Computer scientists from UC Berkeley, Texas A&M, and semiconductor biz SK Hynix have found a way to defeat secure enclave protections by observing memory requests from a CPU to off-chip DRAM through the memory bus.
In a paper [PDF] titled, "An Off-Chip Attack on Hardware Enclaves via the Memory Bus," slated for inclusion in the 29th USENIX Security Symposium in August, 2020, researchers Dayeol Lee, Dongha Jung, Ian Fang, Chia-Che Tsai, and Raluca Ada Popa describe an off-chip attack on hardware enclaves called Membuster.
Their work focuses specifically on Intel SGX (software guard extensions), Chipzilla's chip architecture extensions for creating secure execution environments. But they say it's applicable to other hardware enclaves that do not encrypt addresses on the memory bus.
"This attack is not limited to Intel SGX; no existing TEE [Trusted Execution Environment] defends this type of attack," said Dayeol Lee, a doctoral student at UC Berkeley and one of the report's co-authors, in an email to The Register. "But there are known mitigations in various levels (hardware/software) as described in the paper. They are just expensive in terms of performance, cost, etc."
The attack is local and does not work over a network; threat scenarios include an attacker trying to obtain data from a secure enclave where there's physical access to the target device, or an attacker at a cloud service provider trying to obtain a tenant customer's data – a possibility that sounds less far-fetched given what occurred at Twitter recently.
Lee explained that hardware enclaves are not only for the cloud but are also used in end-user devices, like mobile phones. A rogue Amazon employee, he suggested, could use the technique to extract data from a tenant's application running on a hardware enclave, or an end-user could gather data from an enclaved application, to get secret data from the enclave owner, the app's developer.
Other security boffins have already devised various on-chip attacks on hardware enclaves that exploit side-channels, like a shared cache, or utilize techniques like return oriented programming. For example, earlier this year, Graz University of Technology academics disclosed an attack on Intel SGX that allows the implantation of malware.
But rather than relying on on-chip side channel information – observing the behavior of chip components used for both protected and general operations – to reveal memory addresses, the Membuster attack depends on observing an off-chip side channel, the memory address bus.
"Although the CPU encrypts the data of an enclave, all the addresses still leave the CPU unencrypted, allowing the attacker to infer program secrets from the access patterns," the paper explains. "Since off-the-shelf DRAM interfaces do not support address bus encryption, no existing hardware enclave can prevent physical attackers from observing the memory address bus."
Various academic proposals have been made recently to close off on-chip side channels, like Varys, Hyperrace, Cloak, T-SGX, and Déjà Vu. But because Membuster operates off-chip, defenses built within the silicon simply won't help.
As the boffins describe it, their attack takes advantage of operating system privileges to induce cache misses – which occur when data is not found in a cache and must be fetched from main memory, an event that imparts information useful to the attacker because the fetch becomes visible on the memory bus. The technique requires custom hardware, reverse engineering of hardware components, and an algorithm to obtain application secrets from memory bus traces.
To conduct the attack, the attacker needs to install a custom-printed circuit board called an interposer in the DIMM socket, between the DRAM module and the socket. Once the bugged system is rebooted, the eavesdropping hardware copies the command bus signals and sends them to a signal analyzer for amplification, storage, and analysis.
These DRAM traces are then used to map memory addresses and addressing functions and to translate between virtual and physical memory addresses.
To demonstrate their technique, the boffins conducted attacks on Hunspell, an open-source spell checking library widely used in applications like LibreOffice, Chrome, and Firefox, and Memcached, an in-memory key-value database. The amount of data they could recover varied with the methods applied; using a technique called cache squeezing, they were able to recover 96 per cent of a random spell-checked document and 82 per cent of the Memcached query.
Membuster has limitations, its creators concede. It's not well-suited for rapid-fire references to the same memory address because it only leaks memory access patterns from last-level cache misses. The technique is best suited "for leaking data-dependent memory loads over a large heap or array," the paper explains.
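To make the paper's point concrete, here is an added example (not code from the paper, from Intel, or from the projects named above) that simulates what an observer on the memory bus sees: a lookup whose address depends on a secret leaks that secret through the trace of fetched slots, while an oblivious linear scan, the kind of costly mitigation the researchers refer to, produces the same trace for every secret. The table, the trace structure and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TABLE_SIZE 8
#define MAX_TRACE 64

/* Constructed stand-in for a heap or array in untrusted DRAM. Each slot
   is treated as its own cache line, so each fetch appears on the bus. */
static const uint32_t table[TABLE_SIZE] = {11, 22, 33, 44, 55, 66, 77, 88};

/* Simulated memory-bus trace: the slot indices an observer would see. */
typedef struct { size_t idx[MAX_TRACE]; size_t n; } trace_t;

static void trace_record(trace_t *t, size_t slot) {
    if (t->n < MAX_TRACE) t->idx[t->n++] = slot;
}

/* Data-dependent load: only table[secret] is fetched, so the trace is the
   secret itself (the access pattern the paper recovers from Hunspell). */
uint32_t lookup_direct(size_t secret, trace_t *t) {
    trace_record(t, secret);
    return table[secret];
}

/* Oblivious load: every slot is fetched in the same order no matter what
   the secret is; a constant-time mask keeps only the wanted value. */
uint32_t lookup_oblivious(size_t secret, trace_t *t) {
    uint32_t result = 0;
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        trace_record(t, i);
        uint32_t mask = 0u - (uint32_t)(i == secret); /* all ones iff i == secret */
        result |= table[i] & mask;
    }
    return result;
}

/* 1 if two traces are identical, i.e. indistinguishable on the bus. */
int traces_equal(const trace_t *a, const trace_t *b) {
    return a->n == b->n && memcmp(a->idx, b->idx, a->n * sizeof a->idx[0]) == 0;
}

/* 1 if the observer can tell secret s1 from s2 by the trace alone. */
int leaks_secret(uint32_t (*lookup)(size_t, trace_t *), size_t s1, size_t s2) {
    trace_t t1 = {{0}, 0}, t2 = {{0}, 0};
    lookup(s1, &t1);
    lookup(s2, &t2);
    return !traces_equal(&t1, &t2);
}
```

The oblivious version costs TABLE_SIZE fetches per lookup instead of one, which is exactly the performance price the researchers say the known mitigations carry.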
The researchers conclude Membuster demonstrates that physically securing secure enclaves should be taken as seriously as software security.
Intel, alerted previously to the findings, provided a statement to The Register via email explaining that Membuster doesn't fit its threat model.
"Intel SGX operates under the assumption that the security perimeter includes only the internals of the CPU package, and in particular, leaves the DRAM untrusted," a company spokesperson said. "It is supported by an autonomous hardware unit called the Memory Encryption Engine (MEE) whose role is to help protect CPU-DRAM traffic over some memory range. We’ve previously documented that attacks requiring oblivious RAM are outside of scope of the design for the MEE. Membuster is one such attack." ®