Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX

TL;DR

This paper systematically analyzes memory side-channel threats in Intel SGX, revealing multiple attack vectors and misconceptions, and demonstrating new attack techniques that challenge existing defenses and understanding of SGX security.

Contribution

It provides the first comprehensive analysis of SGX memory side channels, identifying eight attack vectors and introducing novel attack methods that expose weaknesses in current protections.

Findings

High-frequency AEXs can be avoided in key recovery attacks.

Enclave programs can be monitored at 64-byte granularity using combined cache and DRAM channels.

Multiple attack vectors, including TLB and DRAM, pose significant risks to SGX security.

Abstract

Side-channel risks of Intel's SGX have recently attracted great attention. Under the spotlight is the newly discovered page-fault attack, in which an OS-level adversary induces page faults to observe the page-level access patterns of a protected process running in an SGX enclave. With almost all proposed defense focusing on this attack, little is known about whether such efforts indeed raise the bar for the adversary, whether a simple variation of the attack renders all protection ineffective, not to mention an in-depth understanding of other attack surfaces in the SGX system. In the paper, we report the first step toward systematic analyses of side-channel threats that SGX faces, focusing on the risks associated with its memory management. Our research identifies 8 potential attack vectors, ranging from TLB to DRAM modules. More importantly, we highlight the common misunderstandings about SGX memory side channels, demonstrating that high frequent AEXs can be avoided when recovering EdDSA secret key through a new page channel and fine-grained monitoring of enclave programs (at the level of 64B) can be done through combining both cache and cross-enclave DRAM channels. Our findings reveal the gap between the ongoing security research on SGX and its side-channel weaknesses, redefine the side-channel threat model for secure enclaves, and can provoke a discussion on when to use such a system and how to use it securely.