As developers start to rely more on hardware-based memory encryption controls that isolate specific application code and data in memory - secure enclaves, adversaries can use enclaves to successfully coexist on the host and enjoy similar protections. In this talk we venture into a practical implementation of such an offensive enclave, with the help of Intel SGX enclave technology, supported on a wide variety of processors present in enterprise data-centers and in the cloud. We discuss how malware can avoid detection in defensively instrumented environments and protect their operational components from processes running at high privilege levels, including the Operating System. We dive deeper into using enclaves in implants and stagers, and discuss the design and implementation of an enclave that is capable of facilitating secure communication and storage of sensitive data in offensive operations. We cover how the enclaves can be built to help secure external communication while resisting system and network inspection efforts and to achieve deployment with minimal dependencies where possible. Finally, we release the enclave code and a library of offensive enclave primitives as a useful reference for teams that leverage Intel SGX technology or have the hardware platform capable to support such adversarial efforts. -- This talk has been released to YouTube and the DEF CON Media server. YouTube: https://www.youtube.com/watch?v=WWGkaGBtn2Q

1. Use of Offensive Enclaves In Adversarial Operations
DEFCON 29
@Op_Nomad
Your House is My House

2. $ who –m
Dimitry Snezhkov
Attack & Pen Team
Tools, research, automation

3. Offensive Goals
• Living off the land SGX enabled environments in offensive operations
• Securing code and data (payloads)
• Securing communication with C2s
• Diverting EDR attention from user-land cradle/loader
• Leveraging “assumed secure” components minimizing inspection priority
• Windows as example but concepts apply to Linux
• YOLO fun and experiments J
Not a talk about SGX vulnerabilities or SGX deep dives.

4. SGX Overview
• SGX – technology to protect specific code
and data from disclosure or modification.
• Hardware enforced in 6th Generation
Intel® Core™ Processor + ENCLU/ENCLS
• SGX “enclaves” are protected areas of
execution that increase security even on
compromised platforms.”
• SGX enclave is a trusted code linked into
untrusted application
• Laptops, datacenters, cloud VMs (Azure
DC level trusted computing machines)
!"#$%&'($)*+'&,-.'#/#0#
123#4'*5#/#6#78#'*5#/#9:#4;#
''(<'%#78#'%'=>,'#;:

5. SGX Components
PSW – Platform Software
• Driver
• AESM_SERVICE - orchestration
SDK – Software development
• Intel
• OpenEnclave
Outcome: Application
• Trusted / Untrusted
• E/O – Calls
• EDL
• Signing
• Configuration
• Loading

6. SGX Support of the Goals
The problem of payload transfer:
• Obfuscation
• Keys in memory
• Algorithm often Symmetric
• Inspection of comms negotiation
Alternatives:
• Flexible crypto in SGX ?
• Heavy but possible (3rd party)
• Target availability
• ! Roll your own
• No syscalls, limited I/O (state)
• SGX_TCRYPTO API? Use attestation key interchange building block routines

7. Exclave: SGX API Assisted Implant System
Step 0
checkECapability()
enableSGXEFI()
createEnclave(enclaveSignedFile)
Step 1 RSA(pub+pk)
sgx_create_rsa_pub1_key(…)
Step 2 RSA(pub)(SK)
sgx_rsa_priv_decrypt_sha256(…)
Step 3 AES-GCM(SK)(payload):
sgx_rijndael128GCM_decrypt(…)

8. SGX Exclave Loader
Components:
- App
- Assume Inspectable
- Loaded disk
- Bridge
- Assume Inspectable
- Loaded disk/memory
- Enclave (signed)
- Assume Obfuscated**
- Loaded disk (SGX req.)
- Image from buffer in some SDKs
- MS-API
- YMMV

9. Exclave System
Demo

10. Assumption and Limitations
ü Bad coding practice, weakening enclaves. YOLO.
ü Whitelisted signing keys (Pre-release/ Debug)
ü Attestation => attribution
ü In theory !attested enclaves => inspected. In practice – EDRs do not fully inspect.
ü SGX_AESERVICE, SGX driver and PSW installed by default. TCRYPTO present
ü Watch for signatures identifying non-approved SGX enclaves. (Few do this)

11. Defense Takeaways
ü Enforced attestation is key (Dev key, Intel verified)
ü Remove whitelisted test / build keys from SDK in prod
ü Instrument detection to valid signed dlls for SGX sections to identify yours
sgxfun/parse_enclave.py at master · kudelskisecurity/sgxfun · GitHub

12. EOF
Thank you!
https://github.com/dsnezhkov/exclave