Exploitable Hardware Features and Vulnerabilities Enhanced Side-Channel Attacks on Intel SGX and Their Countermeasures

Dissertation

Presented in Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the Graduate School of The Ohio State University

By Guoxing Chen, B.S., M.S.

Graduate Program in Computer Science and Engineering

The Ohio State University, 2019

Dissertation Committee: Dr. Ten H. Lai, Advisor; Dr. Yinqian Zhang, Co-Advisor; Dr. Radu Teodorescu; Dr. Zhiqiang Lin

© Copyright by Guoxing Chen 2019

Abstract

Intel Software Guard eXtensions (SGX) provides software applications shielded execution environments to run private code and operate on sensitive data, where both the code and data are isolated from the rest of the software systems. Despite its security promises, today's SGX design has been demonstrated to be vulnerable to various side-channel attacks, and countermeasures have been proposed to mitigate these attacks. However, current understanding of the attack vectors and the corresponding countermeasures is insufficient. This dissertation explores new attacks when the adversary could exploit hardware features, such as Hyper-Threading and speculative execution, and aims to design comprehensive defense mechanisms that could address existing threats. Specifically, we first demonstrate how to abuse Hyper-Threading to launch attacks that could bypass existing AEX-based mitigations. Then, we introduce SGXPECTRE Attacks, the SGX-variants of the recently disclosed Spectre attacks, that exploit speculative execution vulnerabilities to subvert the confidentiality of SGX enclaves. On the defense side, we first design and implement HYPERRACE, an LLVM-based tool for instrumenting SGX enclave programs to eradicate all side-channel threats due to Hyper-Threading. Then, to address the limitations of existing mitigations, we extend the idea of HYPERRACE and propose the concept of verifiable execution contracts, which request the privileged software to provide a benign execution environment for enclaves within which launching attacks becomes infeasible.

Dedication

To my father, Yizai Chen, my mother, Linyan Yang, my sisters, Fangfang Chen and Xiaofang Chen, who love and support me unconditionally to pursue my dreams.

Acknowledgments

I would like to express my heartfelt gratitude to my advisors, Dr. Ten H. Lai and Dr. Yinqian Zhang for their patient and careful supervision. Dr. Lai takes me under his wings, offering me complete freedom in pursuing my own research interests and sharing with me his infectious optimism about research and life. Dr. Zhang leads me to explore cutting-edge areas of research and teaches me patiently to tackle research problems with his extensive knowledge and expertise. His incredible energy and passion for research inspired me a lot. I feel doubly lucky to have both of them as my advisors.

I also want to thank my collaborators and mentors. In particular, I would like to thank Dr. Dong Xuan, who taught me a lot over the years. I did enjoy the moments when we worked together to build various amazing systems. Beyond research, Dr. Xuan is also a great friend, who gave me many valuable suggestions when I encountered difficulties and unexpected situations. I am also grateful to Dr. Michael Reiter, Dr. XiaoFeng Wang and Dr. Zhiqiang Lin, for their extensive advice and dedication to our collaborative research projects. I feel so honored to have worked with all of them.

Vita

  • May 14, 1988: Born, Wenzhou, China.
  • 2010: B.S. Information Engineering, Shanghai Jiao Tong University, Shanghai, China.
  • 2013: M.S. Information and Communication Engineering, Shanghai Jiao Tong University, Shanghai, China.
  • 2013-present: Ph.D. Candidate, Computer Science and Engineering, The Ohio State University, USA.

Publications

Research Publications

  • Guoxing Chen, Sanchuan Chen, Yuan Xiao, Yinqian Zhang, Zhiqiang Lin, and Ten H. Lai. SgxPectre Attacks: Stealing Intel Secrets from SGX Enclaves via Speculative Execution. In Proceedings of IEEE European Symposium on Security and Privacy (EuroS&P), 2019.
  • Guoxing Chen*, Wenhao Wang* (*co-first authors), Tianyu Chen, Sanchuan Chen, Yinqian Zhang, XiaoFeng Wang, Ten H. Lai, Dongdai Lin. Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races. In Proceedings of IEEE Symposium on Security and Privacy (S&P), 2018.
  • Guoxing Chen, Ten H. Lai, Michael Reiter, Yinqian Zhang. Differentially Private Access Patterns for Searchable Symmetric Encryption. In Proceedings of IEEE International Conference on Computer Communications (INFOCOM), 2018.
  • Wenhao Wang, Guoxing Chen, Xiaorui Pan, Yinqian Zhang, XiaoFeng Wang, Vincent Bindschaedler, Haixu Tang, Carl A. Gunter. Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX. In Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2017.
  • Gang Li, Fan Yang, Guoxing Chen, Qiang Zhai, Xinfeng Li, Jin Teng, Junda Zhu, Dong Xuan, Biao Chen, Wei Zhao. EV-Matching: Bridging Large Visual Data and Electronic Data for Efficient Surveillance. In Proceedings of IEEE International Conference on Distributed Computing Systems (ICDCS), 2017.
  • Fan Yang, Qiang Zhai, Guoxing Chen, Adam C. Champion, Junda Zhu, Dong Xuan. FlashLoc: Flashing Mobile Phones for Accurate Indoor Localization. In Proceedings of IEEE International Conference on Computer Communications (INFOCOM), 2016.
  • Jihun Hamm, Adam Champion, Guoxing Chen, Mikhail Belkin, Dong Xuan. Crowd-ML: A Privacy-Preserving Learning Framework for a Crowd of Smart Devices. In Proceedings of IEEE International Conference on Distributed Computing Systems (ICDCS), 2015.
  • Wenjie Lin, Guoxing Chen, Ten H. Lai, David Lee. Detecting the Vulnerability of Multi-Party Authorization Protocols to Name Matching Attacks. In Proceedings of the International Conference on Security and Management (SAM), 2014.
  • Guoxing Chen, Zhengzheng Xiang, Changqing Xu, Meixia Tao. On Degrees of Freedom of Cognitive Networks with User Cooperation. In IEEE Wireless Communications Letters, 2012.

