4 min read
SGX allows programs to establish protected enclaves for code and data, where none of the programs on the system can spy on it or tamper with it. The contents of an enclave are encrypted when written to RAM and decrypted upon being read. The processor does not allow code from outside the enclave to access the enclave’s memory.
Researchers have used this model to understand what happens if the code inside the enclave itself is malicious. The SGX is designed in such a way that antimalware software will not be able to detect the malware, thus making these enclaves the perfect spot for planting malicious code. The researchers used an SGX-ROP attack that depicts the above, by including the the Transactional Synchronization eXtension(TSK)-based memory disclosure primitive as part of the process. The TSK was also a part of the Meltdown attacks launched on Intel processors.
How does the attack take place?
According to the researchers, since code in an enclave is quite restricted, it cannot make operating system calls, open files, read data from disk, or write to disk. All of these attacks have to be performed from outside the enclave and only the encryption operation would occur within the enclave. That being said, the enclave code has the ability to read and write anywhere in the unencrypted process memory. To work with this model the TSX was used which provides a constrained form of transactional memory where a thread can modify different memory locations and then publish those modifications in one single atomic update.
The enclave makes use of this functionality and scans the memory of the host process to find the components for its ROP payload and somewhere to write that payload. It then redirects the processor to run that payload which can mark a section of memory as being executable, for the malware to put its own set of supporting functions someplace it can access. What’s more? The critical encryption will take place inside the enclave, making it impossible to extract the encryption key or even analyze the malware to find out what algorithm it’s using to encrypt the data.
Another thing to note is that malware isn’t constrained by the enclave and it can subvert the host application to access operating system APIs, making way for attacks such as ransomware-style encryption of a victim’s files.
This is what an Intel spokesperson has replied to ZDNet in an email: “Intel is aware of this research which is based upon assumptions that are outside the threat model for Intel® SGX. The value of Intel SGX is to execute code in a protected enclave; however, Intel SGX does not guarantee that the code executed in the enclave is from a trusted source. In all cases, we recommend utilizing programs, files, apps, and plugins from trusted sources. Protecting customers continues to be a critical priority for us, and we would like to thank Michael Schwarz, Samuel Weiser, and Daniel Gruss for their ongoing research and for working with Intel on coordinated vulnerability disclosure”.
The research paper outlines 4 simple steps required to perform the attack:
- The malicious enclave scans the host application for usable ROP gadgets using the read primitive
- The enclave identifies writable memory caves through the write primitive and injects the arbitrary malicious payload into those caves.
- The enclave uses the gadgets identified in step 1 to construct a ROP chain and injects it into the application stack.
- The enclave returns execution to the host application. Once the application hits the ROP chain on the stack, the actual exploitation starts.
The ROP chain runs with host privileges and then the attacker can issue arbitrary system calls to hack into the system.
You can head over to the Research paper to know more about the methodology followed by the researchers for this attack.