Intel SGX 'safe' room easily trashed by white-hat hacking marauders: Enclave malware demo'd

Handy for smuggling expensive zero-days onto targets and executing them, without antivirus realizing


Updated Security researchers have found that Intel's Software Guard Extensions (SGX) don't live up to their name. In fact, we're told, they can be used to hide pieces of malware that silently masquerade as normal applications.

SGX is a set of processor instructions and features for creating a secure enclave in which code can be executed without scrutiny or interference from any other software – not even the operating system nor hypervisor can look in. It's aimed at processing financial transactions, performing anti-piracy decryption of protected Hollywood movies, and similar cryptography in private away from prying eyes.

That's the theory. However, boffins – some of whom helped expose the Spectre-Meltdown processor flaws last year – think they have cracked open some of the security defenses, by leveraging the age-old technique of return-oriented programming.

Return-oriented programming (ROP) involves overwriting a thread's stack to, rather than have the application work as normal, make it carry out malicious operations instead. This is done by stringing together clumps of unrelated memory-resident instructions, called gadgets, to manipulate the operation of the software. It's a bit like carjacking someone using the tire iron in the vehicle's trunk (or boot for our UK readers).

You change the return addresses in the stack so that the code jumps not back to where it should be after a routine, but to small sections of other code, followed by another section, then another, building up a patchwork of instructions that tell the program to do something else than it should, like leak or change data.

In a paper scheduled for publication on Tuesday, "Practical Enclave Malware with Intel SGX," brainiacs at the Graz University of Technology in Austria describe a technique to bypass various security technologies, such as ASLR, and execute arbitrary code that can steal information or conduct denial-of-service attacks, all via SGX and ROP.

Enclaves have to talk to the outside world via their assigned host application, yet the team's SGX-ROP approach allows the enclave code to meddle with the underlying system by hijacking the host process using ROP.

In effect, malware in the enclave is hidden from view, out of sight of antivirus and other security packages, but it can potentially do what it likes to the environment around it, via its hijacked host, when activated. This also means the enclave can keep its vulnerability exploit code secret by encrypting it and privately decrypting and executing it as necessary, when it gets a signal to attack.

"We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits," explain co-authors Michael Schwarz, Samuel Weiser, and Daniel Gruss in their paper.

Homer Simpson

Spectre haunts Intel's SGX defense: CPU flaws can be exploited to snoop on enclaves

READ MORE

The trio say that security experts tend to discount attacks involving enclaves because these locked-down code spaces are more constrained than normal system processes – enclaves can only issue system calls, to interact with the operating system, through their host application, and they can't handle I/O operations directly. That should stop bad code within an enclave from reaching the outside world.

Nonetheless, the Graz group found a viable way to bypass Intel's enclave launch process and obtain signing keys, particularly now that SGXv2 provides a way to remove Intel as an intermediary for enclave signing. This means a malicious enclave can work around its restrictions – no syscalls nor knowledge of host application memory – to run arbitrary code as the host process, using ROP, and parade around the computer rather than staying confined to its shoe box.

It is, admittedly, a convoluted technique – compared to classic Windows escalation-of-privilege attacks – yet it's a fascinating approach.

"The enclave has to run locally, but the trigger signal to run the exploit comes from a remote adversary in the scenarios we describe," said Gruss in an email to The Register.

"So you can deploy your exploit (maybe a super expensive zero-day exploit) on all devices via an enclave and no one could tell. Then send the trigger signal when you like and to whom you like and run the exploit."

"However, it could also be an enclave with a bug which can be exploited remotely," Gruss added. "That would have the same result. Arbitrary code execution in an enclave means untraceable arbitrary code execution on the device. An attacker can do anything then."

Attackers TAP resources

The attack relies on the Transactional Synchronization eXtensions (TSX) in modern Intel processors, in conjunction with a novel technique called TSX-based Address Probing (TAP). TAP involves using TSX to determine if a virtual address is accessible by the current process, the researchers explain. And this exploration of memory is invisible to the operating system because that's how secure enclaves are designed.

"We have been working with TSX since quite a while," said Gruss. "It has several interesting properties that we've exploited in the past years. If the processor has TSX support (many don't have TSX support) then the attack can be run just like that, no special preparations required."

