An Off-Chip Attack on Hardware Enclaves via the Memory Bus
Dayeol Lee, Dongha Jung, Ian T. Fang, Chia-Che Tsai, Raluca Ada Popa

TL;DR
This paper introduces Membuster, an off-chip attack method that exploits memory bus snooping to extract sensitive data from hardware enclaves with minimal interference, demonstrating its effectiveness on Intel SGX systems.
Contribution
The paper presents Membuster, a novel off-chip attack technique that bypasses existing defenses by observing memory bus activity and reverse-engineering address translations.
Findings
Successfully leaked sensitive data from SGX enclaves
Achieved high accuracy in extracting confidential information
Demonstrated minimal interference during attack execution
Abstract
This paper shows how an attacker can break the confidentiality of a hardware enclave with Membuster, an off-chip attack based on snooping the memory bus. An attacker with physical access can observe an unencrypted address bus and extract fine-grained memory access patterns of the victim. Membuster is qualitatively different from prior on-chip attacks to enclaves and is more difficult to thwart. We highlight several challenges for Membuster. First, DRAM requests are only visible on the memory bus at last-level cache misses. Second, the attack needs to incur minimal interference or overhead to the victim to prevent the detection of the attack. Lastly, the attacker needs to reverse-engineer the translation between virtual, physical, and DRAM addresses to perform a robust attack. We introduce three techniques, critical page whitelisting, cache squeezing, and oracle-based fuzzy matching…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Physical Unclonable Functions (PUFs) and Hardware Security
