computers & security 82 (2019) 118–139 Available online at www.sciencedirect.com j o u r n a l h o m e p a g e : w w w . e l s e v i e r . c o m / l o c a t e / c o s e SGX-LEGO: Fine-grained SGX controlled-channel attack and its countermeasure ∗ Deokjin Kim a, Daehee Jang b, , Minjoon Park b, Yunjong Jeong b, ∗∗ Jonghwan Kim b, Seokjin Choi a, Brent Byunghoon Kang b, a The Affiliated Institute of ETRI, Daejeon, Republic of Korea b Korea Advanced Institute of Science and Technology, Daejeon, Republic of Korea a r t i c l e i n f o a b s t r a c t Article history: The introduction of Intel Software Guard eXtension (SGX) prompted security researchers Received 20 March 2018 to verify its effectiveness. One of the frequently discussed attacks against SGX is the side- Revised 6 November 2018 channel attack by gathering page-fault information (controlled-channel attack). Owing to Accepted 4 December 2018 SGX’s hardware features, the faulting address of the enclave memory is page-masked . Be- Available online 18 December 2018 cause of this, both the controlled-channel attack and the defenses of SGX are built under the assumption that an attacker observes the memory access attempts of the enclave code Keywords: with page-granularity . However, Van Bluck et al. recently demonstrated a controlled-channel Operating system attack technique which negates the prior assumption of page-granularity . In this paper, we Intel SGX introduce a new class of attack that stems from the reduced controlled-channel granularity, Controlled-channel i.e., the Version IDentification attack (VID). The goal of VID attack is identifying the detailed ROP code information inside SGX enclave by analyzing the fine-grained SGX controlled-channel. Page fault To protect enclave memory from such attack, we design and implement SGX-LEGO, an au- tomated system that adopts execution polymorphism to the SGX enclave code. Previous defense approaches against controlled-channel attacks can be broadly categorized into two types: (i) disclosing the fault information and (ii) rendering the fault information useless. SGX-LEGO uses the latter approach by permuting the memory access sequence at the in- struction level. In SGX-LEGO design, we leverage the concept of code-reuse-programming to overcome the implementation challenges regarding SGX page management. In the evalua- tion, we show how VID attacks the cryptographic functions, and demonstrate the efficacy of SGX-LEGO in security perspective and performance. © 2018 Elsevier Ltd. All rights reserved. topics regarding SGX is the side-channel attack. Side-channel 1. Introduction attacks against the SGX environment are usually aimed at extracting memory contents from the enclave memory. So Intel Software Guard eXtension (SGX) provides confidentiality far, various SGX side-channel attacks ( Shinde et al., 2016; and integrity to an application even if the underlying privi- Van Bulck et al., 2017b; Xu et al., 2015 ) have been introduced. leged software, such as the operating system (OS) or hyper- In particular, Xu et al. (2015) introduced an SGX side-channel visor, is untrustworthy. One of the most actively researched ∗ Co-first author. ∗∗ Corresponding author. E-mail addresses: [email protected] (D. Kim), [email protected] (D. Jang), [email protected] (M. Park), [email protected] (Y. Jeong), [email protected] (J. Kim), [email protected] (S. Choi), [email protected] (B.B. Kang). https://doi.org/10.1016/j.cose.2018.12.001 0167-4048/© 2018 Elsevier Ltd. All rights reserved. computers & security 82 (2019) 118–139 119 attack referred to as controlled-channel attack that is based on In general, observing system call information such as their the observation of page-faults. sequence and parameters can be an effective approach in So far, controlled-channel attack revealed data inside SGX order to fingerprint an application’s code identity. However, enclave assuming the code was publicly available. Revealing SGX applications typically consist of a non-enclave part and the code information inside SGX enclave was known to be in- enclave part. Codes running inside the enclave portion usually feasible once the SGX binary is first encrypted and dynami- process security-sensitive in-memory data without involving cally decrypted later inside enclave memory. For example, a system calls (e.g., cryptographic operation, image processing). previous work ( Schuster et al., 2015 ) encrypts the code section In addition, system call information cannot distinguish be- (private code which contains the main logic) and decrypts it tween different build environments (e.g., different compiler with a public code fragment (allowed to be exposed) at run- optimization level) of the same software. To mount sophisti- time using the decryption key provided by the trusted re- cated exploits (e.g., involving ROP gadgets), the attacker seeks mote party over the network. Once the static binary analysis detailed information