SgxPectre Attacks: Stealing Intel Secrets from SGX Enclaves via Speculative Execution
Guoxing Chen, Sanchuan Chen, Yuan Xiao, Yinqian Zhang, Zhiqiang Lin, Ten H. Lai

TL;DR
This paper introduces SgxPectre Attacks, exploiting speculative execution vulnerabilities in Intel SGX enclaves to compromise confidentiality, allowing attackers to steal cryptographic keys and forge attestations, thereby defeating SGX security guarantees.
Contribution
The paper systematically demonstrates the feasibility of SgxPectre Attacks, explores attack vectors, and evaluates existing countermeasures against these new speculative execution vulnerabilities.
Findings
Successfully stole seal and attestation keys from SGX enclaves
Most SGX runtimes are vulnerable due to common code patterns
Existing countermeasures are insufficient to prevent SgxPectre Attacks
Abstract
This paper presents SgxPectre Attacks that exploit the recently disclosed CPU bugs to subvert the confidentiality and integrity of SGX enclaves. Particularly, we show that when branch prediction of the enclave code can be influenced by programs outside the enclave, the control flow of the enclave program can be temporarily altered to execute instructions that lead to observable cache-state changes. An adversary observing such changes can learn secrets inside the enclave memory or its internal registers, thus completely defeating the confidentiality guarantee offered by SGX. To demonstrate the practicality of our SgxPectre Attacks, we have systematically explored the possible attack vectors of branch target injection, approaches to win the race condition during enclave's speculative execution, and techniques to automatically search for code patterns required for launching the attacks.…
