Security

Spectre haunts Intel's SGX defense: CPU flaws can be exploited to snoop on enclaves

And no, you're not supposed to be able to do that

By Richard Chirgwin

21 SHARE

Vid The Spectre design flaws in modern CPUs can be exploited to punch holes through the walls of Intel's SGX secure environments, researchers claim.

SGX – short for Software Guard eXtensions – is a mechanism that normal applications can use to ring-fence sections of memory that not even the operating system nor a hypervisor can access, let alone other programs.

These areas are called enclaves, and are typically used to run things like anti-piracy code without anyone spying on the decryption keys, or to run sensitive computational code on an untrusted remote machine. Attestation is used to ensure software on one box is talking to code running unaltered in an enclave on another box.

The speculative execution flaws revealed in January, however, jeopardize SGX's security boundaries, as demonstrated in the video below. As is to be expected, exploiting the chip-level vulnerabilities requires local access: a miscreant must be able to log in, or malware must be running in order to leverage the design blunder to attack an SGX enclave.

The researchers – professors Yinqian Zhang, Zhiqiang Lin, and Ten Lai, plus students Guoxing Chen, Sanchuan Chen, and Yuan Xiao – hail from Ohio State University in the USA. They've dubbed their enclave-sniffing technique SgxPectre, and noted on GitHub: “Similar to their non-SGX counterparts, SgxPectre attacks exploit the race condition between the injected, speculatively executed memory references and the latency of the branch resolution.”

In a formal paper, placed online this week, the team explained how a malicious program can influence a CPU core's branch predictor so that, when the processor is executing SGX enclave code, the contents of the secure environment's private memory and CPU registers can be observed via slight changes to the state of the cache.

Enclave code built using the Intel SGX SDK, Rust-SGX, Graphene-SGX, or similar runtime libraries, are vulnerable, we're told. These development kits include code patterns that can be exploited via SgxPectre to work out what lies within an enclave's secret memory.

The steps the researchers took to snoop on forbidden SGX data were as follows:

Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years

READ MORE

There is a fix: Intel's microcode update that introduced indirect branch restricted speculation (IBRS), which flushes the branch prediction history at the enclave boundary.

However, an evil sysadmin at, for example, a cloud provider could revert the patch, and “there is no means for the enclave code to reliably detect if IBRS is enabled.” This means enclave code running on a remote cloud machine can be snooped on by BOFHs, when the whole point of SGX is to securely run code on a faraway box.

The other microcode mitigations, Single Thread Indirect Branch Predictors (STIBP), and Indirect Branch Predictor Barrier (IBPB), have the same problem, that they mitigate speculative execution, but the enclave can't detect whether or not they're present. Thus, these defenses can be removed from a remote machine, defeating the purpose of the technology.

The Reptoline software-only mitigations don't protect SGX against SgxPectre, the researchers said. Intel is aware of their work, we're told. ®

Updated to add

Intel says it will update its SGX SDK later this month to allow software attestation to detect the presence of Spectre mitigations. Enclave code will need to be rebuilt and redeployed using the updated development kit to be protected from malicious sysadmins. A spokesperson told us:

We are aware of the research paper from Ohio State and have previously provided information and guidance online about how Intel SGX may be impacted by the side channel analysis vulnerabilities. We anticipate that the existing mitigations for Spectre and Meltdown, in conjunction with an updated software development toolkit for SGX application providers — which we plan to make available on March 16th — should be effective against the methods described in that research.

Sign up to our NewsletterGet IT in your inbox daily

21 Comments

More from The Register

Ex-Intel exec Diane Bryant exits Google cloud

Could Chipzilla replace Brian with a Bryant?

Facebook, Google, Microsoft, Twitter make it easier to download your info and upload to, er, Facebook, Google, Microsoft, Twitter etc...

GDPR put a gun to their heads

Prez Trump to host chinwag with Google, Microsoft, Oracle and Qualcomm – report

And Sundar Pichai heads to grilling on Chocolate Factory's data slurping

Former NSA top hacker names the filthy four of nation-state hacking

DEF CON Carefully omits to mention the Land of the Free

It's official. Microsoft pushes Google over the Edge, shifts browser to Chromium engine

Cutting Edge technology, literally

Ahem, Amazon, Google, Microsoft... Selling face-snooping tech to the Feds is bad, mmm'kay?

Government facial surveillance harms civil liberties, advocacy groups warn

Intel hands first Optane DIMM to Google, where it'll collect dust until a supporting CPU arrives

+Comment Leaked roadmap emerges, still full of holes

GitLab's move off Azure to Google cloud totally unrelated to Microsoft's GitHub acquisition. Yep

Source shack says it's chasing reliability and Kubernetes tech

Groundhog Day comes early as Intel Display Drivers give Windows 10 the silent treatment

What's that? You've installed 1809? No, sorry, can't hear you

Google reveals Edge bug that Microsoft has had trouble fixing

Oh great - because Google's explained how to make Edge run dodgy code