Spectre haunts Intel's SGX defense: CPU flaws can be exploited to snoop on enclaves

And no, you're not supposed to be able to do that


Vid The Spectre design flaws in modern CPUs can be exploited to punch holes through the walls of Intel's SGX secure environments, researchers claim.

SGX – short for Software Guard eXtensions – is a mechanism that normal applications can use to ring-fence sections of memory that not even the operating system nor a hypervisor can access, let alone other programs.

These areas are called enclaves, and are typically used to run things like anti-piracy code without anyone spying on the decryption keys, or to run sensitive computational code on an untrusted remote machine. Attestation is used to ensure software on one box is talking to code running unaltered in an enclave on another box.

The speculative execution flaws revealed in January, however, jeopardize SGX's security boundaries, as demonstrated in the video below. As is to be expected, exploiting the chip-level vulnerabilities requires local access: a miscreant must be able to log in, or malware must be running in order to leverage the design blunder to attack an SGX enclave.

The researchers – professors Yinqian Zhang, Zhiqiang Lin, and Ten Lai, plus students Guoxing Chen, Sanchuan Chen, and Yuan Xiao – hail from Ohio State University in the USA. They've dubbed their enclave-sniffing technique SgxPectre, and noted on GitHub: “Similar to their non-SGX counterparts, SgxPectre attacks exploit the race condition between the injected, speculatively executed memory references and the latency of the branch resolution.”

In a formal paper, placed online this week, the team explained how a malicious program can influence a CPU core's branch predictor so that, when the processor is executing SGX enclave code, the contents of the secure environment's private memory and CPU registers can be observed via slight changes to the state of the cache.

Youtube Video

Enclave code built using the Intel SGX SDK, Rust-SGX, Graphene-SGX, or similar runtime libraries, are vulnerable, we're told. These development kits include code patterns that can be exploited via SgxPectre to work out what lies within an enclave's secret memory.

The steps the researchers took to snoop on forbidden SGX data were as follows:

  • Poison the branch target buffer to inject target addresses.
  • Prepare the CPU so it's more likely to speculatively execute the secret-leaking instructions in the enclave code's SDK.
  • Run the enclave code.
  • Examine the monitoring array using a “flush-reload” cache side-channel attack to drip-feed out the contents of the enclave.
dumpster fire

Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years

READ MORE

There is a fix: Intel's microcode update that introduced indirect branch restricted speculation (IBRS), which flushes the branch prediction history at the enclave boundary.

However, an evil sysadmin at, for example, a cloud provider could revert the patch, and “there is no means for the enclave code to reliably detect if IBRS is enabled.” This means enclave code running on a remote cloud machine can be snooped on by BOFHs, when the whole point of SGX is to securely run code on a faraway box.

The other microcode mitigations, Single Thread Indirect Branch Predictors (STIBP), and Indirect Branch Predictor Barrier (IBPB), have the same problem, that they mitigate speculative execution, but the enclave can't detect whether or not they're present. Thus, these defenses can be removed from a remote machine, defeating the purpose of the technology.

The Reptoline software-only mitigations don't protect SGX against SgxPectre, the researchers said. Intel is aware of their work, we're told. ®

Updated to add

Intel says it will update its SGX SDK later this month to allow software attestation to detect the presence of Spectre mitigations. Enclave code will need to be rebuilt and redeployed using the updated development kit to be protected from malicious sysadmins. A spokesperson told us:

We are aware of the research paper from Ohio State and have previously provided information and guidance online about how Intel SGX may be impacted by the side channel analysis vulnerabilities. We anticipate that the existing mitigations for Spectre and Meltdown, in conjunction with an updated software development toolkit for SGX application providers — which we plan to make available on March 16th — should be effective against the methods described in that research.

Similar topics

Broader topics


Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022