Malware guard extension: Using SGX to conceal cache attacks

Michael Schwarz; Samuel Weiser; Daniel Gruss; Clémentine Maurice; Stefan Mangard

doi:10.1007/978-3-319-60876-1_1

Malware guard extension: Using SGX to conceal cache attacks

Michael Schwarz^*, Samuel Weiser, Daniel Gruss, Clémentine Maurice, Stefan Mangard

^*Corresponding author for this work

Institute of Applied Information Processing and Communications (7050)

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine. However, the hypervisor does not protect tenants against the cloud provider and thus the supplied operating system and hardware. Intel SGX provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers. In this paper, we demonstrate fine-grained software-based sidechannel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works although in SGX enclaves there are no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces.

Original language	English
Title of host publication	Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017
Publisher	Springer-Verlag Italia
Pages	3-24
Number of pages	22
Volume	10327 LNCS
ISBN (Print)	9783319608754
DOIs	https://doi.org/10.1007/978-3-319-60876-1_1
Publication status	Published - 2017
Event	14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017 - Bonn, Germany Duration: 6 Jul 2017 → 7 Jul 2017

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10327 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017
Country/Territory	Germany
City	Bonn
Period	6/07/17 → 7/07/17

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-319-60876-1_1

malware_guard_extensionAccepted author manuscript, 1.12 MB

Cite this

Schwarz, M., Weiser, S., Gruss, D., Maurice, C., & Mangard, S. (2017). Malware guard extension: Using SGX to conceal cache attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017 (Vol. 10327 LNCS, pp. 3-24). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10327 LNCS). Springer-Verlag Italia. https://doi.org/10.1007/978-3-319-60876-1_1

Malware guard extension: Using SGX to conceal cache attacks. / Schwarz, Michael; Weiser, Samuel; Gruss, Daniel et al.
Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. Vol. 10327 LNCS Springer-Verlag Italia, 2017. p. 3-24 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10327 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Schwarz, M, Weiser, S, Gruss, D, Maurice, C & Mangard, S 2017, Malware guard extension: Using SGX to conceal cache attacks. in Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. vol. 10327 LNCS, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10327 LNCS, Springer-Verlag Italia, pp. 3-24, 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017, Bonn, Germany, 6/07/17. https://doi.org/10.1007/978-3-319-60876-1_1

Schwarz M, Weiser S, Gruss D, Maurice C, Mangard S. Malware guard extension: Using SGX to conceal cache attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. Vol. 10327 LNCS. Springer-Verlag Italia. 2017. p. 3-24. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-60876-1_1

Schwarz, Michael ; Weiser, Samuel ; Gruss, Daniel et al. / Malware guard extension : Using SGX to conceal cache attacks. Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. Vol. 10327 LNCS Springer-Verlag Italia, 2017. pp. 3-24 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{dfe167e24bbb49988bb3329a399a05ac,

title = "Malware guard extension: Using SGX to conceal cache attacks",

abstract = "In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine. However, the hypervisor does not protect tenants against the cloud provider and thus the supplied operating system and hardware. Intel SGX provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers. In this paper, we demonstrate fine-grained software-based sidechannel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works although in SGX enclaves there are no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces.",

author = "Michael Schwarz and Samuel Weiser and Daniel Gruss and Cl{\'e}mentine Maurice and Stefan Mangard",

year = "2017",

doi = "10.1007/978-3-319-60876-1_1",

language = "English",

isbn = "9783319608754",

volume = "10327 LNCS",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer-Verlag Italia",

pages = "3--24",

booktitle = "Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017",

address = "Italy",

note = "14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017 ; Conference date: 06-07-2017 Through 07-07-2017",

}

TY - GEN

T1 - Malware guard extension

T2 - 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017

AU - Schwarz, Michael

AU - Weiser, Samuel

AU - Gruss, Daniel

AU - Maurice, Clémentine

AU - Mangard, Stefan

PY - 2017

Y1 - 2017

N2 - In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine. However, the hypervisor does not protect tenants against the cloud provider and thus the supplied operating system and hardware. Intel SGX provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers. In this paper, we demonstrate fine-grained software-based sidechannel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works although in SGX enclaves there are no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces.

AB - In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine. However, the hypervisor does not protect tenants against the cloud provider and thus the supplied operating system and hardware. Intel SGX provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers. In this paper, we demonstrate fine-grained software-based sidechannel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works although in SGX enclaves there are no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces.

UR - http://www.scopus.com/inward/record.url?scp=85022328708&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-60876-1_1

DO - 10.1007/978-3-319-60876-1_1

M3 - Conference paper

AN - SCOPUS:85022328708

SN - 9783319608754

VL - 10327 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 3

EP - 24

BT - Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017

PB - Springer-Verlag Italia

Y2 - 6 July 2017 through 7 July 2017

ER -

Malware guard extension: Using SGX to conceal cache attacks

Abstract

Publication series

Conference

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

EU - SOPHIA - Securing Software against Physical Attacks

Dependable Internet of Things

Cite this

Malware guard extension: Using SGX to conceal cache attacks

Abstract

Publication series

Conference

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Projects

EU - SOPHIA - Securing Software against Physical Attacks

Dependable Internet of Things

Cite this