sgx-step v1.5 releases: A practical attack framework for precise enclave execution control
sgx-step
SGX-Step is an open-source framework to facilitate side-channel attack research on Intel SGX platforms. SGX-Step consists of an adversarial Linux kernel driver and userspace library that allow to configure untrusted page table entries and/or x86 APIC timer interrupts completely from userspace. Our research results have demonstrated several new and improved enclaved execution attacks that gather side-channel observations at a maximal temporal resolution (i.e., by interrupting the victim enclave after every single instruction).
| SGX-Step release | Publication details | Comments |
|---|---|---|
| v1.4.0 | Oakland’20 | Privileged interrupt/call gates (Plundervolt attack). |
| v1.3.0 | USEC’18 | Transient execution (Foreshadow attack). |
| v1.2.0 | CCS’18 | User space interrupt handling (Nemesis interrupt timing attack). |
| v1.1.0 | ESSoS’18 | IA32 support. |
| v1.0.0 | SysTEX’17 | Original SGX-Step framework. |
Abstract
Trusted execution environments such as Intel SGX hold the promise of protecting sensitive computations from a potentially compromised operating system. Recent research convincingly demonstrated, however, that SGX’s strengthened adversary model also gives rise to a new class of powerful, low-noise side-channel attacks leveraging first-rate control over hardware. These attacks commonly rely on frequent enclave preemptions to obtain fine-grained side-channel observations. A maximal temporal resolution is achieved when the victim state is measured after every instruction. Current state-of-the-art enclave execution control schemes, however, do not generally achieve such instruction-level granularity.
This paper presents SGX-Step, an open-source Linux kernel framework that allows an untrusted host process to configure APIC timer interrupts and track page table entries directly from userspace. We contribute and evaluate an improved approach to single-step enclaved execution at instruction-level granularity, and we show how SGX-Step enables several new or improved attacks. Finally, we discuss its implications for the design of effective defence mechanisms.
Overview
Crucial to the design of SGX-Step, as opposed to previous enclave preemption proposals, is the creation of user-space virtual memory mappings for physical memory locations holding page table entries, as well as for the local APIC memory-mapped I/O configuration registers and the x86 Interrupt Descriptor Table (IDT). This allows an untrusted, attacker-controlled host process to easily (i) track or modify enclave page table entries, (ii) configure the APIC timer one-shot/periodic interrupt source, (iii) trigger inter-processor interrupts, and (iv) register custom interrupt handlers completely within user space.
The above figure summarizes the sequence of hardware and software steps when interrupting and resuming an SGX enclave through our framework.
- The local APIC timer interrupt arrives within an enclaved instruction.
- The processor executes the AEX procedure that securely stores execution context in the enclave’s SSA frame, initializes CPU registers, and vectors to the (userspace) interrupt handler registered in the IDT.
- At this point, any attack-specific, spy code can easily be plugged in.
- The library returns to the user space AEP trampoline. We modified the untrusted runtime of the official SGX SDK to allow easy registration of a custom AEP stub. Furthermore, to enable precise evaluation of our approach on attacker-controlled benchmark debugs enclaves, SGX-Step can optionally be instrumented to retrieve the stored instruction pointer from the interrupted enclave’s SSA frame. For this, our /dev/sgx-step driver offers an optional IOCTL call for the privileged EDBGRD instruction.
- Thereafter, we configure the local APIC timer for the next interrupt by writing into the initial-count MMIO register, just before executing (6) ERESUME.
Changelog v1.5
* Stabilization fixes for custom interrupt handlers: avoid kernel panics by making sure the virtual address of the interrupt handler in the IDT is _always_ accessible, even when interrupting the kernel (KPTI address space) or after context switching to another process (via persistent shadow mapping in the kernel address space). Thanks @0xhilbert!
* Experimental Gramine port. Thanks @aegis2501!
* Support for Load Value Injection (LVI) attacks.
* Support for sending inter-processor interrupts through the local APIC.
* APIC precision microbenchmarks (AEX-Notify paper).
* Improve documentation.
Install && Use
Copyright (C) 2017 jovanbulck
