Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et...
Transcript of Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et...
![Page 1: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/1.jpg)
Foreshadow: Extracting the Keys to the Intel SGX Kingdom
with Transient Out-of-Order Execution
Jo Van Bulck 1 Marina Minkin 2 Ofir Weisse 3 Daniel Genkin 3 Baris Kasikci 3
Frank Piessens 1 Mark Silberstein 2 Thomas F. Wenisch 3 Yuval Yarom 4 Raoul Strackx 1
1imec-DistriNet, KU Leuven 2Technion 3University of Michigan 4University of Adelaide and Data61
USENIX Security, August 2018
![Page 2: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/2.jpg)
Road map
1 Introduction
2 The Foreshadow attack
3 Demo
4 Dismantling Intel SGX security objectives
5 Foreshadow-NG implications
6 Mitigations and conclusion
![Page 3: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/3.jpg)
Evolution of “side-channel attack” occurrences in Google Scholar
1990 1994 1998 2002 2006 2010 2014 2018
3000
4000
2000
1000
DO WE JUST SUCKAT... COMPUTERS?
YUP. ESPECIALLY SHARED ONES.
Based on github.com/Pold87/academic-keyword-occurrence and xkcd.com/1938/1 / 17
![Page 4: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/4.jpg)
Security in a post-Meltdown world
Classic attacker-defender race
Exploit and patch application-level vulnerabilities (memory safety, side-channels)
App
OS
CPU
2 / 17
![Page 5: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/5.jpg)
Security in a post-Meltdown world
Game changer Meltdown
Free universal read primitive → kernel page-table isolation
App
OS
CPU
!?
2 / 17
![Page 6: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/6.jpg)
Rumors: Meltdown immunity for SGX enclaves?
“[enclaves] remain protected and completely secure”
— International Business Times, February 2018
“[enclave memory accesses] redirected to an abort page, which has no value”
— Anjuna Security, Inc., March 2018
3 / 17
![Page 7: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/7.jpg)
Rumors: Meltdown immunity for SGX enclaves?
https://wired.com and https://arstechnica.com
3 / 17
![Page 8: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/8.jpg)
Intel SGX promise: Hardware-level isolation and attestation
Mem HDD
OS kernel
Trusted Untrusted
CPU
AppApp
TPM
Hypervisor
Enclave app
4 / 17
![Page 9: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/9.jpg)
Intel SGX promise: Hardware-level isolation and attestation
Mem HDD
OS kernel
Trusted Untrusted
CPU
AppApp
TPM
Hypervisor
Enclave app
4 / 17
![Page 10: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/10.jpg)
![Page 11: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/11.jpg)
Road map
1 Introduction
2 The Foreshadow attack
3 Demo
4 Dismantling Intel SGX security objectives
5 Foreshadow-NG implications
6 Mitigations and conclusion
![Page 12: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/12.jpg)
Building Foreshadow
5 / 17
![Page 13: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/13.jpg)
Building Foreshadow
L1 terminal fault challenges
5 / 17
![Page 14: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/14.jpg)
Meltdown recap: Transiently encoding unauthorized memory
Unauthorized access
6 / 17
![Page 15: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/15.jpg)
Meltdown recap: Transiently encoding unauthorized memory
Unauthorized access Transient out-of-order window
oracle array
secre
t id
x
6 / 17
![Page 16: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/16.jpg)
Meltdown recap: Transiently encoding unauthorized memory
Unauthorized access Transient out-of-order window Exception
(discard architectural state)
6 / 17
![Page 17: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/17.jpg)
Meltdown recap: Transiently encoding unauthorized memory
Unauthorized access Transient out-of-order window
oracle array
cache hit
Exception handler
6 / 17
![Page 18: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/18.jpg)
Challenge #1: Intel SGX abort page semantics
7 / 17
![Page 19: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/19.jpg)
Challenge #1: Intel SGX abort page semantics
Untrusted world view
Enclaved memory reads 0xFF
Meltdown “bounces back” (∼ mirror)
Intra-enclave view
Access enclaved + unprotected memory
SGXpectre in-enclave code abuse
7 / 17
![Page 20: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/20.jpg)
Challenge #1: Intel SGX abort page semantics
Untrusted world view
Enclaved memory reads 0xFF
Meltdown “bounces back” (∼ mirror)
Intra-enclave view
Access enclaved + unprotected memory
SGXpectre in-enclave code abuse7 / 17
![Page 21: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/21.jpg)
Challenge #1: Intel SGX abort page semantics
Untrusted world view
Enclaved memory reads 0xFF
Meltdown “bounces back” (∼ mirror)
Intra-enclave view
Access enclaved + unprotected memory
SGXpectre in-enclave code abuse7 / 17
![Page 22: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/22.jpg)
Building Foreshadow: Evade the abort page
Note: SGX MMU sanitizes untrusted address translation
SGX?
