Practical Enclave Malware with Intel SGX
Michael Schwarz, Samuel Weiser, Daniel Gruss
June 20, 2019 - DIMVA'19
Graz University of Technology
www.tugraz.at
Outline
• SGX
Michael Schwarz, Samuel Weiser, Daniel Gruss — Graz University of Technology
SGX Application
[Figure: an SGX application split into an untrusted part and a trusted part (the enclave), both running on top of the operating system. The untrusted part creates the enclave, then calls a trusted function through the call gate; the trusted function runs inside the enclave and returns to the untrusted part, and the call/return cycle repeats.]
What if?
• Enclaves are black boxes
• Protected from all applications and OS
• What if they contain malicious code?
• Can we hide zero days?
Threat Model
Intel's Statement: "[...] Intel is aware of this research which is based upon assumptions that are outside the threat model for Intel SGX. The value of Intel SGX is to execute code in a protected enclave; however, Intel SGX does not guarantee that the code executed in the enclave is from a trusted source [...]"
SGX Limitations
Classical exploits cannot be mounted within SGX:
• No syscalls
• No shared memory/libraries
• No interprocess communication
• Blocked instructions
State-of-the-art Malicious Enclaves
• Side-channel attacks from SGX [Sch+17]
• Fault attacks from SGX [Gru+18; Jan+17]
• No real exploits from SGX so far
TEE-REX
TEE-REX: Trusted Execution Environment Return-oriented-programming EXploit
Attack Overview
[Figure: the enclave next to the host application's memory regions (data, code, stack). As drawn: read primitive (TAP) → gadget in code; write primitive (CLAW) → cave in data; ROP injection chain → stack; then execute.]
Problems
• Enclave can access host memory...
• ...but crashes on invalid access
• No syscall or exception handler available
Transactional Memory
• Intel TSX: hardware transactional memory
• Multiple reads and writes are atomic
• Operations in a transaction
• Conflict → abort and roll back
• Faults are suppressed
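The last bullet is the property the slides build on: a fault inside a TSX transaction does not reach any handler, it only aborts the transaction. That turns "does this host address exist and what can I do with it?" into a question the enclave can answer without crashing. The following C program is an added example, not the authors' code: it reconstructs a TSX read probe (what the slides call TAP) and a TSX write probe (CLAW) from the description on these slides and runs them in an ordinary user-space process on Linux/x86, outside any enclave. The names tsx_usable, tap_probe, claw_probe, map_page and the xabort marker 0x5A are choices of this example; the RTM instructions are emitted as raw bytes so no -mrtm flag is needed, and every probe returns -1 when TSX is absent or disabled (which is the case on many current CPUs after the TAA microcode updates).

```c
#define _GNU_SOURCE             /* MAP_ANONYMOUS / sysconf on glibc */
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86_RTM_ASM 1
#endif
#ifndef MAP_ANONYMOUS           /* strict-ISO builds hide it; Linux value */
#define MAP_ANONYMOUS 0x20
#endif

#define PROBE_UNAVAILABLE (-1)  /* no usable RTM on this CPU/build */
#define PROBE_ATTEMPTS    32    /* retries absorb spurious aborts (interrupts etc.) */
#define CLAW_MARKER       0x5A  /* our xabort code (assumption): "store was accepted" */
#define RTM_STARTED       0xFFFFFFFFu

#ifdef HAVE_X86_RTM_ASM
/* RTM as raw bytes. xbegin with rel32 = 0 makes the abort handler the next
 * instruction, where EAX carries the abort status; on the initial pass EAX
 * still holds RTM_STARTED, so the caller can tell the two paths apart. */
static inline unsigned rtm_begin(void) {
    unsigned status = RTM_STARTED;
    __asm__ volatile(".byte 0xc7,0xf8; .long 0" : "+a"(status) : : "memory");
    return status;
}
static inline void rtm_end(void) {              /* xend */
    __asm__ volatile(".byte 0x0f,0x01,0xd5" : : : "memory");
}
static inline void rtm_abort_marker(void) {     /* xabort 0x5a (CLAW_MARKER) */
    __asm__ volatile(".byte 0xc6,0xf8,0x5a" : : : "memory");
}
#endif

/* 1 if CPUID advertises RTM and a trivial transaction really commits. The
 * self-test catches RTM_ALWAYS_ABORT microcode and hypervisors that expose
 * TSX but abort everything; without it a probe would call every page absent. */
int tsx_usable(void) {
    static int cached = -1;
    if (cached >= 0) return cached;
    cached = 0;
#ifdef HAVE_X86_RTM_ASM
    unsigned a, b, c, d;
    if (__get_cpuid_max(0, NULL) < 7) return cached;
    __cpuid_count(7, 0, a, b, c, d);
    if (!(b & (1u << 11))) return cached;       /* CPUID.7.0:EBX.RTM */
    if (d & (1u << 11)) return cached;          /* CPUID.7.0:EDX.RTM_ALWAYS_ABORT */
    for (int i = 0; i < PROBE_ATTEMPTS; i++)
        if (rtm_begin() == RTM_STARTED) { rtm_end(); cached = 1; break; }
#endif
    return cached;
}

/* TAP: read one byte inside a transaction. A fault on an unmapped or
 * non-readable page is suppressed and becomes an abort (0); a readable page
 * lets the transaction commit (1). No signal is raised in either case. */
int tap_probe(const void *addr) {
#ifdef HAVE_X86_RTM_ASM
    if (!tsx_usable()) return PROBE_UNAVAILABLE;
    for (int i = 0; i < PROBE_ATTEMPTS; i++) {
        if (rtm_begin() == RTM_STARTED) {
            (void)*(volatile const unsigned char *)addr;
            rtm_end();
            return 1;
        }
    }
    return 0;
#else
    (void)addr; return PROBE_UNAVAILABLE;
#endif
}

/* CLAW: store inside a transaction, then abort explicitly. The store is rolled
 * back either way, but the abort status differs: explicit bit plus our marker
 * means the store was accepted (writable, 1); a status without the explicit
 * bit means the store faulted before reaching xabort (not writable, 0). */
int claw_probe(void *addr) {
#ifdef HAVE_X86_RTM_ASM
    if (!tsx_usable()) return PROBE_UNAVAILABLE;
    for (int i = 0; i < PROBE_ATTEMPTS; i++) {
        unsigned status = rtm_begin();
        if (status == RTM_STARTED) {
            *(volatile unsigned char *)addr = 0;
            rtm_abort_marker();             /* execution resumes after rtm_begin() */
        } else if ((status & 1u) && (status >> 24) == CLAW_MARKER) {
            return 1;
        }
    }
    return 0;
#else
    (void)addr; return PROBE_UNAVAILABLE;
#endif
}

/* Map one page, touch it so it is populated, then apply the final protection.
 * An untouched anonymous page faults on first access, which a TSX probe
 * reports as absent even though it is mapped: a real caveat for TAP. */
void *map_page(int prot) {
    size_t sz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, sz, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    p[0] = 0x41;
    if (mprotect(p, sz, prot) != 0) return NULL;
    return p;
}

int main(void) {
    void *rw = map_page(PROT_READ | PROT_WRITE), *ro = map_page(PROT_READ);
    void *none = map_page(PROT_NONE);
    if (!rw || !ro || !none) { perror("map_page"); return 1; }
    printf("TSX usable: %d\n", tsx_usable());
    printf("TAP  rw=%d ro=%d none=%d\n", tap_probe(rw), tap_probe(ro), tap_probe(none));
    printf("CLAW rw=%d ro=%d none=%d\n", claw_probe(rw), claw_probe(ro), claw_probe(none));
    return 0;
}
```

Two caveats are visible in the code and matter just as much inside an enclave: a page that is mapped but never touched faults on first access and therefore probes as absent, and a spurious abort (an interrupt or a cache eviction) is indistinguishable from a fault within a single transaction, which is why each probe retries before concluding "not accessible". The write probe never commits, so the byte it stores is never visible to the host; only the abort status leaks the answer.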
Transactional Memory
[Figure: Thread 0 and Thread 1 operating on the shared cache, illustrating a hardware transaction.]