Cybersecurity researchers have discovered a way to hide malicious code in Intel SGX enclaves, a hardware-based memory encryption feature in modern processors that isolates sensitive code and data to protect it from disclosure or modification.
In other words, the technique allows attackers to implant malware code in a secure memory that uses protection features of SGX which are otherwise designed to protect important data from prying eyes or from being tampered, even on a compromised system.
Introduced with Intel’s Skylake processors, SGX (Software Guard Extensions) allows developers to run selected application modules in a completely isolated secure region of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels like the operating system, kernel, BIOS, SMM, hypervisor, etc.
However, a team of researchers, some of whom were behind the discovery of the Spectre-Meltdown CPU flaws, managed to bypass this protection and got their own malicious application in the secure enclaves by leveraging the age-old technique of return-oriented programming (ROP).
The attack also uses Transactional Synchronization eXtensions (TSX), found in modern Intel CPUs, in conjunction with a novel fault-resistant read primitive technique called TSX-based Address Probing (TAP).
TAP uses TSX to determine if a virtual address is accessible by the current process, and this exploration of memory is undetectable because operating system-level applications cannot look inside an enclave, by design.
“Our SGX-ROP attack uses new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code reuse attack from within an enclave which is then inadvertently executed by the host application,” reads a research paper [PDF] published Tuesday.
To determine whether a memory page is writable, the team developed a fault-resistant write primitive, Checking Located Addresses for Writability (CLAW), which encapsulates the write instruction for the target memory page within a TSX transaction and explicitly aborts the transaction after the write.
After that, the writability of the target memory page can be deduced based on the return value of the transaction.
Once the malware gets its way into the secure enclave, the confidentiality and integrity that SGX fundamentally guarantees to legit programs would also prohibit researchers or security solutions from detecting and analyzing the malware within an enclave.
This would eventually allow the malware app to bypass various security technologies, such as operating system-level Address Space Layout Randomization (ASLR), stack canaries, and address sanitizer, as well as execute arbitrary code on the targeted system.
“Moreover, there’s a potential threat of next-generation ransomware which securely keeps encryption keys inside the enclave and, if implemented correctly, prevents ransomware recovery tools,” the academics explain.
The researchers said the proof-of-concept exploit developed by their team bypassed ASLR, stack canaries, and address sanitizer, to “run ROP gadgets in the host context enabling practical enclave malware,” noting that the entire exploit process took 20.8 seconds.
In the end, the academics concluded that instead of “protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits.”
The mitigations against such attacks could be implemented in future generations of Intel CPUs that better sandbox the SGX enclaves. While some of those mitigations would require hardware-level changes without costing any performance, some would not require hardware modifications but would trade some performance.