27th usenix security symposium, baltimore, md, usa, 15-17 ... · the guard’s dilemma efficient...
TRANSCRIPT
![Page 1: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/1.jpg)
The Guard’s DilemmaEfficient Code-Reuse Attacks Against Intel SGX
Andrea Biondo1, Mauro Conti1, Lucas Davi2, Tommaso Frassetto3, Ahmad-Reza Sadeghi3
1 University of Padua, Italy
2 University of Duisburg-Essen, Germany
3 TU Darmstadt, Germany
27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 August 2018
![Page 2: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/2.jpg)
Intel SGX (Software Guard eXtensions)
App
Enclave
App Code
Enclave Code
Entry/exit
Kernel
Encryption
Attestation
Physical memory
Remote server
2
![Page 3: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/3.jpg)
Intel SGX (Software Guard eXtensions)
App
Enclave
App Code
Enclave Code
Entry/exit
Kernel
Encryption
Attestation
Physical memory
Remote server
3
SGX SDK
![Page 4: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/4.jpg)
SGX provides strong isolation.
4
(that’s what it says on the box!)
![Page 5: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/5.jpg)
Just like normal programs,SGX code can have bugs.
5
![Page 6: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/6.jpg)
Control-Flow Attacks
A
CB
D
F
E
Control-FlowHijacking
Shellcode
Code Injection
6
![Page 7: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/7.jpg)
Control-Flow Attacks
A
CB
D
F
E
Control-FlowHijacking
Shellcode
A
CB
D
F
E
Control-FlowHijacking
Gadget
Code Injection Code Reuse(e.g., Return-Oriented Programming)
Write⊕
eXecuteF
7
![Page 8: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/8.jpg)
Control-Flow Attacks
A
CB
D
F
E
Control-FlowHijacking
Shellcode
A
CB
D
F
E
Control-FlowHijacking
Gadget
Code Injection Code Reuse(e.g., Return-Oriented Programming)
Write⊕
eXecute
Control FlowIntegrity
F
8
![Page 9: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/9.jpg)
Related work
Dark-ROP[Lee et al., USENIX
Security 2017]
• Remote attestation + loader = no access to enclave code• ROP still feasible by finding gadgets through oracles
SGX-Shield[Seo et al., NDSS
2017]
• Fine-grained enclave randomization, W⊕X,Software Fault Isolation, Control Flow Integrity
• State-of-the-art hardening scheme
9
![Page 10: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/10.jpg)
The SGX SDK
Source
SGX SDK
App
Enclave
Function 0 Function 1
Function 2 Function 3
Compiler
App Code
Untrusted Runtime System (uRTS)
Trusted Runtime System (tRTS)
App-to-Enclave function call
(ECALL)
10
![Page 11: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/11.jpg)
The SGX SDK
Source
SGX SDK
App
Enclave
Function 0 Function 1
Function 2 Function 3
Compiler
App Code
Untrusted Runtime System (uRTS)
Trusted Runtime System (tRTS)
Enclave-to-App function call
(OCALL)
11
![Page 12: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/12.jpg)
The SGX SDK
Source
SGX SDK
App
Enclave
Function 0 Function 1
Function 2 Exc. Handler
Compiler
App Code
Untrusted Runtime System (uRTS)
Trusted Runtime System (tRTS) Signal
OS KernelAEX
12
Exception
![Page 13: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/13.jpg)
The Guard’s Dilemma
Novel SGX code-reuse attack
Dispatches ROP gadgets
Uses only existing tRTS functionality
Why?
13
![Page 14: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/14.jpg)
Motivation
Widespread SDK usage
Easier exploitation
Existing hardening does not cover tRTS
14
![Page 15: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/15.jpg)
The Basic Idea
App
Enclave
Function 0 Function 1
Function 2 Function 3
Trusted Runtime System (tRTS)
Restore State
State
Counterfeit state
15
![Page 16: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/16.jpg)
The ORET Primitive
OCALL
Save context in OCALL frame
Exit enclave
Execute untrusted function
Re-enter enclave
Restore context (do_oret)
Control-FlowHijacking
Fake OCALL frame
Partial registercontrol
Stack control
16
![Page 17: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/17.jpg)
The CONT Primitive
Exception
Resume enclave
Call exception handlers
Restore exception context (continue_execution)
Control-FlowHijacking
Fake exception context
Full registercontrol
1° argument control
Exit enclave to OS handler
Re-enter, save context, exit (see paper)
17
![Page 18: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/18.jpg)
The ORET+CONT Loop
ORET
rip, rsp rip, rdi, ...
CONT
rip, rdi rip, rsp, *
ROP Gadget
18
![Page 19: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/19.jpg)
Attack Overview
19
① Payload Preparation• Find gadgets• Design gadget chain
② Fake Structures Prep.• n fake exception infos• 1 fake stack (ROP, OCALL)
③ Attack Execution• Launch first CONT
Gadget
ORET
CONT
Fake exc. info 1 Gadget 1
Fake exc. info 2 Gadget 2
Fake exc. info 3 Gadget 3
Fake stack
![Page 20: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/20.jpg)
Example Attack
App
Enclave
vuln_f oth_f
get_key send_file
Trusted Runtime System (tRTS)
ORET: rip, stack → rdi + rip + …
CONT: rdi → rip + all registers Stack
rip
rdi
Other registers
20
![Page 21: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/21.jpg)
SGX-Shield [Seo et al., NDSS 2017]
Source
SGX-Shield Runtime
App
Enclave
Rand. Unit 0 Rand. Unit 1
Rand. Unit 2 Rand. Unit 3SGX-Shield Toolchain
App Code
Untrusted Runtime System (uRTS)
Trusted Runtime System (tRTS)
Fine-grained coderandomization
tRTS is not randomized
SGX SDK
21
![Page 22: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/22.jpg)
Attacking SGX-Shield
Fine-grained code randomization
Reusing tRTS code (not randomized)
Coarse-grained Control Flow Integrity
Return edges are not properly instrumented→ ORET is possible
Other mitigations (SFI, W⊕X) assume CFI
22
![Page 23: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/23.jpg)
SGX-Shield Exploit
Hijack return edge
Untrusted memory
Write shellcode to WX memory
Jump to shellcode
Stage 1ORET+CONT
Gather enclave keys
Copy keys to attacker’s memory
Stage 2Shellcode
23
![Page 24: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/24.jpg)
Mitigations
SDK Hardening
Secret canaries in contexts
Mangling context data
External Hardening
Randomization of SDK code
Stronger CFI
24
![Page 25: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/25.jpg)
Lessons Learned
• SGX presents significant hardening challenges• Strong attacker
• The SDK can increase an enclave’s attack surface• Powerful code-reuse primitives
• Low-level code hidden from sight
25
![Page 26: 27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 ... · The Guard’s Dilemma Efficient Code-Reuse Attacks Against Intel SGX Andrea Biondo 1, Mauro Conti , Lucas Davi2, Tommaso](https://reader033.vdocuments.mx/reader033/viewer/2022042222/5ec88b6c4d7a8b3dc578e0d1/html5/thumbnails/26.jpg)
Conclusion
• We presented a novel code-reuse attack on Intel SGX
• Using «forgotten» code to bypass SoA hardening
• Underlines the need to consider implications of SDK usage
Questions?
26