Researchers Implant “Protected” Malware On Intel SGX Enclaves

Researchers in cybersecurity have found a way to conceal malicious code in Intel SGX enclaves, a hardware-based memory encryption feature in modern processors that isolates sensitive code and data to prevent disclosure and modification.

In other words, the technique enables attackers to implant malicious code in a secure memory that employs SGX’s protection features, which are designed to protect sensitive data from prying eyes and tampering, even on a compromised system.

SGX (Software Guard Extensions) was introduced with Intel’s Skylake processors. It enables developers to run selected application modules in completely isolated secure regions of memory called enclaves. These enclaves are designed to be protected from software running at higher privilege levels, such as the operating system, kernel, BIOS, SMM, and hypervisor.

However, a group of researchers, some of whom were responsible for the discovery of the Spectre-Meltdown CPU flaws, were able to circumvent this protection and install their malicious application in the secure enclaves by employing the age-old return-oriented programming (ROP) technique.

The attack also employs Transactional Synchronization eXtensions (TSX), which are present in modern Intel CPUs, along with a novel fault-resistant read primitive technique called TSX-based Address Probing (TAP).

TAP uses TSX to determine if a virtual address is accessible by the current process. This exploration of memory is undetectable, as operating system-level applications are not intended to peer inside an enclave.

“Our SGX-ROP attack uses a new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code reuse attack from within an enclave,” reads a research paper [PDF] published on Tuesday.

The team developed a fault-resistant write primitive, Checking Located Addresses for Writability (CLAW), to determine whether a memory page is writable. CLAW encapsulates the write instruction for the target memory page within a TSX transaction and explicitly aborts the transaction after the write.

The writability of the target memory page can then be deduced based on the transaction’s return value.

Once malware infiltrates a secure enclave, the confidentiality and integrity that SGX fundamentally guarantees to legitimate programs would prevent researchers or security solutions from detecting or analyzing the malware.

This would eventually enable the malicious application to circumvent various security technologies, such as operating system-level Address Space Layout Randomization (ASLR), stack canaries, and address sanitizer, and to execute arbitrary code on the targeted system.

In addition, there is a potential threat of next-generation ransomware that, if implemented correctly, prevents ransomware recovery tools from functioning.

The researchers stated that their team’s proof-of-concept exploits circumvented ASLR, stack canaries, and address sanitizer to “run ROP gadgets in the host context enabling practical enclave malware” and that the entire exploit process took 20.8 seconds.

Instead of protecting users from harm, SGX currently poses a security threat by facilitating so-called “super-malware” with ready-to-use exploits, concluded the academics.

Future generations of Intel CPUs could implement countermeasures against such attacks by sandboxing SGX enclaves better. Some of these countermeasures would necessitate hardware modifications without incurring any performance penalty, while others would not necessitate hardware modifications but would incur a performance penalty.
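The attack described above relies on two CPU features, SGX and TSX, so a defender's first inventory question is which hosts advertise both. The following is an added example, not code from the article or the research paper; it assumes a Linux kernel that lists the `sgx` and `rtm` flags in `/proc/cpuinfo`, and the function names and sample excerpts are constructed for illustration.

```python
import re

# Constructed /proc/cpuinfo excerpts (flag lists shortened), not from real hosts.
SAMPLE_BOTH = """processor\t: 0
flags\t\t: fpu vme sse2 rtm hle sgx sgx_lc
processor\t: 1
flags\t\t: fpu vme sse2 rtm hle sgx sgx_lc
"""
SAMPLE_SGX_ONLY = """processor\t: 0
flags\t\t: fpu vme sse2 sgx sgx_lc
"""
SAMPLE_NEITHER = """processor\t: 0
flags\t\t: fpu vme sse2 avx2
"""

def per_cpu_flags(cpuinfo_text):
    """Return one set of feature flags per logical CPU listed in the text."""
    # Anchored at line start, so the separate 'vmx flags' line is not picked up.
    return [set(m.group(1).split())
            for m in re.finditer(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)]

def sgx_tsx_exposure(cpuinfo_text):
    """Classify a host by the two features the article says the attack uses."""
    cpus = per_cpu_flags(cpuinfo_text)
    if not cpus:
        return "unknown"  # no flags lines: not x86 Linux cpuinfo
    # Whole-token match, so 'sgx_lc' alone is not counted as 'sgx'.
    sgx = any("sgx" in flags for flags in cpus)
    rtm = any("rtm" in flags for flags in cpus)  # RTM provides TSX transactions
    if sgx and rtm:
        return "sgx+tsx"
    if sgx:
        return "sgx-only"
    if rtm:
        return "tsx-only"
    return "neither"

if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as fh:
            print("this host:", sgx_tsx_exposure(fh.read()))
    except OSError:
        print("sample:", sgx_tsx_exposure(SAMPLE_BOTH))
```

A result of `sgx+tsx` only means the CPU advertises both features; it does not show that any enclave is loaded or that the host is compromised.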


The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.
