The first Intel SGX malware has arrived

A group of experts published their research on this attack

Network security and ethical hacking specialists from the International Institute of Cyber Security report the emergence of the first functional malware for Intel Software Guard Extensions (Intel SGX). The research expert group believes that the vulnerabilities present in SGX, a feature designed to reinforce Intel’s security, could generate countless damage, as this allows hackers to deploy very advanced malware variants.   

According to its official website, Intel SGX is “an extension of architecture developed to improve the security of the data and the application code”. Michael Schwarz, Daniel Gruss and Samuel Weiser, specialists in network security, discovered a way to hide malware in the SGX enclaves of Intel. 

The experts used a technique known as return-oriented programming (ROP) to design their own application and perform various malicious activities, such as randomization of the address space design at operating system level or executing arbitrary code to extract confidential information.

Researchers have shown that enclaves can escape their SGX execution environment and omit any communication interface prescribed by their host. Previously it was thought that enclaves, and anything operating within them, were limited to access to parts of the operating system that did not interact with the enclaves; this team of experts has shown that the hypothesis was wrong.

To perform the attack, experts resorted to the use of the Transactional Synchronization Extensions (TSX) function, available on the most recent devices, so they managed to analyze the system memory in search of a virtual address to which could access the current process. According to specialists in network security, this intrusion is not detectable, because applications at the operating system level cannot take a look at the enclave.

Research managers consider this information to be useful in developing solutions for the next generation of computer equipment. In addition, some security measures against these attack vectors may not necessarily require software modifications, although their implementation may have some impact on equipment performance.