Intel shrugs off ‘new’ side-channel attacks on branch prediction units and SGX

Been there, mitigated that, got the class actions, says Chipzilla

Intel’s shrugged off two new allegations of design flaws that enable side-channel attacks.

One of the new allegations was discussed at Black Hat Asia in Singapore last week, where University of Graz PhD Students Moritz Lipp and Michael Schwarz delivered a talk titled “When good turns to evil: using Intel SGX to stealthily steal Bitcoins.”

SGX is Intel’s way of creating secure enclaves that, as advertised, offer “protected areas of execution in memory” that “protect select code and data from disclosure or modification.” SGX enclaves are supposed to be inaccessible from the OS and even survive attacks that crack the BIOS or corrupt drivers.

Lipp and Schwarz noted that SGX enclaves have been used by developers of Bitcoin wallets because they sensibly appreciate being able to store them in a secure location, given that to own a Bitcoin key is a short step away from owning Bitcoin too. But the pair delivered some bad news: an old-school “prime and probe” attack can be run against SGX enclaves.

Prime and probe sees attackers fill known RAM addresses and then watch as their victim load data into the RAM they’ve targeted. Once attackers know a RAM address has been changed, they read its contents and go about their evil business.

Which sounds like a great way to get data out of an SGX enclave except for one small problem: SGX is immune to the timing software that lets you figure out when RAM was accessed. So the pair wrote their own, helped by a DRAM side channel attack that exploits timing differences to find DRAM row borders. Once they knew the row borders, they were able to infer the rest of the RAM addresses and conduct a prime and probe that revealed recently-changed areas of memory and could then exfiltrate data.

To rub salt into the wound, their attack can run from an SGX enclave of its own.


We need to go deeper: Meltdown and Spectre flaws will force security further down the stack


Intel characterised the presentation and the paper (PDF) describing it as a known method, described here, and re-heated to consider Bitcoin.

“This presentation describes a previously known method to recover an RSA key from an enclave containing RSA crypto code that is vulnerable to a side channel exploit,” an intel spokesperson said. “This can be prevented by SGX application developers through utilization of an appropriate side channel attack-resistant crypto implementation inside the enclave.”

Intel also hosed down a new paper (PDF) titled “BranchScope: A New Side-Channel Attack on Directional Branch Predictor” that describes “a new side-channel attack where the attacker infers the direction of an arbitrary conditional branch instruction in a victim program by manipulating the shared directional branch predictor.”

The attack relies on the fact that “Modern microprocessors rely on branch prediction units (BPUs) to sustain uninterrupted instruction delivery to the execution pipeline across conditional branches. When multiple processes execute on the same physical core, they share a single BPU.”

But the authors, from a quartet of universities, wrote that “the sharing potentially opens the door tp an attacker to manipulate the shared BPU state, create a side-channel, and derive a direction or target of a branch instruction executed by a victim process. Such leakage can compromise sensitive data.”

“For example, when a branch instruction is conditioned on a bit of a secret key, the key bits are leaked directly.”

Intel’s less certain it has this one covered, but told us “We have been working with these researchers and have determined the method they describe is similar to previously known side channel exploits.”

“We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper.”

Which offers some comfort to users, but shows Intel is also a long way from escaping the mess that Meltdown and Spectre created. SGX has long been known to have certain sensitivities. Research like these two papers shows that with a little lateral thinking, Intel’s products can be challenged in many ways.

And with this class of attack now more prominent than ever before, chances of future exploits only increase – as does the chance the next big disclosure will come from a bad actor uninterested in either an academic announcement or the kind of controlled release used for Meltdown and Spectre. ®

Sponsored: Minds Mastering Machines - Call for papers now open

Biting the hand that feeds IT © 1998–2018