Bluethunder: A 2-level Directional Predictor Based Side-Channel Attack against SGX

Huo, Tianlin; Meng, Xiaoni; Wang, Wenhao; Hao, Chunliang; Zhao, Pengshan; Zhai, Jing; Li, Mingshu

doi:10.46586/tches.v2020.i1.321-347

Cited by 18 publications

(19 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…PHT BranchScope [15], Bluethunder [24] Spectre-PHT [38] BTB SBPA [1], BranchShadow [40] Spectre-BTB [38]…”

Section: μ-Arch Buffermentioning

confidence: 99%

“…However, previous work showed that Intel SGX root attackers can mount high-resolution, low-noise side-channel attacks through the cache [7,46,52], branch predictors [15,24,40], page-table accesses [63,65,71], or interrupt timing [64]. In response to recent transient-execution attacks [11,53,61,67], which can extract enclave secrets from side-channel resistant software, Intel released microcode updates which flush microarchitectural buffers on every enclave entry and exit [25,29].…”

Section: B Intel Sgxmentioning

confidence: 99%

See 1 more Smart Citation

LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection

Bulck

Moghimi

Schwarz

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

119

View full text Add to dashboard Cite

The recent Spectre attack first showed how to inject incorrect branch targets into a victim domain by poisoning microarchitectural branch prediction history. In this paper, we generalize injection-based methodologies to the memory hierarchy by directly injecting incorrect, attacker-controlled values into a victim's transient execution. We propose Load Value Injection (LVI) as an innovative technique to reversely exploit Meltdowntype microarchitectural data leakage. LVI abuses that faulting or assisted loads, executed by a legitimate victim program, may transiently use dummy values or poisoned data from various microarchitectural buffers, before eventually being re-issued by the processor. We show how LVI gadgets allow to expose victim secrets and hijack transient control flow. We practically demonstrate LVI in several proof-of-concept attacks against Intel SGX enclaves, and we discuss implications for traditional user process and kernel isolation.State-of-the-art Meltdown and Spectre defenses, including widespread silicon-level and microcode mitigations, are orthogonal to our novel LVI techniques. LVI drastically widens the spectrum of incorrect transient paths. Fully mitigating our attacks requires serializing the processor pipeline with lfence instructions after possibly every memory load. Additionally and even worse, due to implicit loads, certain instructions have to be blacklisted, including the ubiquitous x86 ret instruction. Intel plans compiler and assembler-based full mitigations that will allow at least SGX enclave programs to remain secure on LVI-vulnerable systems. Depending on the application and optimization strategy, we observe extensive overheads of factor 2 to 19 for prototype implementations of the full mitigation.

show abstract

“…PHT BranchScope [15], Bluethunder [24] Spectre-PHT [38] BTB SBPA [1], BranchShadow [40] Spectre-BTB [38]…”

Section: μ-Arch Buffermentioning

confidence: 99%

Section: B Intel Sgxmentioning

confidence: 99%

LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection

Bulck

Moghimi

Schwarz

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

119

View full text Add to dashboard Cite

show abstract

“…For example, the slowdown of the target program and considerable communication overhead caused by triggering many branches could be leveraged as indicators of PHT attacks. In 2020, Huo et al [44] proposed Bluethunder, which is an evolutionary version of the BranchScope, creating collisions in a 2-level predictor to generate information leakage. Bluethunder makes improvements regarding the aforementioned third assumption in the BranchScope.…”

Section: Pht-based Attackmentioning

confidence: 99%

“…Firstly, exploring new uncovered attack surfaces that can be leveraged to attack SGX implementations is a promising research direction, which could prompt the research community to design new defending techniques to enhance the security of SGX. Moreover, most of the attack cases reviewed in Section 5 only abuse one attack surface (including [99], [91], [95], [39], [31], [69], [5], [17], [59], [21], [44], [94], [50]). Another promising research direction is to integrate newly discovered attack surfaces with those well-known ones (e.g., page table, CPU cache, and branch prediction table) to develop hybrid multi-level attack vectors with high precision.…”

Section: Future Directionsmentioning

confidence: 99%

Security Vulnerabilities of SGX and Countermeasures

et al. 2021

View full text Add to dashboard Cite

Trusted Execution Environments (TEEs) have been widely used in many security-critical applications. The popularity of TEEs derives from its high security and trustworthiness supported by secure hardware. Intel Software Guard Extensions (SGX) is one of the most representative TEEs that creates an isolated environment on an untrusted operating system, thus providing run-time protection for the execution of security-critical code and data. However, Intel SGX is far from the acme of perfection. It has become a target of various attacks due to its security vulnerabilities. Researchers and practitioners have paid attention to the security vulnerabilities of SGX and investigated optimization solutions in real applications. Unfortunately, existing literature lacks a thorough review of security vulnerabilities of SGX and their countermeasures. In this article, we fill this gap. Specifically, we propose two sets of criteria for estimating security risks of existing attacks and evaluating defense effects brought by attack countermeasures. Furthermore, we propose a taxonomy of SGX security vulnerabilities and shed light on corresponding attack vectors. After that, we review published attacks and existing countermeasures, as well as evaluate them by employing our proposed criteria. At last, on the strength of our survey, we propose some open challenges and future directions in the research of SGX security.

show abstract

“…Our attack leverages the SGX-Step [74] framework to forcibly step into a victim enclave code exactly one instruction at a time. While high-frequency timer interrupts have previously been leveraged to boost microarchitectural timing attacks [36,40,48,53,75], we exploit the architectural interrupt interface itself as a deterministic controlled-channel. Our attacks rely on the key observation that interrupts can force the enclave to advance exactly one instruction at a time.…”

Section: Introductionmentioning

confidence: 99%

CopyCat: Controlled Instruction-Level Attacks on Enclaves

Moghimi,

Van Bulck,

Heninger

et al. 2020

Preprint

View full text Add to dashboard Cite

The adversarial model presented by trusted execution environments (TEEs) has prompted researchers to investigate unusual attack vectors. One particularly powerful class of controlled-channel attacks abuses page-table modifications to reliably track enclave memory accesses at a page-level granularity. Crucially, in contrast to noisy microarchitectural timing leakages, this line of deterministic controlled-channel attacks abuses indispensable architectural interfaces and hence cannot be mitigated by tweaking microarchitectural resources.We propose an innovative controlled-channel attack, named COPYCAT, that deterministically counts the number of instructions executed within a single enclave code page. We show that combining the instruction counts harvested by COPYCAT with traditional, coarse-grained page-level leakage allows to accurately reconstruct enclave control flow at a maximal instruction-level granularity. COPYCAT can identify intra-page and intra-cache line branch decisions which may ultimately differ only in a single instruction, highlighting that even extremely subtle control flow deviations can deterministically be leaked from secure enclaves. We demonstrate the improved resolution and practicality of COPYCAT on Intel SGX platforms in an extensive study of single-trace and deterministic attacks against side-channel hardened cryptographic libraries. As a result, we disclose multiple vulnerabilities in the the latest version of widely-used cryptographic libraries: WolfSSL, Libgcrypt and OpenSSL, and propose novel algorithmic attacks to perform single-trace key extraction. Our findings mark the importance of stricter verification of cryptographic implementations, especially in the context of TEEs.

show abstract

Bluethunder: A 2-level Directional Predictor Based Side-Channel Attack against SGX

Cited by 18 publications

References 9 publications

LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection

LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection

Security Vulnerabilities of SGX and Countermeasures

CopyCat: Controlled Instruction-Level Attacks on Enclaves

Contact Info

Product

Resources

About