Introduced in 2015 with sixth-generation Intel Core processors, SGX is present in Intel's Core and Xeon CPUs and is also supported by various other hardware. It is an architecture extension comprising central processing unit (CPU) instructions meant to protect data from being leaked or modified. It does so by letting applications allocate protected memory regions, called enclaves, whose contents (e.g., passwords, user data) are encrypted and to which access is restricted. This protection is asymmetric: the operating system and other user applications cannot access enclave data, but an enclave can access the virtual address space of its host process outside the enclave.
According to the researchers, attackers could use an enclave as a place to hide malware. For example, a piece of ransomware's encryption keys can be hidden from memory inspection, making the infection harder to remediate. An enclave could also be used to carry out unauthorized actions such as sending phishing emails and launching distributed denial-of-service (DDoS) attacks. Attackers could hide malicious code such as a downloader within a secure enclave, where it is out of reach of anti-malware solutions and can download and run an arbitrary encrypted payload.
The proof of concept (PoC) relies on deceiving a user into installing an application that embeds an enclave containing malicious code. SGX can mitigate this risk by launching only enclaves signed with keys on Intel's own whitelist, which are typically issued to application developers. Nonetheless, attackers could misuse keys stolen from trusted developers or could obtain keys of their own. The researchers noted that the upcoming SGX version 2 would allow more flexibility in the process of obtaining signing keys.
The researchers also showed how the protection boundary of an enclave could be circumvented by employing return-oriented programming (ROP). ROP is a technique that reuses code already present in the system, chaining together short fragments of existing code (gadgets) to perform the attacker's desired functions; here it lets a malicious enclave sidestep SGX's restrictions, since code within an enclave cannot use privileged instructions or system calls. To achieve this, they described how to build read and write primitives (short code sequences) by misusing Intel Transactional Synchronization Extensions (TSX), an extension originally designed to accelerate transactional execution in multithreaded applications.
The primitives allow attackers to arbitrarily read and write the entire mapped virtual memory space outside the enclave without raising any CPU faults, at a speed of 48.5 GBps on an i7-6700K CPU. The researchers named this technique SGX-ROP. Using SGX-ROP, their PoC was able to bypass other security mechanisms meant to mitigate risks such as memory leaks and buffer overflows. As the researchers showed in their PoC, the current Intel SGX software development kit (SDK) code contains enough ROP gadgets to enable the attack. The attack would be completely stealthy. For one thing, no CPU faults are raised. For another, even CPU performance counters are not updated (with current microcode) when instructions are executed within an enclave. Also, ROP code carrying an arbitrary malicious payload can be run once on request, and all traces can be removed during the payload's exit sequence.
SGX-ROP is a method for making the detectable parts of malicious code and data stealthy against traditional detection methods. As such, it is more practical for hiding than for carrying out the actual attack. Of course, there will be an initial infection that can be detected, namely the application carrying the SGX enclave code. But the next stages of infection (the payload with its malicious code and data) will probably be impossible to detect.
The research was disclosed to Intel, which recommended the use of trusted programs, files, applications, and plug-ins.
With the disclosure of the likes of Meltdown, Spectre, and Foreshadow, the exploitation of security or design flaws in hardware has become a complicated challenge for users and enterprises. Updating a vulnerable component, for instance, could take a long time. Updating firmware or hardware becomes even more difficult when doing so could disrupt business operations. While there is no silver bullet against threats that use attack surfaces such as hardware-based flaws, a proactive, defense-in-depth approach to detecting them is important. It gives security and IT teams greater visibility into the activities on their online perimeter, which in turn helps them remediate threats more effectively.
With insights by Vít Šembera (Trend Micro Threat Researcher)