Cybersecurity | |
Malware Guard Extension: abusing Intel SGX to conceal cache attacks | |
article | |
Schwarz, Michael1  Weiser, Samuel1  Gruss, Daniel1  Maurice, Clémentine2  Mangard, Stefan1  | |
[1] Graz University of Technology;CNRS, IRISA | |
关键词: Intel SGX; Side channel; Side-channel attack; Prime+Probe; | |
DOI : 10.1186/s42400-019-0042-y | |
学科分类:社会科学、人文和艺术(综合) | |
来源: Springer | |
【 摘 要 】
In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine. However, the hypervisor does not protect tenants against the cloud provider and thus, the supplied operating system and hardware. Intel SGX provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers.In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works, although in SGX enclaves, there are no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96 % of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces within 5 min.
【 授权许可】
CC BY
【 预 览 】
Files | Size | Format | View |
---|---|---|---|
RO202108110000131ZK.pdf | 1747KB | download |