[PPT] - CopyCat: Controlled Instruction-Level Attacks on Enclaves Daniel PowerPoint Presentation

SLIDE 1

CopyCat: Controlled Instruction-Level Attacks on Enclaves

Daniel Moghimi
Jo Van Bulck
Nadia Heninger
Frank Piessens
Berk Sunar

Intel Labs –

Sept. 10 2020

SLIDE 2

OS/Hypervisor Security Model

2

Hardware Hypervisor OS

App App App

Traditional Security Model

Trusted

SLIDE 3

Trusted Execution Environment (TEE) – Intel SGX

Intel Software Guard eXtensions (SGX)

3

Hardware Hypervisor OS

App App App

Traditional Security Model

Trusted

Hardware Hypervisor OS

App App App

Traditional Security Model

SLIDE 4

Trusted Execution Environment (TEE) – Intel SGX

Intel Software Guard eXtensions (SGX)
Enclave: Hardware protected user-level software module
Mapped by the Operating System
Loaded by the user program
Authenticated and Encrypted by CPU

4

Traditional Security Model

Hardware Hypervisor OS

App App App

SLIDE 5

Trusted Execution Environment (TEE) – Intel SGX

Intel Software Guard eXtensions (SGX)
Enclave: Hardware protected user-level software module
Mapped by the Operating System
Loaded by the user program
Authenticated and Encrypted by CPU
Protects against system

level adversary New Attacker Model: Attacker gets full control over OS

5

Hardware Hypervisor OS

App App App

Traditional Security Model

blocked

Hardware

App

SLIDE 6

Intel SGX Attack Taxonomy

6

Intel’s Responsibility
Microcode Patches / Hardware mitigation
TCB Recovery
Old Keys are Revoked
Remote attestation succeeds only with mitigation.
Hyperthreading is out
Remote Attestation Warning

SGX Attacks Intel’s Responsibility

Foreshadow [1] Plundervolt [2]

[1] Van Bulck et al. "Foreshadow: Extracting the keys to the intel SGX kingdom with transient out-of-order execution." USENIX Security 2018. [2] Murdock et al. "Plundervolt: Software-based fault injection attacks against Intel SGX." IEEE S&P 2020.

SLIDE 7

Intel SGX Attack Taxonomy

7

Intel’s Responsibility
Microcode Patches / Hardware mitigation
TCB Recovery
Old Keys are Revoked
Remote attestation succeeds only with mitigation.
Hyperthreading is out
Remote Attestation Warning

SGX Attacks Intel’s Responsibility Software Dev Responsibility

Foreshadow [1] Plundervolt [2]

[1] Van Bulck et al. "Foreshadow: Extracting the keys to the intel SGX kingdom with transient out-of-order execution." USENIX Security 2018. [2] Murdock et al. "Plundervolt: Software-based fault injection attacks against Intel SGX." IEEE S&P 2020.

SLIDE 8

Intel SGX Attack Taxonomy

8

Intel’s Responsibility
Microcode Patches / Hardware mitigation
TCB Recovery
Old Keys are Revoked
Remote attestation succeeds only with mitigation.
Hyperthreading is out
Remote Attestation Warning
µarch Side Channel
Constant-time Coding
Flushing and Isolating buffers
Probabilistic

SGX Attacks Intel’s Responsibility Software Dev Responsibility

Foreshadow [1] Plundervolt [2]

µarch Side Channel

Cache [3][4][5] Branch Predictors [6][7] Interrupt Latency [8]

[1] Van Bulck et al. "Foreshadow: Extracting the keys to the intel SGX kingdom with transient out-of-order execution." USENIX Security 2018. [2] Murdock et al. "Plundervolt: Software-based fault injection attacks against Intel SGX." IEEE S&P 2020. [3] Moghimi et al. "Cachezoom: How SGX amplifies the power of cache attacks." CHES 2017. [4] Brasser et al. "Software grand exposure:{SGX} cache attacks are practical." USENIX WOOT 2017. [5] Schwarz et al. "Malware guard extension: Using SGX to conceal cache attacks." DIMVA 2017. [6] Evtyushkin, Dmitry, et al. "Branchscope: A new side-channel attack on directional branch predictor." ACM SIGPLAN 2018. [7] Lee, Sangho, et al. "Inferring fine-grained control flow inside {SGX} enclaves with branch shadowing." USENIX Security 2017. [8] Van Bulck et al. "Nemesis: Studying microarchitectural timing leaks in rudimentary CPU interrupt logic." ACM CCS 2018.

