DOI: 10.5555/3241189.3241271

Telling your secrets without page faults: stealthy page table-based attacks on enclaved execution

Published: 16 August 2017

Abstract

Protected module architectures, such as Intel SGX, enable strong trusted computing guarantees for hardware-enforced enclaves on top of a potentially malicious operating system. However, such enclaved execution environments are known to be vulnerable to a powerful class of controlled-channel attacks. Recent research convincingly demonstrated that adversarial system software can extract sensitive data from enclaved applications by carefully revoking access rights on enclave pages and recording the associated page faults. In response, a number of state-of-the-art defense techniques have been proposed that suppress page faults during enclave execution.
This paper shows, however, that page table-based threats go beyond page faults. We demonstrate that an untrusted operating system can observe enclave page accesses without resorting to page faults, by exploiting other side-effects of the address translation process. We contribute two novel attack vectors that infer enclaved memory accesses from page table attributes, as well as from the caching behavior of unprotected page table memory. We demonstrate the effectiveness of our attacks by recovering EdDSA session keys with little to no noise from the popular Libgcrypt cryptographic software suite.


Published In

SEC'17: Proceedings of the 26th USENIX Conference on Security Symposium
August 2017
1479 pages
ISBN: 9781931971409

Sponsors

• Google Inc.
• IBM Research
• NSF
• Facebook
• CISCO

Publisher

USENIX Association, United States