Abort page semantics:An attempt to read from a non-existent or disallowed resource returns all ones for data(abort page). An attempt to write to a non-existent or disallowed physical resource isdropped. This behavior is unrelated to exception type abort (the others being Fault and Trap).
https://software.intel.com/en-us/sgx-sdk-dev-reference-enclave-development-basics8 / 17
![Page 23: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/23.jpg)
Building Foreshadow: Evade the abort page
Note: SGX MMU sanitizes untrusted address translation
Van Bulck et al. “Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution”, USENIX Security 20178 / 17
![Page 24: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/24.jpg)
Building Foreshadow: Evade the abort page
Straw man: (Speculative) accesses in non-enclave mode are dropped
Van Bulck et al. “Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution”, USENIX Security 20178 / 17
![Page 25: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/25.jpg)
Building Foreshadow: Evade the abort page
Stone man: Bypass abort page via untrusted page table
Van Bulck et al. “Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution”, USENIX Security 20178 / 17
![Page 26: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/26.jpg)
Building Foreshadow: Evade the abort page
Stone man: Bypass abort page via untrusted page table
Unprivileged system call
mprotect( secret_ptr & 0xFFF, 0x1000, PROT_NONE );
Van Bulck et al. “Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution”, USENIX Security 20178 / 17
![Page 27: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/27.jpg)
Challenge #2: Strict caching requirements
9 / 17
![Page 28: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/28.jpg)
Challenge #2: Strict caching requirements
L1 terminal fault
Only enclave loads served from L1 reach transient out-of-order execution
https://twitter.com/lavados/status/951066835310534656
Foreshadow present bit ↔ Meltdown supervisor bit
9 / 17
![Page 29: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/29.jpg)
Challenge #2: Strict caching requirements
L1 terminal fault
Only enclave loads served from L1 reach transient out-of-order execution
Foreshadow present bit ↔ Meltdown supervisor bit
9 / 17
![Page 30: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/30.jpg)
Challenge #2: Strict caching requirements
Intel micro-architecture
Address translation abort in parallel with L1 lookup (tag comparison)
SGX?EPT
walk?PT
walk?
L1D
vadrsguestpadrs
hostpadrs
Tag? Pass to out-of-order
CPU micro-architecture
EPCM fail
1 2 3
3a
Weisse et al. “Foreshadow-NG: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution”
Foreshadow present bit ↔ Meltdown supervisor bit
9 / 17
![Page 31: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/31.jpg)
Building Foreshadow: Loading enclave secrets in L1
SGX-Step
1. Preemptive extraction
Interrupt victim enclave at page or instruction-level granularity
→ Memory operands + CPU registers (SSA)
2. Concurrent extraction
Intel HyperThreading: co-resident logical CPUs share L1
→ Real time memory accesses
3. Uncached extraction
Forcibly reload 4 KiB enclave page: ewb + eldu
→ Reliably dump entire enclave address space
Van Bulck et al. “SGX-Step: A practical attack framework for precise enclave execution control”, SysTEX 201710 / 17
![Page 32: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/32.jpg)
Building Foreshadow: Loading enclave secrets in L1
SGX-Step
1. Preemptive extraction
Interrupt victim enclave at page or instruction-level granularity
→ Memory operands + CPU registers (SSA)
2. Concurrent extraction
Intel HyperThreading: co-resident logical CPUs share L1
→ Real time memory accesses
3. Uncached extraction
Forcibly reload 4 KiB enclave page: ewb + eldu
→ Reliably dump entire enclave address space
Van Bulck et al. “SGX-Step: A practical attack framework for precise enclave execution control”, SysTEX 2017
10 / 17
![Page 33: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/33.jpg)
Building Foreshadow: Loading enclave secrets in L1
SGX-Step
1. Preemptive extraction
Interrupt victim enclave at page or instruction-level granularity
→ Memory operands + CPU registers (SSA)
2. Concurrent extraction
Intel HyperThreading: co-resident logical CPUs share L1
→ Real time memory accesses
3. Uncached extraction
Forcibly reload 4 KiB enclave page: ewb + eldu
→ Reliably dump entire enclave address space
Van Bulck et al. “SGX-Step: A practical attack framework for precise enclave execution control”, SysTEX 2017
10 / 17
![Page 34: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/34.jpg)
Building Foreshadow: Loading enclave secrets in L1
Many more optimization techniques + microbenchmarks → see paper!