about the target software, including its is stopped in this way, extracting the code information at run- detailed software version. In this paper, we assume the side- time is supposedly prevented because (i) SGX protects enclave channel attack and defense focused to the code page access. memory from direct read attempts, and (ii) the granularity of As memory access patterns can be observed from the out- controlled-channel attack is too big to extract the code infor- side world with finer granularity, deterministic memory ac- mation. We point out that (ii) is no longer true due to the in- cess patterns can be used as a fingerprint for identifying troduction of fine-grained controlled channel. In this paper, the exact program version inside the SGX enclave. For ex- we explore the SGX controlled-channel attack in terms of code ample, extracted memory access patterns can be compared disclosure attempt . to such patterns of previously known programs (enclave ap- The essence of the controlled-channel attack is extract- plication and non-enclave applications both). We later show ing memory access patterns using page-fault information. the experimental results for this deterministic pattern extrac- So far, researchers presumed that this memory access pat- tion and comparison . This attack becomes effective as SGX tern can only be observed with page granularity 1 which is SDK libraries (and other library codes) are increasingly shared big enough to hide the detailed execution trace. Previous SGX among developers. We provide more details about this at- side-channel attacks assume that the OS can only observe tack in Section 3 and demonstrate the experimental results the faulting sequence of distinctive pages . In other words, con- in Section 6 . secutive page faults against the same page cannot be ob- To address the threat of fine-grained controlled-channel at- served outside the enclave. This is important primitive regard- tack (including the VID attack model), we design and imple- ing controlled-channel attack. For example, an adversary can ment SGX-LEGO: a binary conversion framework that adopts monitor the code page fault and realize that the control flow execution polymorphism for SGX applications. The goal of has reached the page, but due to this primitive, the adversary SGX-LEGO is to remove discernible memory access patterns cannot tell how many instructions were executed inside such (including consecutive access to the same page) while the page. However, recent work ( Van Bulck et al., 2017b ) demon- code is running inside the enclave. Several techniques can be strated a technique that allows malicious OS to observe con- considered for removing discernible memory access patterns secutive memory access attempts against same page therefore inside the SGX enclave. For instance, heavy obfuscation (e.g., breaking this primitive. VM-based obfuscation with added randomness) can be con- The previous work ( Van Bulck et al., 2017b ) discuss the sidered as a solution. However, the SGX environment lacks ramifications of their technique in terms of SGX enclave data dynamic page permission management,3 which is essential exposure. In this paper, we extend their discussion and for implementing polymorphic binary. Polymorphic execution demonstrate that this new development 2 not only advances can also be implemented based on RWX 4 memory without the efficacy of existing controlled-channel attacks against using dynamic page management. However, the use of RWX data but also enables the attacker to reveal the code inside en- memory is discouraged for software security ( Frassetto et al., clave memory. According to our experiments, the information 2017 ) 5. inside the SGX enclave such as the code algorithm, SDK library One of the main contributions of SGX-LEGO is that it version, and their configuration is no longer safely hidden ow- achieves polymorphic execution (thus randomized memory ing to fine-grained controlled-channel attack. To study the ex- access pattern) without using dynamic page management or tent of this problem, we define the concept of Version IDen- RWX memory. To satisfy this requirement, SGX-LEGO lever- tification (VID) attack against SGX and conduct experiments ages the concept of code-reuse programming (CRP) 6 tech- on its issues. The idea of a VID attack is simple and straight- nique. In general, CRP is utilized by attackers to bypass the forward. Since the page granularity of fault monitoring is bro- DEP enforcement where RWX memory is not allowed. Here, ken, an attacker can harvest the code page access attempts inside the SGX enclave at a fine-grained level. Based on more detailed information of such memory access events, various 3 Recent generation of SGX hardware supports dynamic page information of the running code inside the SGX enclave can permission. This paper is based on SGX spec 1. 4 Readable, writable, and executable. be inferred regardless of the data they are using.