Projects per year
Abstract
Modern CPU architectures offer strong isolation guarantees
towards user applications in the form of enclaves. However, Intel’s threat
model for SGX assumes fully trusted enclaves and there doubt about
how realistic this is. In particular, it is unclear to what extent enclave
malware could harm a system. In this work, we practically demonstrate
the first enclave malware which fully and stealthily impersonates its host
application. Together with poorly-deployed application isolation on personal computers, such malware can not only steal or encrypt documents
for extortion but also act on the user’s behalf, e.g., send phishing emails
or mount denial-of-service attacks. Our SGX-ROP attack uses new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code-reuse attack from within an enclave which is
then inadvertently executed by the host application. With SGX-ROP,
we bypass ASLR, stack canaries, and address sanitizer. We demonstrate
that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits. With our results, we demystify the enclave malware threat and
lay ground for future research on defenses against enclave malware.
towards user applications in the form of enclaves. However, Intel’s threat
model for SGX assumes fully trusted enclaves and there doubt about
how realistic this is. In particular, it is unclear to what extent enclave
malware could harm a system. In this work, we practically demonstrate
the first enclave malware which fully and stealthily impersonates its host
application. Together with poorly-deployed application isolation on personal computers, such malware can not only steal or encrypt documents
for extortion but also act on the user’s behalf, e.g., send phishing emails
or mount denial-of-service attacks. Our SGX-ROP attack uses new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code-reuse attack from within an enclave which is
then inadvertently executed by the host application. With SGX-ROP,
we bypass ASLR, stack canaries, and address sanitizer. We demonstrate
that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits. With our results, we demystify the enclave malware threat and
lay ground for future research on defenses against enclave malware.
| Original language | English |
|---|---|
| Title of host publication | Detection of Intrusions and Malware, and Vulnerability Assessment |
| Subtitle of host publication | 16th International Conference, DIMVA 2019, 2019 |
| Place of Publication | Cham |
| Publisher | Springer International |
| Pages | 177-196 |
| ISBN (Electronic) | 978-3-030-22038-9 |
| ISBN (Print) | 978-3-030-22037-2 |
| DOIs | |
| Publication status | Published - Jun 2019 |
| Event | 16th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment - Gothenburg, Gothenburg, Sweden Duration: 19 Jun 2019 → 20 Jun 2019 https://www.dimva2019.org/ |
Publication series
| Name | Lecture Notes in Computer Science |
|---|---|
| Volume | 11543 |
Conference
| Conference | 16th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment |
|---|---|
| Abbreviated title | DIMVA 2019 |
| Country/Territory | Sweden |
| City | Gothenburg |
| Period | 19/06/19 → 20/06/19 |
| Internet address |
ASJC Scopus subject areas
- General Computer Science
Fingerprint
Dive into the research topics of 'Practical Enclave Malware with Intel SGX'. Together they form a unique fingerprint.Projects
- 3 Finished
-
Dessnet - Dependable, secure and time-aware sensor networks
Mangard, S., Glanzer, C., Görtschacher, L. J., Bösch, W., Grosinger, J., Fischbacher, R. B., Deutschmann, B. & Shetty, D.
1/06/17 → 31/07/21
Project: Research project
-
-
Dependable Internet of Things
Boano, C. A., Kubin, G., Bloem, R., Horn, M., Pernkopf, F., Zakany, N., Mangard, S., Witrisal, K., Römer, K. U., Aichernig, B., Bösch, W., Baunach, M. C., Tappler, M., Malenko, M., Weiser, S., Eichlseder, M., Leitinger, E., Grosinger, J., Großwindhager, B., Ebrahimi, M., Alothman Alterkawi, A. B., Knoll, C., Teschl, R., Saukh, O., Rath, M., Steinberger, M., Steinbauer-Wagner, G. & Tranninger, M.
1/01/16 → 31/03/22
Project: Research project