Researchers in cybersecurity have found a way to conceal malicious code in Intel SGX enclaves, a hardware-based memory encryption feature in modern processors that isolates sensitive code and data to prevent disclosure and modification.
In other words, the technique enables attackers to implant malicious code in a secure memory that employs SGX’s protection features, which are designed to protect sensitive data from prying eyes and tampering, even on a compromised system.
SGX (Software Guard Extensions) was introduced with Intel’s Skylake processors. It enables developers to run selected application modules in completely isolated, secure regions of memory called enclaves. These enclaves are designed to be protected from processes running at higher privilege levels, such as the operating system, kernel, BIOS, SMM, hypervisor, etc.
However, a group of researchers, some of whom were responsible for the discovery of the Spectre-Meltdown CPU flaws, were able to circumvent this protection and install their malicious application in the secure enclaves by employing the age-old return-oriented programming technique (ROP).
The attack also employs Transactional Synchronization eXtensions (TSX), which are present in modern Intel CPUs, along with a novel fault-resistant read primitive technique called TSX-based Address Probing (TAP).
TAP uses TSX to determine if a virtual address is accessible by the current process. This exploration of memory is undetectable, as operating system-level applications are not intended to peer inside an enclave.
“Our SGX-ROP attack uses a new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code reuse attack from within an enclave,” reads a research paper [PDF] published on Tuesday.
The team developed a fault-resistant write primitive, Checking Located Addresses for Writability (CLAW), to determine whether a memory page is writable. CLAW encapsulates the write instruction for the target memory page within a TSX transaction and explicitly aborts the transaction after the write.
The writability of the target memory page can then be deduced based on the transaction’s return value.
Once malware infiltrates a secure enclave, the confidentiality and integrity that SGX fundamentally guarantees to legitimate programs would prevent researchers or security solutions from detecting or analyzing the malware.
This would eventually enable the malicious application to circumvent various security technologies, such as operating system-level Address Space Layout Randomization (ASLR), stack canaries, and address sanitizer, and to execute arbitrary code on the targeted system.
In addition, there is a potential threat of next-generation ransomware that, if implemented correctly, prevents ransomware recovery tools from functioning.
The researchers stated that their team’s proof-of-concept exploits circumvented ASLR, stack canaries, and address sanitizer to “run ROP gadgets in the host context enabling practical enclave malware” and that the entire exploit process took 20.8 seconds.
Instead of protecting users from harm, SGX currently poses a security threat by facilitating so-called “super-malware” with ready-to-use exploits, concluded the academics.
Future generations of Intel CPUs could implement countermeasures against such attacks by sandboxing SGX enclaves better. Some of these countermeasures would necessitate hardware modifications without incurring any performance penalty, while others would not necessitate hardware modifications but would incur a performance penalty.
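Because the attack described above relies on both SGX and TSX transactions, a defender can start by inventorying which hosts advertise both features. The following is an added example, not code from the research paper: the function and flag names are this example's own, and the bit positions are the CPUID feature bits documented in the Intel SDM.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Feature bits in CPUID.(EAX=07H,ECX=0):EBX, as documented in the Intel SDM. */
#define L7_EBX_SGX (1u << 2)   /* SGX supported by the processor */
#define L7_EBX_HLE (1u << 4)   /* TSX: Hardware Lock Elision */
#define L7_EBX_RTM (1u << 11)  /* TSX: explicit transactions (XBEGIN/XEND/XABORT) */

/* Result flags (names are this example's own). */
enum { HAS_SGX = 1, HAS_SGX1 = 2, HAS_SGX2 = 4, HAS_RTM = 8, HAS_HLE = 16 };

/* Pure decoder, so it can be exercised on constructed register values. */
unsigned decode_features(uint32_t leaf7_ebx, uint32_t leaf12_eax)
{
    unsigned f = 0;
    if (leaf7_ebx & L7_EBX_SGX) {
        f |= HAS_SGX;
        /* Leaf 12H sub-leaf 0 is only defined when the SGX bit is set. */
        if (leaf12_eax & 1u) f |= HAS_SGX1;
        if (leaf12_eax & 2u) f |= HAS_SGX2;
    }
    if (leaf7_ebx & L7_EBX_RTM) f |= HAS_RTM;
    if (leaf7_ebx & L7_EBX_HLE) f |= HAS_HLE;
    return f;
}

/* True when the CPU exposes both features the article says the attack uses. */
int prerequisites_present(unsigned f)
{
    return (f & HAS_SGX) && (f & HAS_RTM);
}

int main(void)
{
    unsigned a = 0, b = 0, c = 0, d = 0, a12 = 0, x = 0;
#if defined(__x86_64__) || defined(__i386__)
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d) && (b & L7_EBX_SGX))
        __get_cpuid_count(0x12, 0, &a12, &x, &c, &d);
#endif
    unsigned f = decode_features(b, a12);
    printf("SGX=%d SGX1=%d SGX2=%d RTM=%d HLE=%d -> %s\n",
           !!(f & HAS_SGX), !!(f & HAS_SGX1), !!(f & HAS_SGX2),
           !!(f & HAS_RTM), !!(f & HAS_HLE),
           prerequisites_present(f) ? "both prerequisites present"
                                    : "prerequisites not both present");
    return 0;
}
```

A set bit means the processor advertises the feature; whether SGX is actually usable on a host also depends on firmware enabling it.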