SLIDE 9

Intel SGX Attack Taxonomy

9

Intel’s Responsibility
Microcode Patches / Hardware mitigation
TCB Recovery
Old Keys are Revoked
Remote attestation succeeds only with mitigation.
Hyperthreading is out
Remote Attestation Warning
µarch Side Channel
Constant-time Coding
Flushing and Isolating buffers
Probabilistic
Deterministic Attacks
Page Fault, A/D Bit, etc. (4kB Granularity)

SGX Attacks Intel’s Responsibility Software Dev Responsibility

Foreshadow [1] Plundervolt [2]

Deterministic – Ctrl Channel

µarch Side Channel

Cache [3][4][5] Branch Predictors [6][7] Interrupt Latency [8] Page Fault [9] A/D Bit [10]

[1] Van Bulck et al. "Foreshadow: Extracting the keys to the intel SGX kingdom with transient out-of-order execution." USENIX Security 2018. [2] Murdock et al. "Plundervolt: Software-based fault injection attacks against Intel SGX." IEEE S&P 2020. [3] Moghimi et al. "Cachezoom: How SGX amplifies the power of cache attacks." CHES 2017. [4] Brasser et al. "Software grand exposure:{SGX} cache attacks are practical." USENIX WOOT 2017. [5] Schwarz et al. "Malware guard extension: Using SGX to conceal cache attacks." DIMVA 2017. [6] Evtyushkin, Dmitry, et al. "Branchscope: A new side-channel attack on directional branch predictor." ACM SIGPLAN 2018. [7] Lee, Sangho, et al. "Inferring fine-grained control flow inside {SGX} enclaves with branch shadowing." USENIX Security 2017. [8] Van Bulck et al. "Nemesis: Studying microarchitectural timing leaks in rudimentary CPU interrupt logic." ACM CCS 2018. [9] Xu et al. "Controlled-channel attacks: Deterministic side channels for untrusted operating systems." IEEE S&P 2015. [10] Wang, Wenhao, et al. "Leaky cauldron on the dark land: Understanding memory side-channel hazards in SGX." ACM CCS 2017.

SLIDE 10

CopyCat Attack

10

SLIDE 11

CopyCat Attack

11

NOP ADD XOR MUL DIV ADD MUL NOP NOP

Malicious OS controls the interrupt handler

Time

Enclave Execution Thread Starts

SLIDE 12

CopyCat Attack

12

NOP ADD XOR MUL DIV ADD MUL NOP NOP

Malicious OS controls the interrupt handler

Time

𝑢1 𝑢2

IRQ Range

SLIDE 13

CopyCat Attack

13

NOP ADD XOR MUL DIV ADD MUL NOP NOP

Malicious OS controls the interrupt handler

Time

𝑢1 𝑢2

IRQ Range

3 4

SLIDE 14

CopyCat Attack

14

NOP ADD XOR MUL DIV ADD MUL NOP NOP

Malicious OS controls the interrupt handler
A threshold to execute 1 or 0 instructions

Time

𝑢1 𝑢2

IRQ Range

1

SLIDE 15

CopyCat Attack

15

NOP ADD XOR MUL DIV ADD MUL NOP NOP

Malicious OS controls the interrupt handler
A threshold to execute 1 or 0 instructions

Time

𝑢1 𝑢2

IRQ Range

SLIDE 16

CopyCat Attack

16

NOP ADD XOR MUL DIV ADD MUL NOP NOP

Malicious OS controls the interrupt handler
A threshold to execute 1 or 0 instructions

Time

𝑢1 𝑢2

IRQ Range

SLIDE 17

CopyCat Attack

17

NOP ADD XOR MUL DIV ADD MUL NOP NOP

Malicious OS controls the interrupt handler
A threshold to execute 1 or 0 instructions

