Practical Enclave Malware with Intel SGX

02/08/2019
by   Michael Schwarz, et al.
0

Modern CPU architectures offer strong isolation guarantees towards user applications in the form of enclaves. For instance, Intel's threat model for SGX assumes fully trusted enclaves, yet there is an ongoing debate on whether this threat model is realistic. In particular, it is unclear to what extent enclave malware could harm a system. In this work, we practically demonstrate the first enclave malware which fully and stealthily impersonates its host application. Together with poorly-deployed application isolation on personal computers, such malware can not only steal or encrypt documents for extortion, but also act on the user's behalf, e.g., sending phishing emails or mounting denial-of-service attacks. Our SGX-ROP attack uses new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code-reuse attack from within an enclave which is then inadvertently executed by the host application. With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer. We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits. With our results, we seek to demystify the enclave malware threat and lay solid ground for future research on and defense against enclave malware.

READ FULL TEXT

page 1

page 2

page 3

page 4

research
08/14/2021

A Policy-based Versioning SSD with Intel SGX

Privileged malware neutralizes software-based versioning systems and des...
research
10/23/2020

Towards Efficiently Establishing Mutual Distrust Between Host Application and Enclave for SGX

Since its debut, SGX has been used in many applications, e.g., secure da...
research
07/29/2021

Malware Classification Using Transfer Learning

With the rapid growth of the number of devices on the Internet, malware ...
research
05/26/2019

TEE-aided Write Protection Against Privileged Data Tampering

Unauthorized data alteration has been a longstanding threat since the em...
research
04/28/2020

SGX-SSD: A Policy-based Versioning SSD with Intel SGX

This paper demonstrates that SSDs, which perform device-level versioning...
research
12/27/2018

Sanctorum: A lightweight security monitor for secure enclaves

Enclaves have emerged as a particularly compelling primitive to implemen...
research
03/28/2021

An In-memory Embedding of CPython for Offensive Use

We offer an embedding of CPython that runs entirely in memory without "t...

Please sign up or login with your details

Forgot password? Click here to reset