessed in mem- [13] Intel. 2018. Intel 64 and IA-32 Architectures Optimization Reference Manual. ory, disk or from server, in order to conceal the program’s mem- https://software.intel.com/en-us/download/intel-64-and-ia-32-architectures- ory access patterns. It requires that the state is stored and updated optimization-reference-manual. (2018). Accessed: 2018-07-03. [14] Intel. 2018. Retpoline : A Branch Target Injection Mitigation. client-side. This makes it difficult to use ORAM for cache protec- https://software.intel.com/sites/default/files/managed/1d/46/Retpoline-A- tion purposes, as it is challenging to store the internal state of Branch-Target-Injection-Mitigation.pdf. (2018). Accessed: 2018-07-10. ORAM securely without hardware support, given the small size [15] Intel. 2018. Speculative Execution Side Channel Mitigations. https://software.intel.com/sites/default/files/managed/c5/63/336996- of cache lines. Moreover, this approach suffers from considerable Speculative-Execution-Side-Channel-Mitigations.pdf. (2018). Accessed: performance overhead. 2018-07-10. [16] P. Kocher, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Man- None of the above countermeasures focus on mitigating branch- gard, T. Prescher, M. Schwarz, and Y. Yarom. 2018. Spectre Attacks: Ex- shadowing attacks, and additionally, Lee et. al [17] have demon- ploiting Speculative Execution *. arXiv preprint (2018). arXiv:1801.01203 strated that their designed branch-shadowing attack is capable of h ps://spectrea ack.com/spectre.pdf [17] S. Lee, M.-W. Shih, P. Gera, T. Kim, H. Kim, and M. Peinado. 2017. Inferring breaking the security constructs of SGX-Shield, T-SGX, and ORAM. Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing. In 26th 6 USENIX Security Symposium, USENIX Security. 16–18. [21] J. Van Bulck, F. Piessens, and R. Strackx. 2017. SGX-Step: A Practical Attack [18] J. Seo, B. Lee, S. Kim, M.-W. Shih, I. Shin, D. Han, and T. Kim. 2017. SGX-Shield: Framework for Precise Enclave Execution Control. In Proceedings of the 2Nd Enabling address space layout randomization for SGX programs. In Proceedings Workshop on System Software for Trusted Execution (SysTEX’17). ACM, Article 4, of the 2017 Annual Network and Distributed System Security Symposium (NDSS). 6 pages. DOI:h p://dx.doi.org/10.1145/3152701.3152706 [19] M.-W. Shih, S. Lee, T. Kim, and M. Peinado. 2017. T-SGX: Eradicating controlled- [22] Y. Xu, W. Cui, and M. Peinado. 2015. Controlled-Channel Attacks: Deterministic channel attacks against enclave programs. In Proceedings of the 2017 Annual Side Channels for Untrusted Operating Systems. In 2015 IEEE Symposium on Network and Distributed System Security Symposium (NDSS). Security and Privacy. IEEE, 640–656. DOI:h p://dx.doi.org/10.1109/SP.2015.45 [20] S. Shinde, Z. L. Chua, V. Narayanan, and P. Saxena. 2015. Preventing Your [23] C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and Faults From Telling Your Secrets: Defenses Against Pigeonhole Attacks. CoRR W. Zou. 2013. Practical Control Flow Integrity and Randomization for Binary abs/1506.04832 (2015). arXiv:1506.04832 h p://arxiv.org/abs/1506.04832 Executables. In 2013 IEEE Symposium on Security and Privacy. 559–573. DOI: h p://dx.doi.org/10.1109/SP.2013.44
7