[Cryptography] Practical Enclave Malware with Intel SGX

Henry Baker hbaker1 at pipeline.com
Wed Feb 13 11:39:14 EST 2019


FYI --

https://arxiv.org/pdf/1902.03256.pdf

Practical Enclave Malware with Intel SGX
Michael Schwarz, Samuel Weiser, Daniel Gruss
Graz University of Technology

Abstract.  Modern CPU architectures offer strong isolation guarantees
towards user applications in the form of enclaves.  For instance,
Intel's threat model for SGX assumes fully trusted enclaves, yet there
is an on-going debate on whether this threat model is realistic.  In
particular, it is unclear to what extent enclave malware could harm a
system.  In this work, we practically demonstrate the first enclave
malware which fully and stealthily impersonates its host application.
Together with poorly-deployed application isolation on personal
computers, such malware can not only steal or encrypt documents for
extortion, but also act on the user's behalf, e.g., sending phishing
emails or mounting denial-of-service attacks.  Our SGX-ROP attack uses
a new TSX-based memory-disclosure primitive and a
write-anything-anywhere primitive to construct a code-reuse attack
from within an enclave which is then inadvertently executed by the
host application.  With SGX-ROP, we bypass ASLR, stack canaries, and
address sanitizer.  We demonstrate that instead of protecting users
from harm, SGX currently poses a security threat, facilitating
so-called super-malware with ready-to-hit exploits.  With our results,
we seek to demystify the enclave malware threat and lay solid ground
for future research on and defense against enclave malware.

----
SGX works just fine, sort of; it's the threat model that is faulty.

The usual suspects: ROP, fake stacks.

The new suspects: *transactional memory*, introduced as a *security
feature* (among other virtues), can be used to engage in and hide
mischief: Oops!!

Every *hiding place* can always be used to hide both good and evil,
so there is no such thing as "good"/"always-to-be-trusted" hiding
place ("enclave").

Bottom line: *every* asymmetrical threat model (i.e., one in
which there is an undisputed faith in some 'white hat' actor --
e.g., DRM) is doomed, IMHO.  I shouldn't have to *pwn* my *own*
computer in order to control it.
