Malware Guard Extension: Using SGX to Conceal Cache Attacks
Michael Schwarz (1), Samuel Weiser (1), Daniel Gruss (1), Clémentine Maurice (1), Stefan Mangard (1) ((1) Graz University of Technology)

TL;DR
This paper demonstrates malware running inside an Intel SGX enclave that uses cache side-channel techniques to extract RSA private keys from a co-located enclave, despite SGX's isolation protections being in place.
Contribution
It introduces the first malware running on real SGX hardware that exploits SGX features to conceal cache side-channel attacks targeting co-located enclaves.
Findings
Successfully extracted 96% of an RSA private key from a single trace
Automated attack recovered the full RSA key within 5 minutes from 11 traces
Demonstrated cache attacks across Docker containers on SGX hardware
Abstract
In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine. However, the hypervisor does not protect tenants against the cloud provider and thus the supplied operating system and hardware. Intel SGX provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers. In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native…
Taxonomy
Topics: Security and Verification in Computing · Cloud Data Security Solutions · Advanced Malware Detection Techniques
