SmashEx, an attack on Intel SGX to extract data or execute code

Researchers from the University of Defense Science and Technology of the People's Liberation Army, the National University of Singapore and the Swiss Higher Technical School in Zurich have developed a new method of attacking isolated Intel SGX (Software Guard eXtensions) enclaves.

The attack is called SmashEx, and it stems from re-entrancy problems in exception handling in the runtime components for Intel SGX. Given control over the operating system, the proposed method allows an attacker to determine confidential data located in the enclave, or to copy their own code into enclave memory and execute it.

Recall that SGX technology appeared in sixth-generation Intel Core processors (Skylake) and offers a set of instructions that let user-level applications allocate private memory areas, called enclaves, whose contents cannot be read or changed even by the kernel or by code executing in ring0, SMM and VMM modes.

It is impossible to transfer control to code in the enclave using traditional jump functions and manipulation of registers and the stack; the specially created EENTER, EEXIT and ERESUME instructions, which perform authorization checks, are used to transfer control to the enclave. At the same time, code placed in the enclave can use classic calling methods to call functions within the enclave and a special instruction to call external functions. Enclave memory encryption is used to protect against hardware attacks, such as connecting to a DRAM module.

The problem is that SGX allows the operating system to interrupt the execution of an enclave by raising a hardware exception, and the primitives for atomic handling of such exceptions are not properly implemented in enclaves. Unlike the operating system kernel and regular applications, code inside enclaves does not have access to primitives for organizing atomic actions during asynchronous exception handling. Without these atomic primitives, the enclave can be interrupted at any time and run again, even while critical sections are executing in the enclave and it is in an insecure state (for example, when CPU registers have not been saved or restored).

For normal operation, SGX allows the execution of an enclave to be interrupted by configurable hardware exceptions. This feature lets enclave runtimes implement exception handling or signal handling within the enclave, but it can also cause re-entrancy errors. The SmashEx attack exploits flaws in the SDK, which does not properly handle the case of the exception handler being called again. Importantly, to exploit the vulnerability the attacker must be able to interrupt the execution of the enclave, that is, must control the system environment.

After raising an exception, the attacker gets a small window of time during which the flow of execution can be intercepted by manipulating the input parameters. In particular, with access to the system (the environment outside the enclave), it is possible to raise a new exception immediately after the instruction that enters the enclave (EENTER) has executed. This returns control to the system at a stage where the stack setup for the enclave has not yet been completed and the state of the CPU registers is saved.

The system can then return control to the enclave, but since the enclave stack was not configured at the time of the interrupt, the enclave will run with a stack that resides in system memory, which can be used to apply return-oriented programming (ROP) exploitation techniques.
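The window described above can be modelled in a few lines of C. This is an added example, not code from the Intel SGX SDK, Open Enclave or the researchers; the address layout, the frame size and all function names are constructed for the model. It contrasts a re-entered handler that builds its frame below whatever stack pointer was saved with one that first verifies the frame lies in enclave memory.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed layout for this model only; not real SGX addresses. */
#define ENCLAVE_BASE      0x7000000000ULL
#define ENCLAVE_SIZE      0x100000ULL
#define ENCLAVE_STACK_TOP (ENCLAVE_BASE + 0x80000ULL)
#define HOST_STACK_TOP    0x7ffd0000ULL   /* memory the OS controls */
#define HANDLER_FRAME     0x200ULL        /* bytes the handler pushes */

enum outcome { ON_ENCLAVE_STACK, ON_HOST_STACK, REJECTED };

/* Overflow-safe test that [addr, addr+len) lies inside the enclave. */
static int in_enclave(uint64_t addr, uint64_t len) {
    return len <= ENCLAVE_SIZE && addr >= ENCLAVE_BASE &&
           addr - ENCLAVE_BASE <= ENCLAVE_SIZE - len;
}

/* Stack pointer saved when the entry path is interrupted.
   step 0: right after EENTER, stack switch not done yet.
   step 1: enclave stack already installed. */
static uint64_t saved_rsp_at(int step) {
    return step == 0 ? HOST_STACK_TOP : ENCLAVE_STACK_TOP;
}

/* Re-entered handler that builds its frame below whatever rsp was saved. */
static enum outcome handle_unchecked(uint64_t saved_rsp) {
    uint64_t frame = saved_rsp - HANDLER_FRAME;
    return in_enclave(frame, HANDLER_FRAME) ? ON_ENCLAVE_STACK : ON_HOST_STACK;
}

/* Hardened variant: refuse to run unless the frame is enclave memory. */
static enum outcome handle_checked(uint64_t saved_rsp) {
    if (saved_rsp < HANDLER_FRAME ||
        !in_enclave(saved_rsp - HANDLER_FRAME, HANDLER_FRAME))
        return REJECTED;
    return ON_ENCLAVE_STACK;
}

enum outcome simulate(int step, int hardened) {
    uint64_t rsp = saved_rsp_at(step);
    return hardened ? handle_checked(rsp) : handle_unchecked(rsp);
}

int main(void) {
    static const char *name[] = { "enclave stack", "host stack", "rejected" };
    for (int step = 0; step < 2; step++)
        printf("step %d: unchecked=%s checked=%s\n", step,
               name[simulate(step, 0)], name[simulate(step, 1)]);
    return 0;
}
```

The bounds check is one illustrative mitigation for the model; the page does not describe how the SDK patches actually close the window.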

With the ROP technique, the attacker does not try to place their own code in memory, but instead operates on pieces of machine instructions already available in the loaded libraries that end with a control return instruction (as a rule, these are the ends of library functions). The exploit's work comes down to building a chain of calls to such blocks ("gadgets") to obtain the required functionality.

Exploit prototypes were prepared for enclaves with runtimes based on the Intel SGX SDK (CVE-2021-0186) and Microsoft OpenEnclave (CVE-2021-3376).

In the first case, the ability to extract the RSA key used in the web server for HTTPS was demonstrated, and in the second case, it was possible to determine the content received by the cURL utility running inside the enclave.

The vulnerability has already been patched in software, in Intel SGX SDK 2.13 and Open Enclave 0.17.1.

Source: https://jasonyu1996.github.io