Time

𝑢1 𝑢2

IRQ Range

1

SLIDE 18

CopyCat Attack

18

NOP ADD XOR MUL DIV ADD MUL NOP NOP

Malicious OS controls the interrupt handler
A threshold to execute 1 or 0 instructions

Time

𝑢1 𝑢2

IRQ Range

1

SLIDE 19

CopyCat Attack

19

NOP ADD XOR MUL DIV ADD MUL NOP NOP

Malicious OS controls the interrupt handler
A threshold to execute 1 or 0 instructions

Time

𝑢1 𝑢2

IRQ Range

1

SLIDE 20

CopyCat Attack

20

NOP ADD XOR MUL DIV ADD MUL NOP NOP

Malicious OS controls the interrupt handler
A threshold to execute 1 or 0 instructions

Time

𝑢1 𝑢2

IRQ Range

1

SLIDE 21

CopyCat Attack

21

Malicious OS controls the interrupt handler
A threshold to execute 1 or 0 instructions

I got 15 IRQs. How many zeros?

SLIDE 22

CopyCat Attack

22

Malicious OS controls the interrupt handler
A threshold to execute 1 or 0 instructions
Filtering Zeros out: Clear the A bit before, Check the A bit after

I got 15 IRQs. How many zeros?

DTLB

P

R W U S A …

Physical Page Number

… …

P

R W U S

A

…

Physical Page Number

… …

P

R W U S A …

Physical Page Number

… …

0x000401

Code Page Virtual Address PMH Page Walk

The A Bit is

nly set when

an instruction is retired

SLIDE 23

CopyCat Attack

23

Malicious OS controls the interrupt handler
A threshold to execute 1 or 0 instructions
Filtering Zeros out: Clear the A bit before, Check the A bit after
Deterministic Instruction Counting

SLIDE 24

CopyCat Attack

24

Malicious OS controls the interrupt handler
A threshold to execute 1 or 0 instructions
Filtering Zeros out: Clear the A bit before, Check the A bit after
Deterministic Instruction Counting
Counting from start to end is not useful.
A Secondary oracle
Page table attack as a deterministic secondary oracle

CALL ADD XOR MUL PUSH ADD MUL MOV NOP

Time

Target Code Page

SLIDE 25

CopyCat Attack

25

Malicious OS controls the interrupt handler
A threshold to execute 1 or 0 instructions
Filtering Zeros out: Clear the A bit before, Check the A bit after
Deterministic Instruction Counting
Counting from start to end is not useful.
A Secondary oracle
Page table attack as a deterministic secondary oracle

CALL ADD XOR MUL PUSH ADD MUL MOV NOP

Time

Target Code Page Stack Page

4 Steps

SLIDE 26

CopyCat Attack

26

Malicious OS controls the interrupt handler
A threshold to execute 1 or 0 instructions
Filtering Zeros out: Clear the A bit before, Check the A bit after
Deterministic Instruction Counting
Counting from start to end is not useful.
A Secondary oracle
Page table attack as a deterministic secondary oracle

CALL ADD XOR MUL PUSH ADD MUL MOV NOP

Time

Target Code Page Stack Page Data Page

4 Steps 3 Steps

SLIDE 27

CopyCat Attack

27 Page A Page B Page C Page D

Traditional Page-table Attacks

Previous Controlled Channel attacks leak Page Access Patterns

SLIDE 28

CopyCat Attack

28 Page A Page B Page C Page D

Traditional Page-table Attacks

Page A Page B Page C Page D

CopyCat Attack Additional Data

4 8 6 4

Previous Controlled Channel attacks leak Page Access Patterns
CopyCat additionally leaks number of instructions per page

SLIDE 29

CopyCat – Leaking Branches

29 if(c == 0) { r = add(r, d); } else { r = add(r, s); }

C Code

test %eax, %eax je label mov %edx, %esi label: call add mov %eax, -0xc(%rbp)

Compile

Stack S Code P1 Code P2 Stack S Code P1 Code P2

SLIDE 30

CopyCat – Leaking Branches

30 if(c == 0) { r = add(r, d); } else { r = add(r, s); }

C Code

SLIDE 31

CopyCat – Leaking Branches

31 if(c == 0) { r = add(r, d); } else { r = add(r, s); }

C Code

test %eax, %eax je label mov %edx, %esi label: call add mov %eax, -0xc(%rbp)