He added that the TSX primitive is also interesting in contexts unrelated to SGX because it can be used an an "egg hunter" for scanning the address space for injected shell code (in a system supporting TSX).

TAP's goal is to find code that resides in memory – code gadgets – so they can be chained together for an ROP-style code-reuse attack. But to conduct an SGX-ROP attack, the attacker has to have access to writeable host memory, to store the fake stack frame and attack payload. Since the secure enclave can't allocate host application memory, TAP is used to spot accessible memory.

Woman telling you to be quiet

Boffin suggests Trappist monk approach for Spectre-Meltdown-grade processor flaws, other security holes: Don't say anything public – zip it

READ MORE

To pull that off, the researchers developed a fault-resistant write primitive, Checking Located Addresses for Writability (CLAW). To determine whether a memory page is writable, CLAW wraps the write instruction for the target page in a TSX transaction and aborts it after the write. The writability of the page can then be deduced by the return value of the transaction.

"With SGX-ROP, we bypassed ASLR, stack canaries, and address sanitizer, to run ROP gadgets in the host context enabling practical enclave malware," the researchers claim, noting that the entire exploit process can be accomplished in about 20 seconds.

Gruss said he and his colleagues are looking into techniques like sandboxing to make SGX better. But as with the Spectre and Meltdown fixes, the cost could be paid in processor speed.

"We are working on mitigations, some of which trade performance for security on commodity systems, others require hardware changes but do not cost any performance," he said.

The Register asked Intel if it was aware of the researchers' work prior to publication. An Intel spokesperson didn't have an immediate response, but we'll let you know if the company has something to add. ®

Updated to add

In a statement emailed to The Register, an Intel spokesperson said:

Intel is aware of this research which is based upon assumptions that are outside the threat model for Intel SGX. The value of Intel SGX is to execute code in a protected enclave; however, Intel SGX does not guarantee that the code executed in the enclave is from a trusted source. In all cases, we recommend utilizing programs, files, apps, and plugins from trusted sources. Protecting customers continues to be a critical priority for us and we would like to thank Michael Schwarz, Samuel Weiser, and Daniel Grus for their ongoing research and for working with Intel on coordinated vulnerability disclosure.

Similar topics


Other stories you might like

  • Everything you wanted to know about modern network congestion control but were perhaps too afraid to ask

    In which a little unfairness can be quite beneficial

    Systems Approach It’s hard not to be amazed by the amount of active research on congestion control over the past 30-plus years. From theory to practice, and with more than its fair share of flame wars, the question of how to manage congestion in the network is a technical challenge that resists an optimal solution while offering countless options for incremental improvement.

    This seems like a good time to take stock of where we are, and ask ourselves what might happen next.

    Congestion control is fundamentally an issue of resource allocation — trying to meet the competing demands that applications have for resources (in a network, these are primarily link bandwidth and router buffers), which ultimately reduces to deciding when to say no and to whom. The best framing of the problem I know traces back to a paper [PDF] by Frank Kelly in 1997, when he characterized congestion control as “a distributed algorithm to share network resources among competing sources, where the goal is to choose source rate so as to maximize aggregate source utility subject to capacity constraints.”

    Continue reading
  • How business makes streaming faster and cheaper with CDN and HESP support

    Ensure a high video streaming transmission rate

    Paid Post Here is everything about how the HESP integration helps CDN and the streaming platform by G-Core Labs ensure a high video streaming transmission rate for e-sports and gaming, efficient scalability for e-learning and telemedicine and high quality and minimum latencies for online streams, media and TV broadcasters.

    HESP (High Efficiency Stream Protocol) is a brand new adaptive video streaming protocol. It allows delivery of content with latencies of up to 2 seconds without compromising video quality and broadcasting stability. Unlike comparable solutions, this protocol requires less bandwidth for streaming, which allows businesses to save a lot of money on delivery of content to a large audience.

    Since HESP is based on HTTP, it is suitable for video transmission over CDNs. G-Core Labs was among the world’s first companies to have embedded this protocol in its CDN. With 120 points of presence across 5 continents and over 6,000 peer-to-peer partners, this allows a service provider to deliver videos to millions of viewers, to any devices, anywhere in the world without compromising even 8K video quality. And all this comes at a minimum streaming cost.

