Researchers at Ohio State University have created the SgxPectre attack, which is capable of reading all the contents of Intel SGX-powered secure enclaves.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- The SgxPectre vulnerability exposes the contents of secure enclaves used in 6th generation and newer Intel processors.
- The feature was intended for use in securing cryptographic keys used for encrypted communication and DRM against access other programs, or a host OS in virtualized environments.
Researchers at Ohio State University have demonstrated a method to adapt Spectre to read data protected by Software Guard Extensions (SGX), which allows for the creation of a secure enclave in memory to protect data from being used by applications at a higher privilege level. While the original Spectre vulnerability relied on branch prediction and speculation to read kernel-level memory, it was not able to read the contents of SGX-protected secure enclaves.
This vulnerability--called SgxPectre--combines the branch prediction and speculation attributes of Spectre with vulnerable code patterns in the existing SGX runtime libraries (Intel SGX SDK, Rust-SGX, and Graphene-SGX were named specifically by the researchers) to gain complete access to the contents of the secure enclave. Because the problems exist in the runtime libraries, any program utilizing SGX is insecure, independent of how SGX utilization is implemented in the program.
According to the researchers: "The branch prediction units used in the enclave mode for predicting branch targets are not thoroughly cleansed upon enclave entrance. Therefore, code outside the targeted enclave (either running in the unprotected memory region or in another enclave) can manipulate the targets the branch prediction inside the targeted enclave."
This would, in theory, make the vulnerability exploitable across virtual machines on the same host, not just host-to-guest.
Additionally, "Implicit caching caused by speculatively executed instructions are not properly rolled back after these instructions are discarded, which means the speculatively executed instructions, though never committed to memory, may lead to cache state changes that are observable by the adversary."
The researchers indicate that Indirect Branch Restricted Speculation (IBRS) can mitigate SgxPectre attacks, though this is implemented via a microcode update, which can be optionally disabled by system administrators. (This, among other problems, led Linus Torvalds to call the patches "insane" as well as "complete and utter garbage" when the patches were submitted for inclusion in the Linux kernel.) As a result, developers will need to verify CPUSVN when running, and check code for similar vulnerable code patterns.
SEE: Comparison chart: Virtualization platforms (Tech Pro Research)
According to Intel, SGX is intended for use with "identity and records privacy, secure browsing, and digital rights management (DRM)," and "[hardening] endpoint protection or any high-assurance security use case that needs to safely store secrets or protect data."
SGX is used by the wolfSSL package on compatible platforms, as well as in some cloud services to provide a secure environment, as hypervisors cannot inspect the secure enclaves created by guest operating systems. SGX was introduced in 6th generation (Skylake) Intel processors, and subsequently added to the Goldmont Plus series of low-end Celeron and Pentium Silver processors. Microsoft added support for SGX to Azure last September.
Previous research by Austria's Graz University of Technology demonstrated the ability to extract RSA keys using a DRAM side-channel attack.
Update: An Intel spokesperson provided this statement to TechRepublic:
"We are aware of the research paper from Ohio State and have previously provided information and guidance online about how Intel SGX may be impacted by the side channel analysis vulnerabilities. We anticipate that the existing mitigations for Spectre and Meltdown, in conjunction with an updated software development toolkit for SGX application providers-- which we plan to begin making available on March 16th-- will be effective against the methods described in that research. We recommend customers make sure they are always using the most recent version of the toolkit."
- Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)
- Microsoft announces new updates to protect against Spectre and Meltdown attacks (ZDNet)
- Spectre and Meltdown: Cheat sheet (TechRepublic)
- First Intel, now AMD also faces multiple class-action suits over Spectre attacks (ZDNet)
- How the Meltdown and Spectre chip flaws will impact cloud computing (TechRepublic)