Compile

Stack S Code P1 Code P2 Stack S Code P1 Code P2

SLIDE 32

CopyCat – Leaking Branches

32 if(c == 0) { r = add(r, d); } else { r = add(r, s); }

C Code

test %eax, %eax je label mov %edx, %esi label: call add mov %eax, -0xc(%rbp)

Compile

Stack S Code P1 Code P2 Stack S Code P1 Code P2

SLIDE 33

CopyCat – Leaking Branches

33 if(c == 0) { r = add(r, d); } else { r = add(r, s); }

C Code

test %eax, %eax je label mov %edx, %esi label: call add mov %eax, -0xc(%rbp)

Compile

Stack S Code P1 Code P2 Stack S Code P1 Code P2

SLIDE 34

Data Code Data Code Data Code

CopyCat – Leaking Branches

34 if(c == 0) { r = add(r, d); } else { r = add(r, s); }

C Code

test %eax, %eax je label mov %edx, %esi label: call add mov %eax, -0xc(%rbp)

Compile

Stack S Code P1 Code P2 Stack S Code P1 Code P2

switch (c){ case 0: r = 0xbeef; break; case 1: r = 0xcafe; break; default: r = 0; }

C Code

SLIDE 35

35

SLIDE 36

Binary Extended Euclidean Algorithm (BEEA)

36

Previous attacks only leak some of

the branches w/ some noise

SLIDE 37

Binary Extended Euclidean Algorithm

37

Previous attacks only leak some of

the branches w/ some noise

CopyCat synchronously leaks all the

branches wo/ any noise

SLIDE 38

CopyCat on WolfSSL

Translate instruction Counts to Basic Block Transitions

38

SLIDE 39

CopyCat on WolfSSL

Translate instruction Counts to Basic Block Transitions

39

SLIDE 40

CopyCat on WolfSSL

Translate instruction Counts to Basic Block Transitions

40

SLIDE 41

CopyCat on WolfSSL - Cryptanalysis

Single-trace Attack during DSA signing: 𝑙𝑗𝑜𝑤 = 𝑙−1 𝑛𝑝𝑒 𝑜
Iterative over the entire recovered trace with 𝑜 as input → 𝑙𝑗𝑜𝑤
Plug 𝑙𝑗𝑜𝑤 in 𝑡1 = 𝑙1

−1 ℎ − 𝑠

1. 𝑦 𝑛𝑝𝑒 𝑜 → get private key 𝑦

41

SLIDE 42

CopyCat on WolfSSL - Cryptanalysis

Single-trace Attack during DSA signing: 𝑙𝑗𝑜𝑤 = 𝑙−1 𝑛𝑝𝑒 𝑜
Iterative over the entire recovered trace with 𝑜 as input → 𝑙𝑗𝑜𝑤
Plug 𝑙𝑗𝑜𝑤 in 𝑡1 = 𝑙1

−1 ℎ − 𝑠

1. 𝑦 𝑛𝑝𝑒 𝑜 → get private key 𝑦
Single-trace Attack during RSA Key Generation: 𝑟𝑗𝑜𝑤 = 𝑟−1 𝑛𝑝𝑒 𝑞
We know that p.q = N

42

SLIDE 43

CopyCat on WolfSSL - Cryptanalysis

Single-trace Attack during DSA signing: 𝑙𝑗𝑜𝑤 = 𝑙−1 𝑛𝑝𝑒 𝑜
Iterative over the entire recovered trace with 𝑜 as input → 𝑙𝑗𝑜𝑤
Plug 𝑙𝑗𝑜𝑤 in 𝑡1 = 𝑙1

−1 ℎ − 𝑠

1. 𝑦 𝑛𝑝𝑒 𝑜 → get private key 𝑦
Single-trace Attack during RSA Key Generation: 𝑟𝑗𝑜𝑤 = 𝑟−1 𝑛𝑝𝑒 𝑞
We know that p.q = N
Branch and prune Algorithm with the help of the recovered trace

