Recently revealed SmashEx attack targets secure enclaves protected by Intel SGX

A multinational team of researchers has revealed a new attack, dubbed SmashEx, that can be used to collect and corrupt data from secure enclaves built on runtime environments that interact with Intel's Software Guard Extensions (SGX) technology.

Intel SGX is used to enable trusted runtime environments on compatible processors, and the researchers who discovered SmashEx have stated that it “allows user applications to be partitioned into isolated hardware compartments called enclaves, which are protected from privileged system software (for example, hypervisor and operating system).” Enclaves are meant to ensure the security and integrity of their content. Compromising these enclaves could give attackers access to vital information.

SmashEx is not the first attack against Intel SGX; researchers presented the first practical malware targeting the platform in February 2019. The Record also cited 10 other attacks on the technology in its report, showing that it is a fairly popular target.

But the team that discovered SmashEx said the attack was new for several reasons. “SmashEx is the first attack to demonstrate the exception handling attack vector on Intel SGX,” the team said. “SmashEx does not assume any secondary channels or pre-existing memory security bugs in the enclave application code. […] Unlike secondary channel attacks on SGX enclaves such as Spectre and controlled channel attacks, SmashEx can directly corrupt private enclave data and break the integrity of the enclave.”

The researchers shared two screenshots to demonstrate the capabilities of SmashEx. The first contains “an Intel SGX SSL in-enclave RSA private key” that would be used to encrypt secure traffic over the HTTPS protocol. The second shows the team “flushing all enclave data from Open Enclave cURL,” a ubiquitous program that “is used daily by virtually every Internet user in the world,” according to its maintainers. (Open Enclave is Microsoft’s cross-platform software development kit.)

Here’s the good news: Researchers waited until Intel patched SGX and Microsoft patched Open Enclave to disclose their attack. Intel has shared more information about the attack and its mitigation measures under the ID CVE-2021-0186; Microsoft has done the same for Open Enclave via the identifier CVE-2021-33767. Assuming system administrators install these fixes, which is still a dangerous assumption to make, this should limit the reach of SmashEx despite public disclosure of the attack.

Here’s the bad news: Researchers have confirmed that SmashEx can be used against seven other runtime environments from Arm, Google, and Apache, among others. They also stated that “if the runtime you are using is based on any of the runtimes listed above, you are almost certainly affected”, and that other runtime developers should check whether they are affected by this attack as well. Once the affected runtimes are discovered, their developers will need to release their own fixes to resolve this issue.

More information about SmashEx can be found on its website and in the paper detailing the attack. It was discovered by Jinhua Cui, Zhijingcheng Yu and Prateek Saxena from the National University of Singapore as well as Shweta Shinde from ETH Zurich.



Steven L. Nielsen