    Continue reading
  • Cisco deprecates Microsoft management integrations for UCS servers

    Working on Azure integration – but not there yet

    Cisco has deprecated support for some third-party management integrations for its UCS servers, and emerged unable to play nice with Microsoft's most recent offerings.

    Late last week the server contender slipped out an end-of-life notice [PDF] for integrations with Microsoft System Center's Configuration Manager, Operations Manager, and Virtual Machine Manager. Support for plugins to VMware vCenter Orchestrator and vRealize Orchestrator have also been taken out behind an empty rack with a shotgun.

    The Register inquired about the deprecations, and has good news and bad news.

    Continue reading
  • Protonmail celebrates Swiss court victory exempting it from telco data retention laws

    Doesn't stop local courts' surveillance orders, though

    Encrypted email provider Protonmail has hailed a recent Swiss legal ruling as a "victory for privacy," after winning a lawsuit that sees it exempted from data retention laws in the mountainous realm.

    Referring to a previous ruling that exempted instant messaging services from data capture and storage laws, the Protonmail team said this week: "Together, these two rulings are a victory for privacy in Switzerland as many Swiss companies are now exempted from handing over certain user information in response to Swiss legal orders."

    Switzerland's Federal Administrative Court ruled on October 22 that email providers in Switzerland are not considered telecommunications providers under Swiss law, thereby removing them from the scope of data retention requirements imposed on telcos.

    Continue reading
  • Japan picks AWS and Google for first gov cloud push

    Local players passed over for Digital Agency’s first project

    Japan's Digital Agency has picked Amazon Web Services and Google Cloud for its first big reform push.

    The Agency started operations in September 2021, years after efforts like the UK's Government Digital Service (GDS) or Australia's Digital Transformation Agency (DTA). The body was a signature reform initiated by Prime Minister Yoshihide Suga, who spent his year-long stint in the top job trying to curb Japan's reliance on paper documents, manual processes, and faxes. Japan's many government agencies also operated their websites independently of each other, most with their own design and interface.

    The new Agency therefore has a remit to "cut across all ministries" and "provide services that are driven not toward ministries, agency, laws, or systems, but toward users and to improve user-experience".

    Continue reading
  • Singaporean minister touts internet 'kill switch' that finds kids reading net nasties and cuts 'em off ASAP

    Fancies a real-time crowdsourced content rating scheme too

    A Minister in the Singapore government has suggested the creation of an internet kill switch that would prevent minors from reading questionable material online – perhaps using ratings of content created in real time by crowdsourced contributors.

    "The post-COVID world will bring new challenges globally, including to us in the security arena," said Minister for Defence Dr Ng Eng Hen at a Tuesday ceremony to award the city-state's 2021 Defense Technology Prize.

    "For operations, the SAF (Singapore Armed Force) has to expand its capabilities in the digital domain. Whether for administrative or operational purposes, I think that we will need to leverage technology to the maximum," he declared.

    Continue reading
  • China Telecom booted out of USA as Feds worry it could disrupt or spy on local networks

    FCC urges more action against Huawei and DJI, too

    The US Federal Communications Commission (FCC) has terminated China Telecom's authority to provide communications services in the USA.

    In its announcement of the termination, the government agency explained the decision is necessary because the national security environment has changed in the years since 2002. That was when China Telecom was first allowed to operate in the USA.

    The FCC now believes – partly based on classified advice from national security agencies – that China Telecom can "access, store, disrupt, and/or misroute US communications, which in turn allow them to engage in espionage and other harmful activities against the United States." And because China Telecom is state-controlled, China's government can compel the carrier to act as it sees fit, without judicial review or oversight.

    Continue reading
  • Qualcomm gets news of modest Snapdragons out of the way before next month's big chip launch

    A little more oomph coming for cheaper smartphones

    Budget smartphones these days do OK with 5G though lack performance in other areas, and so Qualcomm has promised some system-on-chips to give these modest devices some more oomph.

    The processors, announced on Tuesday for entry and mid-range 5G smartphones, also clears the deck for big chip announcements Qualcomm is expected to make at its Snapdragon Tech Summit starting at the end of next month.

    The 6nm Snapdragon 695 5G, unveiled this week, is a successor to the 8nm 690 5G used in the OnePlus Nord N10 5G, which is priced under $300, and various other handhelds.

    Continue reading

Biting the hand that feeds IT © 1998–2021