43 p = . . . X q = . . . X p = . . . 0 q = . . . 0 p = . . . 0 q = . . . 1 p = . . . 1 q = . . . 0 p = . . . 1 q = . . . 1

SLIDE 44

CopyCat on WolfSSL - Cryptanalysis

Single-trace Attack during DSA signing: 𝑙𝑗𝑜𝑤 = 𝑙−1 𝑛𝑝𝑒 𝑜
Iterative over the entire recovered trace with 𝑜 as input → 𝑙𝑗𝑜𝑤
Plug 𝑙𝑗𝑜𝑤 in 𝑡1 = 𝑙1

−1 ℎ − 𝑠

1. 𝑦 𝑛𝑝𝑒 𝑜 → get private key 𝑦
Single-trace Attack during RSA Key Generation: 𝑟𝑗𝑜𝑤 = 𝑟−1 𝑛𝑝𝑒 𝑞
We know that p.q = N, and N is public
Branch and prune Algorithm with the help of the recovered trace

44 p = . . . X q = . . . X p = . . X 0 q = . . X 0 p = . . . 0 q = . . . 1 p = . . . 1 q = . . . 0 p = . . X 1 q = . . X 1 N = 1 1 1 0

SLIDE 45

CopyCat on WolfSSL - Cryptanalysis

Single-trace Attack during DSA signing: 𝑙𝑗𝑜𝑤 = 𝑙−1 𝑛𝑝𝑒 𝑜
Iterative over the entire recovered trace with 𝑜 as input → 𝑙𝑗𝑜𝑤
Plug 𝑙𝑗𝑜𝑤 in 𝑡1 = 𝑙1

−1 ℎ − 𝑠

1. 𝑦 𝑛𝑝𝑒 𝑜 → get private key 𝑦
Single-trace Attack during RSA Key Generation: 𝑟𝑗𝑜𝑤 = 𝑟−1 𝑛𝑝𝑒 𝑞
We know that p.q = N, and N is public
Branch and prune Algorithm with the help of the recovered trace

45 p = . . . X q = . . . X p = . . X 0 q = . . X 0 p = . . . 0 q = . . . 1 p = . . . 1 q = . . . 0 p = . . X 1 q = . . X 1 N = 1 1 1 0 p = . . 0 0 q = . . 1 0 p = . . 1 0 q = . . 0 0 p = . . 0 0 q = . . 1 0 p = . . 1 1 q = . . 0 1

SLIDE 46

CopyCat on WolfSSL - Cryptanalysis

Single-trace Attack during DSA signing: 𝑙𝑗𝑜𝑤 = 𝑙−1 𝑛𝑝𝑒 𝑜
Iterative over the entire recovered trace with 𝑜 as input → 𝑙𝑗𝑜𝑤
Plug 𝑙𝑗𝑜𝑤 in 𝑡1 = 𝑙1

−1 ℎ − 𝑠

1. 𝑦 𝑛𝑝𝑒 𝑜 → get private key 𝑦
Single-trace Attack during RSA Key Generation: 𝑟𝑗𝑜𝑤 = 𝑟−1 𝑛𝑝𝑒 𝑞
We know that p.q = N, and N is public
Branch and prune Algorithm with the help of the recovered trace

46 N = 1 1 1 0

p = . . . X q = . . . X p = . . X 0 q = . . X 0 p = . . X 1 q = . . X 1 p = . X 0 0 q = . X 1 0 p = . X 1 0 q = . X 0 0 p = . X 0 0 q = . X 1 0 p = . X 1 1 q = . X 0 1 p = . 0 1 1 q = . 1 0 1 p = . 1 1 1 q = . 0 0 1 p = . 0 0 0 q = . 1 1 0 p = . 1 0 0 q = . 0 1 0 p = . 0 1 0 q = . 1 0 0 p = . 1 1 0 q = . 0 0 0 p = . 0 0 0 q = . 1 1 0 p = . 1 0 0 q = . 0 1 0

SLIDE 47

CopyCat on WolfSSL - Cryptanalysis

Single-trace Attack during DSA signing: 𝑙𝑗𝑜𝑤 = 𝑙−1 𝑛𝑝𝑒 𝑜
Iterative over the entire recovered trace with 𝑜 as input → 𝑙𝑗𝑜𝑤
Plug 𝑙𝑗𝑜𝑤 in 𝑡1 = 𝑙1

