MemJam: A False Dependency Attack Against Constant-Time Crypto Implementations in SGX

Moghimi, Ahmad; Wichelmann, Jan; Eisenbarth, Thomas; Sunar, Berk

doi:10.1007/978-3-319-76953-0_2

Cited by 33 publications

(42 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While there is a long line of work on dismantling SGX's confidentiality guarantees [69,11,46,73,50,25,72] as well as exploiting classical memory safety vulnerabilities in enclaves [45,8,70], Plundervolt represents the first attack that directly violates SGX's integrity guarantees for functionally correct enclave software. By directly breaking ISAlevel processor semantics, Plundervolt ultimately undermines even relaxed "transparent enclaved execution" paradigms [66] that solely require integrity of enclave computations while assuming unbounded side-channel leakage.…”

Section: Discussion and Related Workmentioning

confidence: 99%

“…To limit the performance penalty of such an approach, we propose leveraging commodity Hy-perThreading [36] features in Intel CPUs and turn them from a security concern into a security feature for fault resistancy. After a long list of SGX attacks [69,75,59,50] demonstrated how enclave secrets can be reconstructed from a sibling CPU core, Intel officially recommended disabling hyperthreading when using SGX enclaves [32]. However, this also imposes a significant performance impact on any non-SGX workloads.…”

Section: Countermeasuresmentioning

confidence: 99%

See 1 more Smart Citation

Plundervolt: Software-based Fault Injection Attacks against Intel SGX

Murdock

Oswald

Garcia

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

211

112

View full text Add to dashboard Cite

Dynamic frequency and voltage scaling features have been introduced to manage ever-growing heat and power consumption in modern processors. Design restrictions ensure frequency and voltage are adjusted as a pair, based on the current load, because for each frequency there is only a certain voltage range where the processor can operate correctly. For this purpose, many processors (including the widespread Intel Core series) expose privileged software interfaces to dynamically regulate processor frequency and operating voltage. In this paper, we demonstrate that these privileged interfaces can be reliably exploited to undermine the system's security. We present the Plundervolt attack, in which a privileged software adversary abuses an undocumented Intel Core voltage scaling interface to corrupt the integrity of Intel SGX enclave computations. Plundervolt carefully controls the processor's supply voltage during an enclave computation, inducing predictable faults within the processor package. Consequently, even Intel SGX's memory encryption/authentication technology cannot protect against Plundervolt. In multiple case studies, we show how the induced faults in enclave computations can be leveraged in real-world attacks to recover keys from cryptographic algorithms (including the AES-NI instruction set extension) or to induce memory safety vulnerabilities into bug-free enclave code. We finally discuss why mitigating Plundervolt is not trivial, requiring trusted computing base recovery through microcode updates or hardware changes.

show abstract

Section: Discussion and Related Workmentioning

confidence: 99%

Section: Countermeasuresmentioning

confidence: 99%

Plundervolt: Software-based Fault Injection Attacks against Intel SGX

Murdock

Oswald

Garcia

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

211

112

View full text Add to dashboard Cite

show abstract

“…Prior work has shown that the L1 dTLB can be exploited for a reliable side-channel attack through the TLB [7] using a PRIME+PROBE-style attack. Memory Order Buffer (MOB) is yet another shared resource that can leak information by creating a false dependency across threads [43] and stalling the victim thread while the CPU decides whether store forwarding should proceed (in case of a true dependency).…”

Section: Related Workmentioning

confidence: 99%

ABSynthe: Automatic Blackbox Side-channel Synthesis on Commodity Microarchitectures

Gras

Giuffrida

Kurth

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

“…An example was an aliasing issue caused by a stack store instruction at the beginning of the Spectre gadget. When the given load address to leak from happened to 4k-alias the address of the earlier stack store instruction, a stall introduced by the store-to-load forwarding logic [67,83] disrupted the signal. To address this issue, an option is to chain together multiple speculative gadgets [8] and perform stack pivoting before executing the Spectre gadget.…”

Section: Exploit 3: Breaking Software-based Xommentioning

confidence: 99%

“…Microarchitectural attacks. While early microarchitectural attacks such as classic cache side-channel attacks [69,98] or even more recent attacks [5,24,37,38,67,93] primarily focus on breaking crypto implementations, there is a large body of work on microarchitectural attacks to support software exploitation. Such attacks typically use side-channel disclosure to mimic limited memory read primitives [12,26,39] and fault attacks like Rowhammer to mimic limited memory write primitives [12,20,28,29,42,72,76,85,86,92].…”

Section: Related Workmentioning

confidence: 99%

Speculative Probing

Göktaş

Razavi

Portokalidis

et al. 2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

To defeat ASLR or more advanced fine-grained and leakage-resistant code randomization schemes, modern software exploits rely on information disclosure to locate gadgets inside the victim's code. In the absence of such info-leak vulnerabilities, attackers can still hack blind and derandomize the address space by repeatedly probing the victim's memory while observing crash side effects, but doing so is only feasible for crash-resistant programs. However, high-value targets such as the Linux kernel are not crash-resistant. Moreover, the anomalously large number of crashes is often easily detectable. In this paper, we show that the Spectre era enables an attacker armed with a single memory corruption vulnerability to hack blind without triggering any crashes. Using speculative execution for crash suppression allows the elevation of basic memory write vulnerabilities into powerful speculative probing primitives that leak through microarchitectural side effects. Such primitives can repeatedly probe victim memory and break strong randomization schemes without crashes and bypass all deployed mitigations against Spectrelike attacks. The key idea behind speculative probing is to break Spectre mitigations using memory corruption and resurrect Spectrestyle disclosure primitives to mount practical blind software exploits. To showcase speculative probing, we target the Linux kernel, a crash-sensitive victim that has so far been out of reach of blind attacks, mount end-to-end exploits that compromise the system with just-in-time code reuse and data-only attacks from a single memory write vulnerability, and bypass strong Spectre and strong randomization defenses. Our results show that it is crucial to consider synergies between different (Spectre vs. code reuse) threat models to fully comprehend the attack surface of modern systems. CCS CONCEPTS • Security and privacy → Operating systems security.

show abstract

MemJam: A False Dependency Attack Against Constant-Time Crypto Implementations in SGX

Cited by 33 publications

References 36 publications

Plundervolt: Software-based Fault Injection Attacks against Intel SGX

Plundervolt: Software-based Fault Injection Attacks against Intel SGX

ABSynthe: Automatic Blackbox Side-channel Synthesis on Commodity Microarchitectures

Speculative Probing

Contact Info

Product

Resources

About