10 / 17
![Page 35: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/35.jpg)
Road map
1 Introduction
2 The Foreshadow attack
3 Demo
4 Dismantling Intel SGX security objectives
5 Foreshadow-NG implications
6 Mitigations and conclusion
![Page 37: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/37.jpg)
Road map
1 Introduction
2 The Foreshadow attack
3 Demo
4 Dismantling Intel SGX security objectives
5 Foreshadow-NG implications
6 Mitigations and conclusion
![Page 38: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/38.jpg)
Establishing trust: Remote attestation and secret provisioning
Binding secrets to enclave identity
Goal: Secure end-to-end communication channel + local storage
App enclave
12 / 17
![Page 39: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/39.jpg)
Establishing trust: Remote attestation and secret provisioning
CPU-level key derivation
Intel == trusted 3th party (shared CPU master secret)
App enclave
EGETKEY
EREPORT
Quotingenclave
Genuine attestation flow
12 / 17
![Page 40: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/40.jpg)
Eroding trust: Remote attestation and secret provisioning
Foreshadow adversary
Extract long-term platform attestation key → forge Intel signatures
App enclave
Quotingenclave
Bogus attestation flow
EGETKEY
13 / 17
![Page 41: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/41.jpg)
Eroding trust: Remote attestation and secret provisioning
Foreshadow domino effects
Active man-in-the-middle: read + modify all local and remote secrets (!)
App enclave
13 / 17
![Page 42: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/42.jpg)
Road map
1 Introduction
2 The Foreshadow attack
3 Demo
4 Dismantling Intel SGX security objectives
5 Foreshadow-NG implications
6 Mitigations and conclusion
![Page 43: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/43.jpg)
Foreshadow-NG: Breaking the virtual memory abstraction
L1 terminal fault [Int18]
Unmap page → read arbitrary cached physical memory
https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault
Weisse et al. “Foreshadow-NG: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution”14 / 17
![Page 44: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/44.jpg)
Foreshadow-NG: Breaking the virtual memory abstraction
SGX?EPT
walk?PT
walk?
L1D
vadrsguestpadrs
hostpadrs
Tag? Pass to out-of-order
CPU micro-architecture
EPCM fail
1 2 3
3a
Weisse et al. “Foreshadow-NG: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution”
15 / 17
![Page 45: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/45.jpg)
Road map
1 Introduction
2 The Foreshadow attack
3 Demo
4 Dismantling Intel SGX security objectives
5 Foreshadow-NG implications
6 Mitigations and conclusion
![Page 46: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/46.jpg)
Mitigating Foreshadow
16 / 17
![Page 47: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/47.jpg)
Mitigating Foreshadow
Future CPUs
(silicon-based changes)
https://newsroom.intel.com/editorials/advancing-security-silicon-level/
16 / 17
![Page 48: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/48.jpg)
Mitigating Foreshadow
OS kernel updates
(sanitize page frame bits)
Intel SGX: untrusted OS → no software-only mitigations
16 / 17
![Page 49: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/49.jpg)
Mitigating Foreshadow
Intel microcode updates
⇒ Flush L1 cache on enclave/VMM exit + disable HyperThreading
https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault
16 / 17
![Page 50: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/50.jpg)
Conclusions and lessons learned
Take-away message
Foreshadow == L1 cache read primitive → collapse CPU protection
↔ Intel µ-code patches for TCB recovery (+ disable HyperThreading!)
