Hardware Enclave Attacks CS261

Size: px

Start display at page:

Download "Hardware Enclave Attacks CS261"

Bryan Anderson
5 years ago
Views:

1 Hardware Enclave Attacks CS261

2 Threat Model of Hardware Enclaves Intel Attestation Service (IAS) Process Enclave Untrusted Trusted Enclave Code Enclave Data Process Process Other Enclave OS and/or Hypervisor Off-chip devices 2

3 Attacks on Hardware Enclaves Attacks on Intel services: Traditional server-based attacks (not interesting) Attacks on enclave code: Exploiting software vulnerabilities Interesting API-based attacks: Iago attacks (ASPLOS 13) Attacks on Intel CPUs: Cache timing side channels, Spectre / Meltdown (Foreshadow) Controlled-channel attacks 3

4 Enclave Page Permissions Physical Memory EPC Process Enclave 1. EPCM VA V RWX SECS 2. Page Table Enclave Page Permission = EPCM[RWX] AND PT[RWX] VA RWX PA 4

5 Page Faults in Enclaves Physical Memory EPC Process AEP: ERESUME Enclave X = *(addr); Page Fault RAX: RBX: RIP: AEP (Async Exit Pointer) Fault Addr: addr & ~(FFF) OS Kernel Leaking the higher 52 bits (i.e., 64-12) of page fault address 5

6 Target Code Input-dependent branches if (secret & 0x1) process_one(); else process_zero(); Page A Page B Input-dependent data access data_array[secret << 12] = 1; secret = 0 secret = 1 secret = 2 Page X Page X + 1 Page X + 2 6

7 Distinguishing Same Page Addresses f2() { f4(); f1() { f2(); f3(); f3() { f5(); Page B f2() Page A f1() Page D f4(), f5() Page C f3() f4() { f5() { 7

8 Distinguishing Same Page Addresses f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page A f1() Page B Page C f2() f3() Page D f4(), f5() Page addresses: A 8

9 Distinguishing Same Page Addresses f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page A f1() Page B Page C f2() f3() Page D f4(), f5() Page addresses: A B 9

10 Distinguishing Same Page Addresses f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page A f1() Page B Page C f2() f3() Page D f4(), f5() Page addresses: A B D 10

11 Distinguishing Same Page Addresses f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page A f1() Page B Page C f2() f3() Page D f4(), f5() Page addresses: A B D B A 11

12 Distinguishing Same Page Addresses f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page A f1() Page B Page C f2() f3() Page D f4(), f5() Page addresses: A B D B A C 12

13 Distinguishing Same Page Addresses f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page A f1() Page B Page C f2() f3() Page D f4(), f5() Page addresses: A B D B A C D f4() f5() 13

14 Update the Page Table f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page Fault Page A f1() Page B f2() R Page D f4(), f5() Page addresses: A R Page C f3() R R 14

15 Update the Page Table f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page B f2() Page A f1() Page D f4(), f5() Page addresses: A B R Mark executable R X to continue Page C f3() R R 15

16 Update the Page Table f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page A f1() R Page B Page C f2() R X f3() Page D f4(), f5() R Page addresses: A B D R 16

17 Example: Hunspell Checker Phase 1: inserts dictionary into hash buckets Phase 2: looks up words from a secret document 17

18 Hunspell Insertion Hash::add_word(std::string word) { struct hentry *hp = malloc(); int i = hash(word); struct hentry *dp = tableptr[i]; while (dp->next!= NULL) { dp = dp->next; strcpy(hp->word, word); dp->next = hp; Word word1 word2 word3 word4 Pages A, D B, D A, E B, D, F Page(tableptr[i]) Page(node 1) Page(node 2) Page(new node) 18

19 Hunspell Lookup Hash::lookup(std::string word) { int i = hash(word); struct hentry *dp = tableptr[i]; while (dp!= NULL) { if (!strcmp(hp->word, word)) return dp; dp = dp->next; Word word1 word2 word3 word4 Pages A, D B, D A, E B, D, F Page(tableptr[i]) Page(node 1) Page(node 2) Match with the oracle 19

20 Side Channels vs Controlled Channels Cache Side Channels Controlled Channels Granularity Cachelines (64-byte) Pages (4KB) Noisiness Highly noisy Noiseless and Lossless Synchronization Scope Two-phase synchronization (e.g., PRIME+PROBE, FLUSH+RELOAD) Common to most platforms No synchronization with the victim Specific to enclaves Privileges Non-root Need root privileges 20

21 Mitigation ASLR (Address Space Layout Randomization)? Not working Can detect entry points and start-up patterns Self-paging Some architecture (e.g., RISC-V) suggests self-paging in enclaves The OS never gets any page faults Detecting attacks Execution time, page fault count, etc Forbidding page faults from enclave code T-SGX 21

22 T-SGX (NDSS 17) Intel TSX (Transactional Synchronization Extensions) Any fault abort handler unsigned status; // Begin a transaction if ((status = _xbegin()) == _XBEGIN_STARTED) { // Run any code Page Fault _xend(); else { // Abort Can forbid all page faults in enclaves (i.e., no paging) 22

23 Other Enclave Attacks Page table access/dirty bits (USENIX 17) Recently read access bit; Recently written dirty bit Can be observed without page faults Branch Predictor States (USENIX 17) Enclave and non-enclave code shares branch predictor states Can observe which branches are taken Addresses on memory bus (CCS 13) Every memory command (read / write) is visible on bus Can observe with a DIMM interposer 23

24 Questions? Hardware Enclave Attacks 24

Controlled- Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems

Controlled- Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems Yuanzhong Xu, Weidong Cui, Marcus Peinado The University of Texas at Austin, Microsoft Research San Jose, CA May