Malware guard extension: Using SGX to conceal cache attacks

Michael Schwarz*, Samuel Weiser, Daniel Gruss, Clémentine Maurice, Stefan Mangard

*Korrespondierende/r Autor/-in für diese Arbeit

Publikation: Beitrag in Buch/Bericht/KonferenzbandBeitrag in einem KonferenzbandBegutachtung

Abstract

In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine. However, the hypervisor does not protect tenants against the cloud provider and thus the supplied operating system and hardware. Intel SGX provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers. In this paper, we demonstrate fine-grained software-based sidechannel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works although in SGX enclaves there are no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces.

Originalspracheenglisch
TitelDetection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017
Herausgeber (Verlag)Springer-Verlag Italia
Seiten3-24
Seitenumfang22
Band10327 LNCS
ISBN (Print)9783319608754
DOIs
PublikationsstatusVeröffentlicht - 2017
Veranstaltung14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017 - Bonn, Deutschland
Dauer: 6 Juli 20177 Juli 2017

Publikationsreihe

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Band10327 LNCS
ISSN (Print)0302-9743
ISSN (elektronisch)1611-3349

Konferenz

Konferenz14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017
Land/GebietDeutschland
OrtBonn
Zeitraum6/07/177/07/17

ASJC Scopus subject areas

  • Theoretische Informatik
  • Informatik (insg.)

Fingerprint

Untersuchen Sie die Forschungsthemen von „Malware guard extension: Using SGX to conceal cache attacks“. Zusammen bilden sie einen einzigartigen Fingerprint.

Dieses zitieren