Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing
Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim, Hyesoon Kim, Marcus Peinado

TL;DR
This paper introduces a novel side-channel attack called branch shadowing that reveals fine-grained control flow inside SGX enclaves by exploiting branch prediction history, and proposes countermeasures including hardware and software defenses.
Contribution
The paper presents the first branch shadowing attack on SGX enclaves, demonstrating its effectiveness against recent security schemes and proposing Zigzagger as a practical mitigation.
Findings
Successfully attacked ORAM, Sanctum, SGX-Shield, T-SGX.
Developed novel techniques using Intel PT, LBR, and APIC.
Proposed Zigzagger as a software countermeasure.
Abstract
In this paper, we explore a new, yet critical, side-channel attack against Intel Software Guard Extension (SGX), called a branch shadowing attack, which can reveal fine-grained control flows (i.e., each branch) of an enclave program running on real SGX hardware. The root cause of this attack is that Intel SGX does not clear the branch history when switching from enclave mode to non-enclave mode, leaving the fine-grained traces to the outside world through a branch-prediction side channel. However, exploiting the channel is not so straightforward in practice because 1) measuring branch prediction/misprediction penalties based on timing is too inaccurate to distinguish fine-grained control-flow changes and 2) it requires sophisticated control over the enclave execution to force its execution to the interesting code blocks. To overcome these challenges, we developed two novel exploitation…