−1 ℎ − 𝑠

1. 𝑦 𝑛𝑝𝑒 𝑜 → get private key 𝑦
Single-trace Attack during RSA Key Generation: 𝑟𝑗𝑜𝑤 = 𝑟−1 𝑛𝑝𝑒 𝑞
We know that p.q = N, and N is public
Branch and prune Algorithm with the help of the recovered trace

47 N = 1 1 1 0

p = . . . X q = . . . X p = . . X 0 q = . . X 0 p = . . X 1 q = . . X 1 p = . X 0 0 q = . X 1 0 p = . X 1 0 q = . X 0 0 p = . 0 1 0 q = . 1 0 0 p = . 1 1 0 q = . 0 0 0

SLIDE 48

CopyCat on WolfSSL - Cryptanalysis

Single-trace Attack during DSA signing: 𝑙𝑗𝑜𝑤 = 𝑙−1 𝑛𝑝𝑒 𝑜
Iterative over the entire recovered trace with 𝑜 as input → 𝑙𝑗𝑜𝑤
Plug 𝑙𝑗𝑜𝑤 in 𝑡1 = 𝑙1

−1 ℎ − 𝑠

1. 𝑦 𝑛𝑝𝑒 𝑜 → get private key 𝑦
Single-trace Attack during RSA Key Generation: 𝑟𝑗𝑜𝑤 = 𝑟−1 𝑛𝑝𝑒 𝑞
We know that p.q = N, and N is public
Branch and prune Algorithm with the help of the recovered trace
Single-trace Attack during RSA Key Generation: 𝑒 = 𝑓−1 𝑛𝑝𝑒 𝜇 𝑂
Similar attack but instead use 𝜇 𝑂 =

𝑞−1 𝑟−1 2𝑗

Only 81% of the keys have the above property
It works even on a hardcoded and big value for 𝑓, i.e. 𝑓 ≠ 65537

48

SLIDE 49

CopyCat on WolfSSL – Cryptanalysis Results

Executed each attack 100 times.
DSA 𝑙−1 𝑛𝑝𝑒 𝑜
Average 22,000 IRQs
75 ms to iterate over an average of 6,320 steps
RSA 𝑟−1 𝑛𝑝𝑒 𝑞
Average 106490 IRQs
365 ms to iterate over an average of 39,400 steps
RSA 𝑓−1 𝑛𝑝𝑒 𝜇 𝑂
𝑓−1 𝑛𝑝𝑒 𝜇 𝑂
Average 230,050 IRQs
800ms to iterate over an average of 81,090 steps
Experimental traces always match the leakage model in all experiments

→ Successful single-trace key recovery

49

SLIDE 50

CopyCat – Bypassing ECDSA Timing Countermeasure

50

SLIDE 51

How about other Crypto libraries?

Libgcrypt uses a variant of BEEA
Single trace attack on DSA, Elgamal, ECDSA, RSA Key generation
OpenSSL uses BEEA for computing GCD
Single trace attack on RSA Key generation when computing gcd 𝑟 − 1, 𝑞 − 1
There is still lots of other cases of micro leakages due to usage of

branches, e.g. Intel IPP Crypto lehmer’s GCD with optimizations

51

SLIDE 52

Responsible Disclosure

WolfSSL fixed the issues in 4.3.0 and 4.4.0
Blinding for 𝑙−1 𝑛𝑝𝑒 𝑜 and 𝑓−1 𝑛𝑝𝑒 𝜇 𝑂
Alternate formulation for 𝑟−1 𝑛𝑝𝑒 𝑞: 𝑟𝑞−2 𝑛𝑝𝑒 𝑞
Using a constant-time (branchless) modular inverse [11]
Libgcrypt fixed the issues in 1.8.6
Using a constant-time (branchless) modular inverse [11]
OpenSSL fixed the issue in 1.1.1e
Using a constant-time (branchless) GCD algorithm [11]

52

[11] Bernstein, Daniel J., and Bo-Yin Yang. "Fast constant-time gcd computation and modular inversion." CHES 2019.

