Researchers have found a way to run malicious code on systems with Intel processors such that the malware can't be analyzed or identified by antivirus software, using the processor's own features to protect the bad code. As well as making malware harder to analyze, bad actors could use this protection to, for example, write ransomware that never discloses its encryption keys in readable memory, making it substantially harder to recover from an attack.

The work, by Michael Schwarz, Samuel Weiser, and Daniel Gruss (one of the researchers behind last year's Spectre attack), uses a feature Intel introduced with its Skylake processors called Software Guard eXtensions (SGX). SGX allows programs to create enclaves in which both the code and the data the code works on are protected to ensure their confidentiality (nothing else on the system can spy on them) and integrity (any tampering with the code or data can be detected). The contents of an enclave are transparently encrypted every time they're written to RAM and decrypted when read back. The processor polices access to the enclave: any attempt to access the enclave's memory from code outside the enclave is blocked, and encryption and decryption happen only within the enclave itself.
SGX is pitched as a solution to a range of security problems where a developer wants to protect code, data, or both from prying eyes. For example, on a cloud platform an SGX enclave can be used to run proprietary algorithms so that even the cloud provider can't determine what the algorithms are doing. On a client machine, an SGX enclave could similarly be used to enforce DRM (Digital Rights Management) restrictions: the decryption process and the decryption keys the DRM uses can be kept inside the enclave, making them unreadable to the rest of the system. There are already biometric products on the market that use SGX enclaves to process biometric data and store it securely so that it can't be tampered with.
SGX is designed for this particular threat model: the enclave is trusted and contains something sensitive, while everything else (the application, the operating system, and even the hypervisor) is potentially hostile. While there have been attacks against this threat model (for example, poorly written SGX enclaves may be vulnerable to timing attacks or Meltdown-style attacks), it appears to be robust as long as certain best practices are followed.
The researchers turn this robustness to malicious ends and ask: what if the code inside the enclave is malicious? By design, SGX makes it impossible for anti-malware software to inspect or analyze code running in an enclave, which would make it an attractive place to put malicious code. However, code in an enclave is quite limited. In particular, it has no ability to make operating system calls; it can't open files, read data from disk, or write to disk. All of that has to be done outside the enclave. So naively, it would seem that a hypothetical SGX-based ransomware application would need a significant amount of code outside the SGX enclave: the parts that enumerate all your documents, read them, and overwrite them with encrypted versions would be unprotected. Only the encryption operation itself would take place inside the enclave.
Enclave code does, however, have the ability to read and write anywhere in the unencrypted memory of the host process; while nothing outside the enclave can look in, everything inside the enclave is free to look out. The researchers used this ability to scan through the host process's memory and find the pieces needed to build a return-oriented programming (ROP) payload that executes code of their choosing. ROP stitches together small fragments of executable code (gadgets) that are already part of the host application to make it do things the application never intended.
There's a wrinkle to this reading and writing, though. If enclave code tries to read unallocated memory, or to write to unallocated or read-only memory, the usual behavior is for the processor to raise an exception and exit the enclave so that the operating system can handle it. That would make scanning the host's memory impossible: once the exception fired, the malicious enclave would no longer be running, and in all likelihood the host program would crash. To get around this, the researchers reuse a technique that also proved useful in the Meltdown attack: they use another Intel feature, Transactional Synchronization eXtensions (TSX).
TSX provides a limited form of transactional memory. Transactional memory lets a thread modify a bunch of different memory locations and then publish those modifications as a single atomic update, so that other threads see either none of the modifications or all of them, never an intermediate half-written state. If a second thread tries to modify the same memory before the first thread has committed all of its changes, the attempt to publish the changes is aborted.
The purpose of TSX is to ease the development of multithreaded data structures that don't use locks to protect their modifications; done properly, these can be much faster than lock-based structures, especially under heavy contention. But TSX has a side effect that is particularly handy here: attempts within a transaction to read or write unallocated or inaccessible memory don't generate exceptions. Instead, they simply abort the transaction. Critically, this abort doesn't cause the enclave to exit; it's handled entirely inside the enclave.
This gives the malicious enclave everything it needs to do its dirty work. It scans the host process's memory to find the gadgets for its ROP payload and somewhere to write that payload, then redirects the processor to execute it. Typically the payload will do something like mark a region of memory as executable so that the malware can place its own set of supporting functions there.
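The probing step described above, as an added illustration that is not the researchers' code: a small C program that checks whether an address can be read without letting the access turn into a fault, then walks a region of memory page by page looking for a byte pattern (a stand-in for a ROP gadget) while skipping pages it can't read. On an x86 machine whose CPU still executes TSX transactions it does the check the way the enclave does, inside an _xbegin/_xend transaction whose abort swallows the fault; elsewhere it falls back to catching SIGSEGV with a signal handler and siglongjmp, which a normal process can do but enclave code cannot, since the fault would exit the enclave. The three-page layout with a PROT_NONE page in the middle and the two-byte "gadget" planted in the last page are constructed test data, and the function names are my own.

```c
/* Added example, not the researchers' code: probe host memory without faulting,
 * then scan it for a byte pattern while skipping pages that cannot be read.
 * Build: cc -o probe probe.c   (Linux or macOS; x86-64 or arm64) */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <immintrin.h>
#define HAVE_RTM 1
#endif

static sigjmp_buf probe_env;
static void on_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

#ifdef HAVE_RTM
/* The enclave's trick: a load inside a transaction that would fault instead
 * aborts the transaction, and execution resumes after _xbegin with a status.
 * Returns 1 readable, 0 aborted, -1 if CPUID.7.0:EBX bit 11 (RTM) is clear.
 * Transactions also abort for benign reasons (interrupts, cache conflicts),
 * so a few retries are made while the status says retrying may help. */
__attribute__((target("rtm")))
static int tsx_probe(const volatile unsigned char *p) {
    unsigned int a = 0, b = 0, c = 0, d = 0;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d) || !((b >> 11) & 1)) return -1;
    for (int attempt = 0; attempt < 8; attempt++) {
        unsigned int status = _xbegin();
        if (status == _XBEGIN_STARTED) {
            (void)*p;             /* a fault here becomes an abort, not SIGSEGV */
            _xend();
            return 1;
        }
        if (!(status & _XABORT_RETRY)) break;
    }
    return 0;
}
#endif

/* What a normal process can do but enclave code cannot: take the fault and
 * catch it in a SIGSEGV/SIGBUS handler that jumps back here. */
static int signal_probe(const volatile unsigned char *p) {
    struct sigaction sa, old_segv, old_bus;
    volatile int readable = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(probe_env, 1) == 0) { (void)*p; readable = 1; }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return readable;
}

/* 1 if the byte at addr can be read without faulting, else 0. TSX is trusted
 * only after it succeeds on a byte known to be readable, because CPUs with
 * TSX disabled by microcode may still advertise RTM yet abort every transaction. */
int probe_readable(const void *addr) {
    const volatile unsigned char *p = addr;
#ifdef HAVE_RTM
    static int tsx_usable = -1;
    static const unsigned char known_good = 0x90;
    if (tsx_usable < 0) tsx_usable = (tsx_probe(&known_good) == 1);
    if (tsx_usable) return tsx_probe(p);
#endif
    return signal_probe(p);
}

/* Walk [start, start+len) (start page-aligned), probing each page before
 * reading it and searching for pat only inside readable pages; a match that
 * straddles a page boundary is not sought. This is the shape of the scan the
 * enclave runs over host memory to locate gadgets. Returns first hit or NULL. */
const unsigned char *scan_readable(const unsigned char *start, size_t len,
                                   const unsigned char *pat, size_t plen,
                                   size_t *skipped_out) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE), skipped = 0;
    const unsigned char *hit = NULL;
    for (size_t off = 0; off < len && !hit; off += page) {
        if (!probe_readable(start + off)) { skipped++; continue; }
        size_t end = off + page < len ? off + page : len;
        for (size_t i = off; i + plen <= end && !hit; i++)
            if (memcmp(start + i, pat, plen) == 0) hit = start + i;
    }
    if (skipped_out) *skipped_out = skipped;
    return hit;
}

/* Constructed scenario: three anonymous pages, the middle one made PROT_NONE,
 * and a two-byte "gadget" (pop rdi; ret = 5f c3) planted in the third page.
 * Returns the gadget's offset from the region base, or -1 if not found. */
long demo_scan(size_t *skipped_out) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    static const unsigned char gadget[] = { 0x5f, 0xc3 };
    unsigned char *region = mmap(NULL, 3 * page, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    memcpy(region + 2 * page + 100, gadget, sizeof gadget);
    mprotect(region + page, page, PROT_NONE);
    const unsigned char *hit = scan_readable(region, 3 * page, gadget,
                                             sizeof gadget, skipped_out);
    long off = hit ? (long)(hit - region) : -1;
    munmap(region, 3 * page);
    return off;
}
long demo_skipped_pages(void) { size_t s = 0; demo_scan(&s); return (long)s; }

int main(void) {
    size_t skipped = 0;
    long off = demo_scan(&skipped);
    printf("gadget at offset %ld, %zu unreadable page(s) skipped\n", off, skipped);
    return off < 0;
}
```

The point of the calibration step in probe_readable is the same caveat the researchers had to handle: a transaction can abort for reasons that have nothing to do with the address being probed, so a single abort is not proof that memory is unmapped, and a CPU that reports RTM in CPUID may still refuse every transaction once microcode has disabled TSX.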
The processor won't load just any code into an enclave. Enclave developers need a commercial agreement with Intel to develop enclaves. Under this agreement, Intel blesses a code-signing certificate belonging to the developer and adds it to a whitelist. A special enclave developed by Intel (which the processor implicitly trusts) then checks each piece of code as it's loaded to ensure that it's signed with one of the whitelisted certificates. A malware developer probably won't want to enter into such an agreement with Intel, and the terms of the agreement explicitly prohibit developing SGX malware, though how much that restriction is worth is open to question.
This can be circumvented, however, by writing an enclave that loads a payload from disk and then executes it; the loader needs a whitelisted signature, but the payload doesn't. This approach is useful anyway, because while enclave code runs in encrypted memory, the enclave libraries on disk aren't themselves encrypted. With a dynamic loader, the payload on disk can be encrypted and decrypted only once it's inside the enclave. The loader itself wouldn't be malicious, giving some plausible deniability that anything malicious was ever intended. Indeed, an enclave could be entirely benign but contain exploitable bugs that let attackers inject their malicious code into it; SGX doesn't protect against plain old coding errors.
This aspect of SGX has been widely criticized, as it makes Intel a gatekeeper for all SGX applications. Accordingly, second-generation SGX systems (which include some eighth-generation and newer processors) relax this restriction, making it possible to launch enclaves that aren't signed with an Intel-whitelisted certificate.
The research shows that SGX can be used in a way that wasn't thought possible: malware can be housed in a protected enclave such that the unencrypted code of that malware is never exposed to the host operating system, including antivirus software. Moreover, the malware isn't confined by the enclave: it can subvert the host application to gain access to the operating system's API, opening the door to attacks such as encrypting the victim's files.
For this threat model …
The attack is esoteric, but as SGX becomes more widespread, attackers will probe it more and more and find ways to subvert and co-opt it. We saw similar things with the introduction of hardware virtualization support;
Intel was informed of the research and responded:

This research is based upon assumptions that are outside the threat model for Intel® SGX. The value of Intel SGX is to execute code in a protected enclave; however, Intel SGX does not guarantee that the code executed in the enclave is from a trusted source. In all cases, we recommend using programs, files, applications, and plugins from trusted sources. Customer protection continues to be a top priority for us, and we would like to thank Michael Schwarz, Samuel Weiser, and Daniel Gruss for their ongoing research and for working with Intel on coordinated vulnerability disclosure.
In other words, as far as Intel is concerned, SGX is working as intended: it protects the enclave's contents from the rest of the system. If you run something bad inside an enclave, the company makes no promise that bad things won't happen to your computer; SGX simply isn't designed to protect against that.
That may be so, but SGX gives developers some powerful capabilities they didn't have before. "How are the bad guys going to abuse this?" is an obvious question that needs to be asked, because if you hand them an advantage, they will take it.