A Survey of Published Attacks on Intel

A Survey of Published Attacks on Intel

1 A Survey of Published Attacks on Intel SGX Alexander Nilsson∗y, Pegah Nikbakht Bideh∗, Joakim Brorsson∗zx falexander.nilsson,pegah.nikbakht_bideh,[email protected] ∗Lund University, Department of Electrical and Information Technology, Sweden yAdvenica AB, Sweden zCombitech AB, Sweden xHyker Security AB, Sweden Abstract—Intel Software Guard Extensions (SGX) provides a Unfortunately, a relatively large number of flaws and attacks trusted execution environment (TEE) to run code and operate against SGX have been published by researchers over the last sensitive data. SGX provides runtime hardware protection where few years. both code and data are protected even if other code components are malicious. However, recently many attacks targeting SGX have been identified and introduced that can thwart the hardware A. Contribution defence provided by SGX. In this paper we present a survey of all attacks specifically targeting Intel SGX that are known In this paper, we present the first comprehensive review to the authors, to date. We categorized the attacks based on that includes all known attacks specific to SGX, including their implementation details into 7 different categories. We also controlled channel attacks, cache-attacks, speculative execu- look into the available defence mechanisms against identified tion attacks, branch prediction attacks, rogue data cache loads, attacks and categorize the available types of mitigations for each presented attack. microarchitectural data sampling and software-based fault in- jection attacks. For most of the presented attacks, there are countermeasures and mitigations that have been deployed as microcode patches by Intel or that can be employed by the I. INTRODUCTION application developer herself to make the attack more difficult (or impossible) to exploit. For all of the surveyed attacks in Trusted Execution Environments (TEEs) create isolated en- this paper, any known and relevant mitigation techniques are vironments where sensitive code can run with higher security also presented. level than the operating system. Intel Software Guard Exten- sions (SGX) is an example of a TEE. SGX utilizes enclaves to isolate execution environment from other applications, the B. Organization operating system’s kernel and the hypervisor. SGX can run In sec. II some background information on SGX is pre- arbitrary code on general hardware and is suitable for cloud sented. The known attacks with their categorizations are given environments where it isolates the running code and data from in sec. III. Then, the available mitigation techniques to catego- the untrusted environment. rized attacks are given in sec. IV. Finally, the current status of Without TEE solutions such as SGX, virtualization tech- mitigation techniques and their applicability against specific niques are the primary defence that can be used by software attacks are discussed in sec. V and the paper is concluded in to isolate code and data from other running software on a sec. VI. computer. Unfortunately virtualization techniques requires the arXiv:2006.13598v1 [cs.CR] 24 Jun 2020 application to trust the OS-kernel and hypervisor, and by II. BACKGROUND ON SGX extension the cloud provider in such a scenario. SGX is a set of extensions that aim to provide integrity and SGX is only one of a few attempts at solving the issue confidentiality for secure computations on computer systems of trusted computing in the cloud. Another solution is the where privileged software is potentially malicious. Trusted Platform Module (TPM). The TPM however requires SGX provides execution environments called enclaves to a larger chain of trust which is a drawback since it would run code and operate sensitive data, where both code and require that the user roots its trust in the both the intentions data are protected from the outside software environment. This of the implementers and in the absence of bugs in very large includes other applications running on the system and the pieces of code (often including the BIOS’, the OS kernel’s operating system’s kernel. Even the hypervisor, if it is running, and hypervisor’s code-bases). Comparatively, SGX provides a is an actor from which SGX enclaves are protected. Notably, great advantage, in that the root of trust is based only on the physical attacks are not considered in Intel’s threat model, nor application code itself and the hardware implementation of the are so-called side-channel attacks. CPU. For the rest of this section we refer to [1] without explicitly writing it out on each paragraph. We refer to it also for the This work was partially supported by the Wallenberg AI, Autonomous Systems and Software Program (WASP) funded by the Knut and Alice interested reader who wishes a more detailed explanation on Wallenberg Foundation the internals of SGX. 2 A. SGX Overview This prevents memory mapping attacks and security check The Intel x86 64-bit instruction set architecture (ISA), bypasses. While