Malware guard extension: Using SGX to conceal cache attacks

Publication: Chapter in book/report/conference proceedings › Conference contribution › Research › peer-reviewed

Abstract

In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine. However, the hypervisor does not protect tenants against the cloud provider and thus the supplied operating system and hardware. Intel SGX provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers. In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works although in SGX enclaves there are no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces.
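The Prime+Probe channel the abstract relies on, as an added example that is not code from the paper or its authors: the cache, the victim and the attacker are all modelled in Python so the run is deterministic. The cache geometry (64-byte lines, 4 ways, 64 sets), the buffer addresses SQUARE_LINE and MULTIPLY_LINE, and the toy exponent and modulus are assumptions chosen for the demo; the victim is a plain left-to-right square-and-multiply, not the RSA implementation the paper attacks. The attacker primes the cache set that the victim's multiply() buffer maps to, lets the victim process one exponent bit (the semi-synchronous setting), then probes the same set: misses mean the victim touched it, so multiply() ran, so the bit was 1. Both primitives run in constant time here; what leaks is whether multiply() executed at all, which is why a constant-time multiplication primitive alone does not close this channel.

```python
"""Prime+Probe on a modelled cache, leaking square-and-multiply control flow.

Added illustration, not code from the DIMVA 2017 paper. Cache geometry,
addresses and the toy exponent/modulus below are assumptions for the demo.
"""

LINE_BYTES = 64      # cache-line size (assumed)
WAYS = 4             # associativity of the modelled cache (assumed)
SETS = 64            # number of sets in the modelled cache (assumed)

# Hypothetical addresses of the working buffers used by the victim's
# square() and multiply() routines. They map to different cache sets
# (0 and 1), so the attacker can monitor the multiply set on its own.
SQUARE_LINE = 0x1000
MULTIPLY_LINE = 0x2040


class Cache:
    """Set-associative LRU cache; access() returns True on a miss."""

    def __init__(self):
        self.sets = [[] for _ in range(SETS)]

    @staticmethod
    def index(addr):
        return (addr // LINE_BYTES) % SETS

    @staticmethod
    def tag(addr):
        return addr // (LINE_BYTES * SETS)

    def access(self, addr):
        lines = self.sets[self.index(addr)]
        t = self.tag(addr)
        if t in lines:
            lines.remove(t)
            lines.append(t)          # most recently used goes last
            return False             # hit
        if len(lines) == WAYS:
            lines.pop(0)             # evict the least recently used line
        lines.append(t)
        return True                  # miss


class Victim:
    """Left-to-right square-and-multiply exponentiation, one bit per step().

    Both primitives take the same time whatever their operands; the leak is
    that multiply() only runs when the current exponent bit is 1.
    """

    def __init__(self, base, exponent, modulus, cache):
        self.base, self.mod, self.cache = base, modulus, cache
        self.bits = format(exponent, "b")   # MSB first
        self.pos = 0
        self.result = 1

    def step(self):
        """Consume the next exponent bit; False once the exponent is exhausted."""
        if self.pos == len(self.bits):
            return False
        self.cache.access(SQUARE_LINE)            # square() reads its buffer
        self.result = (self.result * self.result) % self.mod
        if self.bits[self.pos] == "1":
            self.cache.access(MULTIPLY_LINE)      # multiply() reads its buffer
            self.result = (self.result * self.base) % self.mod
        self.pos += 1
        return True


def eviction_set(target):
    """Attacker-owned lines sharing target's cache set but with other tags."""
    stride = LINE_BYTES * SETS
    return [target + k * stride for k in range(1, WAYS + 1)]


def prime_probe(cache, victim):
    """One miss count per victim step: a non-zero count means multiply() ran."""
    ev = eviction_set(MULTIPLY_LINE)
    for addr in ev:                                     # prime: fill the set
        cache.access(addr)
    trace = []
    while victim.step():                                # victim handles one bit
        misses = sum(cache.access(addr) for addr in ev)  # probe (re-primes too)
        trace.append(misses)
    return trace


def recover_exponent(trace):
    """Translate the miss trace back into exponent bits, MSB first."""
    return int("".join("1" if m else "0" for m in trace), 2)


def run_demo(base=7, exponent=0xB3A5, modulus=2**61 - 1):
    """Returns (victim's true result, exponent recovered from the trace, trace)."""
    cache = Cache()
    victim = Victim(base, exponent, modulus, cache)
    trace = prime_probe(cache, victim)
    return victim.result, recover_exponent(trace), trace


if __name__ == "__main__":
    result, leaked, trace = run_demo()
    print("trace       :", trace)
    print("leaked exp  :", bin(leaked))
    print("true exp    :", bin(0xB3A5))
    print("result valid:", result == pow(7, 0xB3A5, 2**61 - 1))
```

With an LRU set the single victim access evicts the oldest attacker line, and the probe then cascades through all four ways, so a 1 bit shows up as 4 misses and a 0 bit as none. The model deliberately skips the parts the paper has to solve inside an enclave: finding an eviction set without physical addresses or large pages, and telling a hit from a miss without a timer. Those are precisely the obstacles the abstract lists, and the reason the demo inspects the simulated cache directly instead of measuring access latency.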

Original language: English
Title: Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017
Publisher: Springer-Verlag Italia
Pages: 3-24
Number of pages: 22
Volume: 10327 LNCS
DOI: 10.1007/978-3-319-60876-1_1
Publication status: Published - 2017
Event: 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2017 - Bonn, Germany
Duration: 6 Jul 2017 - 7 Jul 2017

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 10327 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2017
Country: Germany
City: Bonn
Period: 6/07/17 - 7/07/17

Fingerprint

Malware
Cache
Physical addresses
Attack
Hardware
Operating Systems
Computer hardware
Containers
Side Channel Attacks
Computer systems
Data storage equipment
Trace
Scenarios
Software
Shared Memory
Time Constant
Container
Demonstrate
Multiplication
Probe

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science (all)

Cite this

Schwarz, M., Weiser, S., Gruss, D., Maurice, C., & Mangard, S. (2017). Malware guard extension: Using SGX to conceal cache attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017 (Vol. 10327 LNCS, pp. 3-24). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10327 LNCS). Springer-Verlag Italia. https://doi.org/10.1007/978-3-319-60876-1_1

Malware guard extension : Using SGX to conceal cache attacks. / Schwarz, Michael; Weiser, Samuel; Gruss, Daniel; Maurice, Clémentine; Mangard, Stefan.

Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. Vol. 10327 LNCS Springer-Verlag Italia, 2017. pp. 3-24 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10327 LNCS).

Schwarz, M, Weiser, S, Gruss, D, Maurice, C & Mangard, S 2017, Malware guard extension: Using SGX to conceal cache attacks. in Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. Vol. 10327 LNCS, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Vol. 10327 LNCS, Springer-Verlag Italia, pp. 3-24, Bonn, Germany, 6/07/17. https://doi.org/10.1007/978-3-319-60876-1_1
Schwarz M, Weiser S, Gruss D, Maurice C, Mangard S. Malware guard extension: Using SGX to conceal cache attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. Vol. 10327 LNCS. Springer-Verlag Italia. 2017. p. 3-24. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-319-60876-1_1
Schwarz, Michael ; Weiser, Samuel ; Gruss, Daniel ; Maurice, Clémentine ; Mangard, Stefan. / Malware guard extension : Using SGX to conceal cache attacks. Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. Vol. 10327 LNCS Springer-Verlag Italia, 2017. pp. 3-24 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{dfe167e24bbb49988bb3329a399a05ac,
title = "Malware guard extension: Using SGX to conceal cache attacks",
abstract = "In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine. However, the hypervisor does not protect tenants against the cloud provider and thus the supplied operating system and hardware. Intel SGX provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers. In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works although in SGX enclaves there are no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96{\%} of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces.",
author = "Michael Schwarz and Samuel Weiser and Daniel Gruss and Cl{\'e}mentine Maurice and Stefan Mangard",
year = "2017",
doi = "10.1007/978-3-319-60876-1_1",
language = "English",
isbn = "9783319608754",
volume = "10327 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer-Verlag Italia",
pages = "3--24",
booktitle = "Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017",
address = "Italy",

}

TY - GEN

T1 - Malware guard extension

T2 - Using SGX to conceal cache attacks

AU - Schwarz, Michael

AU - Weiser, Samuel

AU - Gruss, Daniel

AU - Maurice, Clémentine

AU - Mangard, Stefan

PY - 2017

Y1 - 2017

AB - In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine. However, the hypervisor does not protect tenants against the cloud provider and thus the supplied operating system and hardware. Intel SGX provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers. In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works although in SGX enclaves there are no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces.

UR - http://www.scopus.com/inward/record.url?scp=85022328708&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-60876-1_1

DO - 10.1007/978-3-319-60876-1_1

M3 - Conference contribution

SN - 9783319608754

VL - 10327 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 3

EP - 24

BT - Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017

PB - Springer-Verlag Italia

ER -