Spectre haunts Intel's SGX defense: CPU flaws can be exploited to snoop on enclaves

And no, you're not supposed to be able to do that

By Richard Chirgwin

Posted in Security, 1st March 2018 08:02 GMT

Vid The Spectre design flaws in modern CPUs can be exploited to punch holes through the walls of Intel's SGX secure environments, researchers claim.

SGX – short for Software Guard eXtensions – is a mechanism that normal applications can use to ring-fence sections of memory that not even the operating system nor a hypervisor can access, let alone other programs.

These areas are called enclaves, and are typically used to run things like anti-piracy code without anyone spying on the decryption keys, or to run sensitive computational code on an untrusted remote machine. Attestation is used to ensure software on one box is talking to code running unaltered in an enclave on another box.

The speculative execution flaws revealed in January, however, jeopardize SGX's security boundaries, as demonstrated in the video below. As is to be expected, exploiting the chip-level vulnerabilities requires local access: a miscreant must be able to log in, or malware must be running in order to leverage the design blunder to attack an SGX enclave.

The researchers – professors Yinqian Zhang, Zhiqiang Lin, and Ten Lai, plus students Guoxing Chen, Sanchuan Chen, and Yuan Xiao – hail from Ohio State University in the USA. They've dubbed their enclave-sniffing technique SgxPectre, and noted on GitHub: “Similar to their non-SGX counterparts, SgxPectre attacks exploit the race condition between the injected, speculatively executed memory references and the latency of the branch resolution.”

In a formal paper, placed online this week, the team explained how a malicious program can influence a CPU core's branch predictor so that, when the processor is executing SGX enclave code, the contents of the secure environment's private memory and CPU registers can be observed via slight changes to the state of the cache.

Enclave code built using the Intel SGX SDK, Rust-SGX, Graphene-SGX, or similar runtime libraries, are vulnerable, we're told. These development kits include code patterns that can be exploited via SgxPectre to work out what lies within an enclave's secret memory.

The steps the researchers took to snoop on forbidden SGX data were as follows:

Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years

READ MORE

There is a fix: Intel's microcode update that introduced indirect branch restricted speculation (IBRS), which flushes the branch prediction history at the enclave boundary.

However, an evil sysadmin at, for example, a cloud provider could revert the patch, and “there is no means for the enclave code to reliably detect if IBRS is enabled.” This means enclave code running on a remote cloud machine can be snooped on by BOFHs, when the whole point of SGX is to securely run code on a faraway box.

The other microcode mitigations, Single Thread Indirect Branch Predictors (STIBP), and Indirect Branch Predictor Barrier (IBPB), have the same problem, that they mitigate speculative execution, but the enclave can't detect whether or not they're present. Thus, these defenses can be removed from a remote machine, defeating the purpose of the technology.

The Reptoline software-only mitigations don't protect SGX against SgxPectre, the researchers said. Intel is aware of their work, we're told. ®

Updated to add

Intel says it will update its SGX SDK later this month to allow software attestation to detect the presence of Spectre mitigations. Enclave code will need to be rebuilt and redeployed using the updated development kit to be protected from malicious sysadmins. A spokesperson told us:

We are aware of the research paper from Ohio State and have previously provided information and guidance online about how Intel SGX may be impacted by the side channel analysis vulnerabilities. We anticipate that the existing mitigations for Spectre and Meltdown, in conjunction with an updated software development toolkit for SGX application providers — which we plan to make available on March 16th — should be effective against the methods described in that research.

Sign up to our NewsletterGet IT in your inbox daily

21 Comments

More from The Register

Penguins in a sandbox: Google nudges Linux apps toward Chrome OS

While keeping things safe

Microsoft ports its Quantum Development Kit to Linux and macOS

Now that it's not Windows-only, you can simulate a theoretical computer on a real computer

Microsoft works weekends to kill Intel's shoddy Spectre patch

Out-of-band patch may assuage user anger over Intel crudware, closed-club disclosure process

Microsoft loves Linux so much it wants someone else to build distros for its Windows Store

WSL blueprint open-sourced to tempt distro makers

Wintel part deux? Microsoft Azure first for Intel Clear Linux

Stateless Linux data center released into the wilds

SHL just got real-mode: US lawmakers demand answers on Meltdown, Spectre handling from Intel, Microsoft and pals

Pact of silence questioned

Google's not-Linux OS documentation cracks box open at last

'The Book', a first-draft programmer's Fuchsia how-to

Linux laptop-flinger says bye-bye to buggy Intel Management Engine

Says 'disabling' the ME will reduce future vulnerabilities

Google reveals Edge bug that Microsoft has had trouble fixing

Oh great - because Google's explained how to make Edge run dodgy code

Microsoft's most popular SQL Server product of all time runs on Linux

Build Yes, you read that right