If there's somethin' stored in a secure enclave, who ya gonna call? Membuster!

Boffins ride the memory bus past Intel's SGX to your data

Computer scientists from UC Berkeley, Texas A&M, and semiconductor biz SK Hynix have found a way to defeat secure enclave protections by observing memory requests from a CPU to off-chip DRAM through the memory bus.

In a paper titled "An Off-Chip Attack on Hardware Enclaves via the Memory Bus," slated for inclusion in the 29th USENIX Security Symposium in August 2020, researchers Dayeol Lee, Dongha Jung, Ian Fang, Chia-Che Tsai, and Raluca Ada Popa describe an off-chip attack on hardware enclaves called Membuster.

Their work focuses specifically on Intel SGX (software guard extensions), Chipzilla's chip architecture extensions for creating secure execution environments. But they say it's applicable to other hardware enclaves that do not encrypt addresses on the memory bus.

"This attack is not limited to Intel SGX; no existing TEE [Trusted Execution Environment] defends this type of attack," said Dayeol Lee, a doctoral student at UC Berkeley and one of the report's co-authors, in an email to The Register. "But there are known mitigations in various levels (hardware/software) as described in the paper. They are just expensive in terms of performance, cost, etc."

The attack is local and does not work over a network; threat scenarios include an attacker trying to obtain data from a secure enclave where there's physical access to the target device, or an attacker at a cloud service provider trying to obtain a tenant customer's data – a possibility that sounds less far-fetched given what occurred at Twitter recently.

Lee explained that hardware enclaves are not only for the cloud but are also used in end-user devices, like mobile phones. A rogue Amazon employee, he suggested, could use the technique to extract data from a tenant's application running on a hardware enclave, or an end-user could gather data from an enclaved application, to get secret data from the enclave owner, the app's developer.

Other security boffins have already devised various on-chip attacks on hardware enclaves that exploit side-channels, like a shared cache, or utilize techniques like return oriented programming. For example, earlier this year, Graz University of Technology academics disclosed an attack on Intel SGX that allows the implantation of malware.

But rather than relying on on-chip side channel information – observing the behavior of chip components used for both protected and general operations – to reveal memory addresses, the Membuster attack depends on observing an off-chip side channel, the memory address bus.

"Although the CPU encrypts the data of an enclave, all the addresses still leave the CPU unencrypted, allowing the attacker to infer program secrets from the access patterns," the paper explains. "Since off-the-shelf DRAM interfaces do not support address bus encryption, no existing hardware enclave can prevent physical attackers from observing the memory address bus."

Various academic proposals have been made recently to close off on-chip side channels, like Varys, Hyperrace, Cloak, T-SGX, and Déjà Vu. But because Membuster operates off-chip, defenses built into the silicon simply won't help.

As the boffins describe it, their attack takes advantage of operating system privileges to induce cache misses – which is when data is not found in a cache and must be sought elsewhere or in main memory, an occurrence that imparts information useful to the attacker. The technique requires custom hardware, reverse engineering of hardware components and an algorithm to obtain application secrets from memory bus traces.

To conduct the attack, the attacker needs to install a custom printed circuit board called an interposer on the DIMM socket between the DRAM and the socket. Once the bugged system is rebooted, the eavesdropping hardware copies the command bus signals and sends them to a signal analyzer for amplification, storage, and analysis.

These DRAM traces are then used to map memory addresses and addressing functions and to translate between virtual and physical memory addresses.

To demonstrate their technique, the boffins conducted attacks on Hunspell, an open-source spell checking library widely used in applications like LibreOffice, Chrome, and Firefox, and Memcached, an in-memory key-value database. The amount of data they could recover varied with the methods applied; using a technique called cache squeezing, they were able to recover 96 per cent of a random spell-checked document and 82 per cent of the Memcached query.

Membuster has limitations, its creators concede. It's not well-suited for rapid-fire references to the same memory address because it only leaks memory access patterns from last-level cache misses. The technique is best suited "for leaking data-dependent memory loads over a large heap or array," the paper explains.
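To make "data-dependent memory loads" concrete, here is an added example (not code from the paper or from Intel) that models the line-granular view a bus observer has of a table lookup, next to a linear-scan lookup whose trace does not depend on the secret. The 64-byte line size, the table contents, the cache model in `load` and all function names are assumptions made for illustration; the linear scan is a simple data-oblivious technique chosen here, not a mitigation the article names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define LINE 64u   /* cache-line size in bytes (assumed) */
#define N    1024u /* 4-byte entries, so the table spans 64 lines */
/* Constructed model of the observer's view: line offsets of DRAM reads. */
typedef struct { uint32_t line[N]; size_t len; } trace_t;
typedef uint32_t (*lookup_fn)(uint32_t secret, trace_t *t);
static uint32_t table[N];

static uint32_t load(uint32_t i, trace_t *t) {
    uint32_t ln = (uint32_t)(i * sizeof table[0] / LINE);
    /* back-to-back reads of one line hit the cache and stay off the bus */
    if (t->len == 0 || t->line[t->len - 1] != ln) t->line[t->len++] = ln;
    return table[i];
}

/* Data-dependent load: the line on the bus is a function of the secret. */
uint32_t lookup_direct(uint32_t secret, trace_t *t) { return load(secret % N, t); }

/* Oblivious load: read every entry, keep one with a branch-free mask. */
uint32_t lookup_oblivious(uint32_t secret, trace_t *t) {
    uint32_t out = 0, want = secret % N;
    for (uint32_t i = 0; i < N; i++) {
        uint32_t hit = (uint32_t)(((uint64_t)(i ^ want) - 1) >> 63); /* 1 iff i == want */
        out |= load(i, t) & (0u - hit);
    }
    return out;
}

/* Run f on a freshly filled table; the trace comes back through t. */
uint32_t run(lookup_fn f, uint32_t secret, trace_t *t) {
    for (uint32_t i = 0; i < N; i++) table[i] = i * 2654435761u;
    t->len = 0;
    return f(secret, t);
}

/* 1 if the traces for two secrets can be told apart, else 0. */
int distinguishable(lookup_fn f, uint32_t s1, uint32_t s2) {
    static trace_t a, b;
    run(f, s1, &a); run(f, s2, &b);
    return a.len != b.len || memcmp(a.line, b.line, a.len * sizeof a.line[0]) != 0;
}

int main(void) {
    printf("direct, far apart: %d\n", distinguishable(lookup_direct, 5, 900));
    printf("direct, same line: %d\n", distinguishable(lookup_direct, 5, 6));
    printf("oblivious:         %d\n", distinguishable(lookup_oblivious, 5, 900));
    return 0;
}
```

The direct lookup reads one line and the oblivious one reads all 64, which is the kind of performance cost Lee refers to; secrets that fall in the same line stay indistinguishable even for the direct lookup because the trace is line-granular.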

The researchers conclude Membuster demonstrates that physically securing secure enclaves should be taken as seriously as software security.

Intel, alerted previously to the findings, provided a statement to The Register via email explaining that Membuster doesn't fit its threat model.

"Intel SGX operates under the assumption that the security perimeter includes only the internals of the CPU package, and in particular, leaves the DRAM untrusted," a company spokesperson said. "It is supported by an autonomous hardware unit called the Memory Encryption Engine (MEE) whose role is to help protect CPU-DRAM traffic over some memory range. We’ve previously documented that attacks requiring oblivious RAM are outside of scope of the design for the MEE. Membuster is one such attack." ®