application software cannot access the mem- to which we limit the scope of this paper, defines several ory space of the enclave the reverse is not true. The enclave architectural privilege levels, each one strictly more capable have no restrictions in regards to the rest of the applications than the one below it. The least privileged is ring 3 where code and data, this facilitates easy and secure communication all user-space applications run. This is the majority of the between the two modes. software on a running system1. Ignoring ring 2 and 1, which The SGX design and implementation is fully backward are not used by any major Operating System today, the next- compatible with other ISA extensions such as VMX which most powerful privilege level is ring 0 in which the OS enables the use of this technology by cloud tenants where kernel is running. Software running in ring 0 is responsible several virtual machines are co-hosted on the same hardware. for resource allocation, device management, context switching, page swapping and so forth. B. The SGX Lifetime Intel Virtual Machine Extensions (VMX) is a set of hard- The enclave’s lifetime is managed by the (untrusted) OS- ware virtualization instructions which introduces the additional kernel, this includes handling of page swapping, interrupts privilege levels of VMX root and VMX non-root. Hypervisors and CPU core scheduling. This is facilitated by several new usually run as VMX root in ring 0 and carry the ultimate instructions introduced by the SGX extensions. Some of the responsibility of resource allocation. more important ones will be discussed in this section. This relates to Intel SGX in the following way: An SGX 1) Creation: In order to create an enclave, ring 0 first issues enclave always runs as ring 3 like any normal user-space the privileged ECREATE instruction. Enclave creation is application (either VMX root or non-root). Also like any intended as a service for applications, provided by the system normal user-space application it relies on the OS-kernel (ring software. The ECREATE instruction allocates a special page 0) software for services such as scheduling, page swapping for the enclave called the SECS, like all other enclave pages it and hardware interrupt handling. This is despite the fact that is located inside the protected PRM range. The SECS stores none of the system software (ring 3 or 0) is trusted by the meta data for the enclave and it is critical for the enclave’s enclave threat model. This has been achieved by a rather security. complex series of hardware extensions as well as the exclusion 2) Loading: After creation the SECS is still marked as of denial-of-service from the threat model. This is reasonable uninitialized. Only while the SECS is marked as such can since protection against denial of service in an untrusted EADD and EEXTEND instructions be issued for that enclave. environment would be very hard to achieve, if not down-right These instructions are also privileged and can only be issued impossible. by ring 0. EADD is used to add pages into the protected virtual The code and data for all enclaves on a running system address space of the enclave. resides in the Enclave Page Cache (EPC) inside the Processor EEXTEND is used for measuring data and code for Reserved Memory (PRM) which is a reserved subset of the software attestation. Attestation will be briefly discussed in physical address space (DRAM). It is worth noting that this sec. II-C. address range is protected by the CPU so that Direct Memory 3) Initialization: The OS-kernel in ring 0 must issue the Access (DMA) is prohibited and that not even code running EINIT instruction in order to initialize the enclave. However, in the so-called Software Management Mode2 can get access before it can do that it must first obtain an EINIT Token to its contents. In order to protect against snoops of external Structure. The procedure for this is to utilize a special Launch memory reads and writes the PRM is transparently encrypted Enclave (LE) which is signed by a special key whose corre- and integrity protected before entering/exiting the memory bus. sponding public part is hardcoded into the SGX implementa- This means that the CPU package itself is the only place where tion by Intel. enclave data can be read in its decrypted form. 4) Teardown: Ring 0 can issue the EREMOVE instruction Enclaves are designed to operate much like dynamic load- to remove enclaves. This deallocates the specified page after able modules3 which are loaded directly into the virtual it is made sure that no logical processor currently owns it. address space of user-space applications. This means that After the SECS page is deallocated the enclave is completely enclaves can be entered in much the same ways that API- destroyed. EREMOVE refuses to deallocate the SECS before calls are made into software libraries (although it is a more all other pages have been deallocated.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    11 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us