Fields of Study

Major Field: Computer Science and Engineering

Table of Contents

Abstract
Dedication
Acknowledgments
Vita
List of Tables
List of Figures

1. Introduction
    1.1 Overview
    1.2 HT-SPM: Hyper-Threading Assisted Sneaky Page Monitoring Attacks
    1.3 SGXPECTRE: Speculative Execution Enabled Side-Channel Attacks
    1.4 HYPERRACE: Hyper-Threading Side-Channel Mitigation
    1.5 Securing TEEs with Verifiable Execution Contracts

2. Background and Threat Model
    2.1 Intel SGX
    2.2 Intel Processor Internals
        2.2.1 Cache and Memory Hierarchy
        2.2.2 Hardware Extensions of Intel Processors
        2.2.3 Out-of-order and Speculative Execution
    2.3 Threat Model
    2.4 Existing Threats to SGX
    2.5 Effectiveness of Existing Defenses

3. HT-SPM: Hyper-Threading Assisted Sneaky Page Monitoring Attacks
    3.1 Overview
    3.2 Design
    3.3 Evaluation

4. SGXPECTRE: Speculative Execution Enabled Side-Channel Attacks
    4.1 SGXPECTRE Attacks
        4.1.1 A Simple Example
        4.1.2 Injecting Branch Targets into Enclaves
        4.1.3 Controlling Registers in Enclaves
        4.1.4 Leaking Secrets via Side Channels
        4.1.5 Winning a Race Condition
    4.2 Attack Gadgets Identification
        4.2.1 Types of Gadgets
        4.2.2 Symbolically Executing SGX Code
        4.2.3 Gadget Identification
        4.2.4 Experimental Results of Gadget Detection
    4.3 Stealing Enclave Secrets
        4.3.1 Reading Register Values from Arbitrary Enclaves
        4.3.2 Stealing Intel Secrets
    4.4 Evaluating Existing Countermeasures
    4.5 Is SGX Broken?
        4.5.1 Intel's Secrets
        4.5.2 Defense via Centralized Attestation Services
    4.6 Summary

5. HYPERRACE: Hyper-Threading Side-Channel Mitigation
    5.1 Overview
        5.1.1 Motivation
        5.1.2 Design Summary
    5.2 Physical-core Co-Location Tests
        5.2.1 Straw-man Solutions
        5.2.2 Co-Location Test via Data Race Probability
    5.3 Security Analysis of Co-location Tests
        5.3.1 Security Model
        5.3.2 Security Analysis
        5.3.3 Empirical Security Evaluation
    5.4 Protecting Enclave Programs with HYPERRACE
        5.4.1 Safeguarding Enclave Programs
        5.4.2 Implementation of HYPERRACE
    5.5 Performance Evaluation
        5.5.1 nbench
        5.5.2 Cryptographic Libraries
    5.6 Summary

6. Securing TEEs with Verifiable Execution Contracts
    6.1 Overview
        6.1.1 Limitations of Existing Defenses
        6.1.2 Verifiable Execution Contracts as Defense
    6.2 Execution contracts
        6.2.1 Construction of Execution Contracts
        6.2.2 Security Guarantees
        6.2.3 Remaining Challenges
    6.3 Verifiability
        6.3.1 Available Signals
        6.3.2 Verifiability Models
        6.3.3 Verification of Proposed Contracts
    6.4 Implementation
        6.4.1 Enforcing Execution Contracts
        6.4.2 Verifying Execution Contracts
    6.5 Evaluation
        6.5.1 Security Evaluation
        6.5.2 Performance Evaluation
    6.6 Execution Contracts without Memory Confidentiality
        6.6.1 Threat Analysis
        6.6.2 Defeating Memory Leaks with Execution Contracts
        6.6.3 Microcode-Level Mitigation
        6.6.4 Preventing Replay Attacks
    6.7 Discussion
    6.8 Summary

7. Conclusion

Bibliography

List of Tables

2.1 MESI cache line states.
2.2 Existing threats to SGX
3.1 Configuration of the testbed, available per logical core when HyperThreading is enabled.
4.1 SGXPECTRE Attack Type-I gadgets in.
