Practical Enclave Malware with Intel SGX

Michael Schwarz, Samuel Weiser, Daniel Gruß

Publikation: Beitrag in Buch/Bericht/KonferenzbandBeitrag in einem Konferenzband

Abstract

Modern CPU architectures offer strong isolation guarantees
towards user applications in the form of enclaves. However, Intel’s threat
model for SGX assumes fully trusted enclaves and there doubt about
how realistic this is. In particular, it is unclear to what extent enclave
malware could harm a system. In this work, we practically demonstrate
the first enclave malware which fully and stealthily impersonates its host
application. Together with poorly-deployed application isolation on personal computers, such malware can not only steal or encrypt documents
for extortion but also act on the user’s behalf, e.g., send phishing emails
or mount denial-of-service attacks. Our SGX-ROP attack uses new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code-reuse attack from within an enclave which is
then inadvertently executed by the host application. With SGX-ROP,
we bypass ASLR, stack canaries, and address sanitizer. We demonstrate
that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits. With our results, we demystify the enclave malware threat and
lay ground for future research on defenses against enclave malware.
Originalspracheenglisch
TitelDetection of Intrusions and Malware, and Vulnerability Assessment
Untertitel16th International Conference, DIMVA 2019, 2019
ErscheinungsortCham
Herausgeber (Verlag)Springer International
Seiten177-196
ISBN (elektronisch)978-3-030-22038-9
ISBN (Print)978-3-030-22037-2
DOIs
PublikationsstatusVeröffentlicht - Jun 2019
Veranstaltung16th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment - Gothenburg, Gothenburg, Schweden
Dauer: 19 Jun 201920 Jun 2019
https://www.dimva2019.org/

Publikationsreihe

NameLecture Notes in Computer Science
Band11543

Konferenz

Konferenz16th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
KurztitelDIMVA 2019
LandSchweden
OrtGothenburg
Zeitraum19/06/1920/06/19
Internetadresse

ASJC Scopus subject areas

  • !!Computer Science(all)

Fingerprint

Untersuchen Sie die Forschungsthemen von „Practical Enclave Malware with Intel SGX“. Zusammen bilden sie einen einzigartigen Fingerprint.

Dieses zitieren