FAIRSpectra - Enabling the FAIRification of Spectroscopy and Spectrometry
SnakeGX (full version)
1. SnakeGX: a sneaky attack
against SGX Enclaves
Flavio Toffalini - Singapore University of Technology and Design
Mariano Graziano - Cisco Systems, Inc.
Mauro Conti - University of Padua
Jianying Zhou - Singapore University of Technology and Design
ACNS - June 21-24, 2021
1
3. SGX introduction
3
User-space
Kernel-space
Enclave
Intel Software Guard eXtention (SGX)
- Enclaves: isolated memory regions in
user-space
- Enclaves cannot interact with ring-0
software (i.e., no syscall)
- Enclaves can write/read in user-space
- User- and kernel-space cannot write/read
the enclave space
HOW IS THIS ENFORCED?
CPU/MMU/Microcode checks.
OS-independent design.
4. Application
SGX Software Development Kit
Enclave
Secure Function 1
Secure Function N
...
Code
4
Secure Function 2
SGX SDK organizes the enclave code in secure functions
5. Problem description - memory corruptions
An enclave is prone of
memory corruption errors
One can force the execution
jumping over existing code
This hijacks the enclave logic
5
User-space
Kernel-space
Enclave
Payload
Correct execution
Hijacked execution
6. Problem description - SGX issues
6
User-space
Kernel-space
SGX assumes everything outside an Enclave is
malicious (e.g., the OS) [1]
Usually good, however, the OS must trust an
enclave contain bening software
A code-reuse attack could alter the enclave logic,
without breaking the isolation [2,3,4,5]
The OS is not aware of the attack
Enclave
?
? ?
[1] Iago Attacks: Why the System Call API is a Bad Untrusted RPC Interface (SIGARCH 2013)
[2] Hacking in Darkness: Return-oriented Programming against Secure Enclaves (Usenix 2017)
[3] The Guard's Dilemma: Efficient Code-Reuse Attacks Against Intel SGX (Usenix 2018)
[4] A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes (CCS 2019)
[5] Faulty Point Unit: ABI Poisoning Attacks on Intel SGX (ACSAC 2020)
7. Current memory attacks
State-of-the-art attacks:
7
Forces the enclave to crash and
restart multiple times to “guess”
the correct attack
Dark-ROP
(Usenix 2017)
Relies on code patterns, no
need to crash the enclave
It leaves many structures in
memory
Guard’s Dilemma
(Usenix 2018)
Introduces a new and unexpected
enclave in the system that attracts
the intention of the analyst
SGX-ROP
(Dimva 2019)
// not exactly an attack
8. Current memory attacks
State-of-the-art attacks:
8
Forces the enclave to crash and
restart multiple times to “guess”
the correct attack
Dark-ROP
(Usenix 2017)
Relies on code patterns, no
need to crash the enclave
It leaves many structures in
memory
Guard’s Dilemma
(Usenix 2018)
Introduces a new and unexpected
enclave in the system that attracts
the intention of the analyst
SGX-ROP
(Dimva 2019)
// not exactly an attack
Too noisy Too many
traces
Add unexpected
enclaves
9. SnakeGX
Research question:
Is it possible to attack an SGX enclave without being detected by the host OS?
Our proposal: a framework to implant a backdoor in legitimate SGX enclaves
How?
1) Exploiting SGX isolation to avoid memory-inspection
2) Leaving less traces as possible
9
10. Application
SnakeGX - The plan!
Install a backdoor in the victim enclave => add a malicious secure function
Enclave
Secure Function 1
Secure Function N
...
Backdoor
Safe code
Attacker
10
11. SnakeGX - The plan!
Properties:
- Persistent: remains inside the enclave
- Stateful: it saves date and takes decision
- Interactive: can invoke syscalls
Advantages:
- No need to repeat an attack
- Limited traces in memory
- Avoid inspection
11
User-space
Kernel-space
Enclave
Backdoor
➊
➌
X := 10
➋
➊
➌
➋
23. Backdoor architecture
23
TLS (inside the enclave)
FakeFrame
Workspace
Backup
ROP-chains
ROP-chains
fake ocall_context
fake ocall_context
Buffer For status and temporary variables
Actual ROP chains executed
ROP chains and structure
copies for restoring
For the trigger
➊ - Enclave Memory Analysis ➋ - Payload Installation ➌ - Payload Triggering ➍ - Backdoor architecture ➎ -
Context-switch
24. ➊ - Enclave Memory Analysis ➋ - Payload Installation ➌ - Payload Triggering ➍ - Backdoor architecture ➎ -
Context-switch
Context-switch
Goal: the payload should interact with the OS without losing the enclave control
Intuition: split the payload in ROP chains inside and outside the enclave
24
User-space
Kernel-space
Enclave
Oc
P1
P2
Attacker
ORET
ORET
Note:
P1
, P2
: split the payload in 2 parts
Oc
: outside chain temporary copied in
user-space and erased after usage
26. The Evaluation
- Use Case: StealthDB
- Traces measurement and comparison with SotA
26
27. Use Case: StealthDB
StealthDB1
is a PostgreSQL extension to perform homomorphic-like encryption by using
SGX enclaves
Application
Enclave
Secure Function
Backdoor
Safe code
Attacker
P_Key (AES key)
backdoor() {
if (P_Key is changed)
exfiltrate(P_Key)
}
ORET
ECALL
27
[1] https://github.com/cryptograph/stealthdb/
28. Use Case: StealthDB
28
Analysis Payload
P1
: checks status and in case
exfiltrates P_Key
Oc
: write P_Key on a socket
P2
: restores the payload for a next
execution
Application
Enclave
P1
Attacker
P_Key (AES key)
P1
() {
if (P_Key is changed)
exfiltrate(P_Key)
}
ORET
OC
P2
ORET
socket
31. Conclusion
Before
- Current SGX malware introduces unexpected enclaves in the system
- Current one-shot-attacks need to repeat the attack(and leave traces in memory)
Now
- Infecting legitimate enclaves (no new enclaves)
- SnakeGX hide most of the logic inside the enclave (more challenging to detect)
31