⇒ Importance of fundamental side-channel research (e.g., page table attack surface)
⇒ TEE design: avoid single point of failure (domino effects)
17 / 17
![Page 51: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/51.jpg)
Conclusions and lessons learned
Take-away message
Foreshadow == L1 cache read primitive → collapse CPU protection
↔ Intel µ-code patches for TCB recovery (+ disable HyperThreading!)
⇒ Importance of fundamental side-channel research (e.g., page table attack surface)
⇒ TEE design: avoid single point of failure (domino effects)
17 / 17
![Page 52: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/52.jpg)
Conclusions and lessons learned
Take-away message
Foreshadow == L1 cache read primitive → collapse CPU protection
↔ Intel µ-code patches for TCB recovery (+ disable HyperThreading!)
⇒ Importance of fundamental side-channel research (e.g., page table attack surface)
⇒ TEE design: avoid single point of failure (domino effects)
17 / 17
![Page 53: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/53.jpg)
Thank you! Questions?
https://foreshadowattack.eu
![Page 54: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/54.jpg)
References I
G. Chen, S. Chen, Y. Xiao, Y. Zhang, Z. Lin, and T. H. Lai.
Sgxpectre attacks: Leaking enclave secrets via speculative execution.arXiv preprint arXiv:1802.09085, 2018.
Intel Corporation.
Intel analysis of L1 terminal fault, August 2018.https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-l1-terminal-fault.
M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, A. Fogh, J. Horn, S. Mangard, P. Kocher, D. Genkin, Y. Yarom, and M. Hamburg.
Meltdown: Reading kernel memory from user space.In 27th USENIX Security Symposium (USENIX Security 18), 2018.
J. Van Bulck, F. Piessens, and R. Strackx.
SGX-Step: A practical attack framework for precise enclave execution control.In Proceedings of the 2nd Workshop on System Software for Trusted Execution, SysTEX’17, pp. 4:1–4:6. ACM, 2017.
J. Van Bulck, N. Weichbrodt, R. Kapitza, F. Piessens, and R. Strackx.
Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution.In Proceedings of the 26th USENIX Security Symposium. USENIX Association, August 2017.
O. Weisse, J. Van Bulck, M. Minkin, D. Genkin, B. Kasikci, F. Piessens, M. Silberstein, R. Strackx, T. F. Wenisch, and Y. Yarom.
Foreshadow-NG: Breaking the virtual memory abstraction with transient out-of-order execution.Technical Report, 2018.
Y. Xu, W. Cui, and M. Peinado.
Controlled-channel attacks: Deterministic side channels for untrusted operating systems.In 36th IEEE Symposium on Security and Privacy. IEEE, May 2015.
18 / 17
![Page 55: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/55.jpg)
Appendix: Remote attestation
IntelProvisioning Service
IntelQuoting Service
ProvisioningEnclave
QuotingEnclave
ApplicationEnclave
RemoteVerifier
A
B
1
3
2
5
4
7
6
19 / 17
![Page 56: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with … · 2019. 12. 18. · Van Bulck et al. \SGX-Step: A practical attack framework for precise enclave execution control",](https://reader035.fdocuments.us/reader035/viewer/2022062510/61195a35cbd9a4638d2e0f3a/html5/thumbnails/56.jpg)
Appendix: Key derivation
do_egetkey(&tmp);memcpy(&key, &tmp);
memset(&tmp, 0x0);free(&tmp);
do_egetkey (0x02658)
...enclu[EGETKEY]...ret
sgx_get_key (0x11760)
selib (trusted runtime)
tmp (0xc6400)
3
key (0xe87b0)
le_get_launch_token
5
1
2
sgx_get_key(&key, keyid);
sgx_cmac128(&key, token); memset(&key, 0x0);6 7
return;
4
20 / 17