SLIDE 53

Interrupt Driven Attacks and Single Stepping

Amplifying Transient Execution Attacks
Foreshadow, ZombieLoad, LVI, CrossTalk
Amplifying Microarchitectural Side Channels
CacheZoom, BranchScope, Branch Shadowing,

Bluethunder , etc.

Interrupt Latency as a Side Channel
Nemesis, Frontal Attack

53

SLIDE 54

Comparison to other Attacks

54

SLIDE 55

Comparison to other Attacks

Some do not work when hyper-threadnig is disabled (Strong TCB of Intel SGX)

55

SLIDE 56

Comparison to other Attacks

Some do not work when hyper-threadnig is disabled (Strong TCB of Intel SGX)
Some can be mitigated by flushing/isolating microarchitectural buffers.

56

SLIDE 57

Comparison to other Attacks

Some do not work when hyper-threadnig is disabled (Strong TCB of Intel SGX)
Some can be mitigated by flushing/isolating microarchitectural buffers.
Some only apply to legacy enclave (32-bit)

57

SLIDE 58

Comparison to other Attacks

Some do not work when hyper-threadnig is disabled (Strong TCB of Intel SGX)
Some can be mitigated by flushing/isolating microarchitectural buffers.
Some only apply to legacy enclave (32-bit)
Some are limited to be applied synchronously.

58

SLIDE 59

CopyCat and Macro-fusion

Fused instructions are counted as one.
Confirm/RE of the behavior of macro-fusion on Intel CPUs
Macro-fusion is dependent on the program layout → deterministic
The offset of a cmp+branch within a cache line
True when hyperthreading is disabled (Intel SGX TCB)

59 https://en.wikichip.org/wiki/macro-operation_fusion

SLIDE 60

Conclusion

Instruction Level Granularity
Imbalance number of instructions
Leak the outcome of branches

60

SGX Attacks Intel’s Responsibility Software Dev Responsibility

Deterministic – Ctrl Channel

µarch Side Channel

This work

SLIDE 61

Conclusion

Instruction Level Granularity
Imbalance number of instructions
Leak the outcome of branches
Fully Deterministic and reliable
Millions of instructions tested
Attacks match the exact leakage model

61

SGX Attacks Intel’s Responsibility Software Dev Responsibility

Deterministic – Ctrl Channel

µarch Side Channel

This work

SLIDE 62

Conclusion

Instruction Level Granularity
Imbalance number of instructions
Leak the outcome of branches
Fully Deterministic and reliable
Millions of instructions tested
Attacks match the exact leakage model of branches
Easy to scale and replicate
No reverse engineering of branches and

microarchitectural components

Tracking all the branches synchronously

62

SGX Attacks Intel’s Responsibility Software Dev Responsibility

Deterministic – Ctrl Channel

µarch Side Channel

This work

SLIDE 63

Conclusion

Instruction Level Granularity
Imbalance number of instructions
Leak the outcome of branches
Fully Deterministic and reliable
Millions of instructions tested
Attacks match the exact leakage model of branches
Easy to scale and replicate
No reverse engineering of branches and

microarchitectural components

Tracking all the branches synchronously
Branchless programming is hard!

63

SGX Attacks Intel’s Responsibility Software Dev Responsibility

Deterministic – Ctrl Channel

µarch Side Channel

This work

SLIDE 64

Future Directions – Other TEE Models

Virtual Machine TEE
AMD SEV
Intel TDX
What are other ways to interrupt a

TEE in the above models?

What is the impact?
Guest OSS
Cryptographic Services
Other Applications
…

64

SLIDE 65

Future Directions – Non-cryptographic Application of Enclaves

Data-dependent secret-processing applications
Confidential Deep Learning (
Trusted Database (EnclaveDB)
Automated Leakage Analysis and Exploit Generation
Fuzzing and Taint Analysis
Dynamic Analysis

65

SLIDE 66

Future Directions – Mitigation

Compiler-based Solutions
Balancing secret-dependent branches with dummy instructions
System-level Mitigation
Self-paging Enclave (Autarky)

66

SLIDE 67

Questions?!

67 https://github.com/j

vanbulck/sgx-step