CopyCat: Controlled Instruction-Level Attacks on Enclaves for Maximal Key Extraction

02/19/2020
by   Daniel Moghimi, et al.
0

The adversarial model presented by trusted execution environments (TEEs) has prompted researchers to investigate unusual attack vectors. One particularly powerful class of controlled-channel attacks abuses page-table modifications to reliably track enclave memory accesses at a page-level granularity. Crucially, in contrast to noisy microarchitectural timing leakages, this line of deterministic controlled-channel attacks abuses indispensable architectural interfaces and hence cannot be mitigated by tweaking microarchitectural resources. We propose an innovative controlled-channel attack, named CopyCat, that deterministically counts the number of instructions executed within a single enclave code page. We show that combining the instruction counts harvested by CopyCat with traditional, coarse-grained page-level leakage allows to accurately reconstruct enclave control flow at a maximal instruction-level granularity. CopyCat can identify intra-page and intra-cache line branch decisions which may ultimately differ only in a single instruction, highlighting that even extremely subtle control flow deviations can deterministically be leaked from secure enclaves. We demonstrate the improved resolution and practicality of CopyCat on Intel SGX platforms in an extensive study of single-trace and deterministic attacks against side-channel hardened cryptographic libraries. As a result, we disclose multiple vulnerabilities in the the latest version of widely-used cryptographic libraries: WolfSSL, Libgcrypt and OpenSSL, and propose novel algorithmic attacks to perform single-trace key extraction. Our findings mark the importance of stricter verification of cryptographic implementations, especially in the context of TEEs.

READ FULL TEXT

page 1

page 2

page 3

page 4

research
11/21/2017

MemJam: A False Dependency Attack against Constant-Time Crypto Implementations

Cache attacks exploit memory access patterns of cryptographic implementa...
research
08/10/2021

Util::Lookup: Exploiting key decoding in cryptographic libraries

Implementations of cryptographic libraries have been scrutinized for sec...
research
07/27/2023

SEV-Step: A Single-Stepping Framework for AMD-SEV

The ever increasing popularity and availability of Trusted Execution Env...
research
08/16/2018

MicroWalk: A Framework for Finding Side Channels in Binaries

Microarchitectural side channels expose unprotected software to informat...
research
07/25/2022

A Dataset Generation Framework for profiling Disassembly attacks using Side-Channel Leakages and Deep Neural Networks

Various studies among side-channel attacks have tried to extract informa...
research
01/25/2023

Clueless: A Tool Characterising Values Leaking as Addresses

Clueless is a binary instrumentation tool that characterises explicit ca...
research
03/05/2019

SMoTherSpectre: exploiting speculative execution through port contention

Spectre, Meltdown, and related attacks have demonstrated that kernels, h...

Please sign up or login with your details

Forgot password? Click here to reset