In a research paper published at the end of February, a team of five scientists from the Graz University of Technology described a novel method of leaking data from SGX enclaves, a secure environment created by Intel CPUs for storing each process's sensitive information, such as encryption keys and passwords.
Starting with the Skylake line, Intel introduced a new hardware extension called SGX (Software Guard Extensions) that isolates the CPU memory at the hardware level, creating safe spaces where applications can store information that only they can write or read.
Attack targets Intel SGX enclaves
These isolated memory regions are called enclaves and are used by both regular computers and cloud servers.
On regular PCs, enclaves store sensitive information from each process, keeping the data out of the operating system’s reach. On cloud servers, where multiple customers share the same machine, enclaves are crucial elements used by hypervisors, the software that creates and runs the different virtual machines for each customer.
Because of this memory separation, and because the data stored in enclaves is also encrypted to safeguard against hardware-level attackers, Intel recommended right after SGX’s introduction that software developers store encryption keys in SGX enclaves, as there’s no safer place to store such information.
Researchers create enclave malware
In their research paper, the team of Austrian experts says they’ve created the very first malware that can be stored in Intel SGX enclaves.
In their experiments, the researchers demonstrated how this “super malware” can attack its host and leak data from enclaves located on the same machine via simple cache attacks.
“Our proof-of-concept malware is able to recover RSA keys by monitoring cache access patterns of an RSA signature process in a semi-synchronous attack,” researchers said.
“In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace,” they said. “We extract the full RSA private key in an automated attack from 11 traces within 5 minutes.”
Malware uses enclaves to remain invisible
Paradoxically, the attack and the malware are completely invisible to the host because of the effectiveness of SGX enclave isolation. Security software won’t detect any of the malware’s malicious actions, as it cannot access the enclave of another process.
“Even the most advanced detection mechanisms using performance counters cannot detect our malware,” researchers bragged. “Intel intentionally does not include SGX activity in the performance counters for security reasons. However, this unavoidably provides attackers with the ability to hide attacks as it eliminates the only known technique to detect cache side-channel attacks.”
More details on the attacks and proposed countermeasures are available in the research paper titled “Malware Guard Extension: Using SGX to Conceal Cache Attacks.”