Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves - PowerPoint PPT Presentation

Hardware Enclave Attacks CS261

Threat Model of Hardware Enclaves Intel Attestation Process Service Untrusted (IAS) Enclave Enclave Code Trusted Process Process Enclave Other Data Enclave OS and/or Hypervisor Off-chip devices 2

Attacks on Hardware Enclaves • Attacks on Intel services: • Traditional server-based attacks (not interesting) • Attacks on enclave code: • Exploiting software vulnerabilities • Interesting API- based attacks: Iago attacks (ASPLOS’13) • Attacks on Intel CPUs: • Cache timing side channels, Spectre / Meltdown (Foreshadow) • Controlled-channel attacks 3

Enclave Page Permissions Physical 1. EPCM Process Memory EPC VA V RWX SECS Enclave Enclave Page Permission = EPCM[RWX] AND PT[RWX] 2. Page Table VA RWX PA 4

Page Faults in Enclaves Physical Process Memory AEP: EPC ERESUME Enclave Page Fault X = *(addr); RAX: 00000000 RBX: 00000000 … RIP: AEP (Async Exit Pointer) Fault Addr: addr & ~(FFF) Leaking the higher 52 bits (i.e., 64 -12) of page fault address OS Kernel 5

Target Code • Input-dependent branches if (secret & 0x1) process_one(); Page A else process_zero(); Page B • Input-dependent data access data_array[secret << 12] = 1; Page X secret = 0 Page X + 1 secret = 1 Page X + 2 secret = 2 6

Distinguishing Same Page Addresses f1() { … Page A f2(); f1() … f3(); Page C Page B … f2() f3() } Page D f2() { f3() { f4(), f5() … … f4(); f5(); … … } } f4() { f5() { … … } } 7

Distinguishing Same Page Addresses f1() { … Page A f2(); f1() … f3(); Page C Page B … f2() f3() } Page D f2() { f3() { f4(), f5() … … f4(); f5(); Page addresses: … … } } A f4() { f5() { … … } } 8

Distinguishing Same Page Addresses f1() { … Page A f2(); f1() … f3(); Page C Page B … f2() f3() } Page D f2() { f3() { f4(), f5() … … f4(); f5(); Page addresses: … … } } A B f4() { f5() { … … } } 9

Distinguishing Same Page Addresses f1() { … Page A f2(); f1() … f3(); Page C Page B … f2() f3() } Page D f2() { f3() { f4(), f5() … … f4(); f5(); Page addresses: … … } } A B D f4() { f5() { … … } } 10

Distinguishing Same Page Addresses f1() { … Page A f2(); f1() … f3(); Page C Page B … f2() f3() } Page D f2() { f3() { f4(), f5() … … f4(); f5(); Page addresses: … … } } A B D B A f4() { f5() { … … } } 11

Distinguishing Same Page Addresses f1() { … Page A f2(); f1() … f3(); Page C Page B … f2() f3() } Page D f2() { f3() { f4(), f5() … … f4(); f5(); Page addresses: … … } } A B D B A C f4() { f5() { … … } } 12

Distinguishing Same Page Addresses f1() { … Page A f2(); f1() … f3(); Page C Page B … f2() f3() } Page D f2() { f3() { f4(), f5() … … f4(); f5(); Page addresses: … … } } A B D B A C D f4() { f5() { f5() f4() … … } } 13

Update the Page Table f1() { … Page Fault Page A f2(); R f1() … f3(); Page C Page B … R R f2() f3() } Page D f2() { f3() { R f4(), f5() … … f4(); f5(); Page addresses: … … } } A f4() { f5() { … … } } 14

Update the Page Table f1() { … Page A f2(); Mark executable R X f1() … to continue f3(); Page C Page B … R R f2() f3() } Page D f2() { f3() { R f4(), f5() … … f4(); f5(); Page addresses: … … } } A B f4() { f5() { … … } } 15

Update the Page Table f1() { … Page A f2(); R f1() … f3(); Page C Page B … R R X f2() f3() } Page D f2() { f3() { R f4(), f5() … … f4(); f5(); Page addresses: … … } } A B D f4() { f5() { … … } } 16

Example: Hunspell Checker • Phase 1: inserts dictionary into hash buckets • Phase 2: looks up words from a secret document 17

Hunspell Insertion Word Pages word1 A, D word2 B, D • Hash::add_word(std::string word) { word3 A, E struct hentry *hp = malloc(…); word4 B, D, F int i = hash(word); Page(tableptr[i]) struct hentry *dp = tableptr[i]; while (dp->next != NULL) { Page(node 1) Page(node 2) dp = dp->next; … } strcpy(hp->word, word); Page(new node) dp->next = hp; } 18

Hunspell Lookup Word Pages word1 A, D word2 B, D word3 A, E word4 B, D, F • Hash::lookup(std::string word) { int i = hash(word); Page(tableptr[i]) struct hentry *dp = tableptr[i]; Page(node 1) while (dp != NULL) { Page(node 2) if (!strcmp(hp->word, word)) … return dp; dp = dp->next; } Match with the oracle } 19

Side Channels vs Controlled Channels Cache Side Channels Controlled Channels Granularity Cachelines (64-byte) Pages (4KB) Noisiness Highly noisy Noiseless and Lossless Synchronization Two-phase synchronization No synchronization with (e.g., PRIME+PROBE, the victim FLUSH+RELOAD) Scope Common to most Specific to enclaves platforms Privileges Non-root Need root privileges 20

Mitigation • ASLR (Address Space Layout Randomization)? • Not working  Can d etect entry points and “start - up” patterns • Self-paging • Some architecture (e.g., RISC-V) suggests self-paging in enclaves • The OS never gets any page faults • Detecting attacks • Execution time, page fault count, etc • Forbidding page faults from enclave code  T-SGX 21

T- SGX (NDSS’17) • Intel TSX (Transactional Synchronization Extensions) • Any fault  abort handler unsigned status; // Begin a transaction if ((status = _xbegin()) == _XBEGIN_STARTED) { // Run any code Page Fault _xend(); } else { // Abort } • Can forbid all page faults in enclaves (i.e., no paging) 22

Other Enclave Attacks • Page table access/dirty bits (USENIX‘17) • Recently read  access bit; Recently written  dirty bit • Can be observed without page faults • Branch Predictor States (USENIX’17) • Enclave and non-enclave code shares branch predictor states • Can observe which branches are taken • Addresses on memory bus (CCS’13) • Every memory command (read / write) is visible on bus • Can observe with a DIMM interposer 23

Questions? Hardware Enclave Attacks 24