Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware cannot be analyzed or identified by antivirus software, using the processor's own features to protect the bad code. As well as making malware generally more difficult to examine, bad actors could use this protection to, for example, write ransomware applications that never reveal their encryption keys in readable memory, making it more difficult to recover from attacks.
The research, carried out at Graz University of Technology by Michael Schwarz, Samuel Weiser, and Daniel Gruss (one of the researchers behind the Spectre attack last year), uses a feature introduced by Intel with Skylake processors called SGX ("Software Guard eXtensions"). SGX allows programs to set up enclaves where both the code and the data the code operates on are protected to ensure their confidentiality (nothing else on the system can spy on them) and integrity (any tampering with the code or data is detected). The contents of an enclave are transparently encrypted every time they are written to RAM and decrypted when read. The processor governs access to the enclave memory: any attempt to access the enclave memory from code outside the enclave is blocked; decryption and encryption occur only for code within the enclave.
SGX is promoted as a solution to a range of security concerns where a developer wants to protect code, data, or both, from prying eyes. For example, an SGX enclave running on a cloud platform can be used to run custom proprietary algorithms, such that even the cloud provider cannot determine what the algorithms do. On a client computer, an SGX enclave can be used in a similar way to implement DRM (digital rights management) restrictions; the decryption process and decryption keys used by the DRM can be kept within the enclave, where they cannot be read by the rest of the system. There are biometric products on the market that use SGX enclaves for processing biometric data and storing it securely so that it cannot be tampered with.
SGX is designed for a particular threat model: the enclave is trusted and contains something sensitive, but everything else (the application, the operating system, and even the hypervisor) is potentially hostile. Although this threat model is not free of threats (for example, improperly written SGX enclaves may be vulnerable to attacks, including Meltdown-style attacks), it appears to hold up as long as certain best practices are followed.
Ignore Intel's threat model
The researchers use that protection for nefarious purposes and consider the question: what happens if it is the code in the enclave that is malicious? SGX by design makes it impossible for antimalware software to inspect or analyze the running malware. That would make it a good place to put malicious code. However, code in an enclave is strictly restricted. In particular, it has no provision to make calls to the operating system; it cannot open files, read data from disk, or write to disk. All of those things have to be done from outside the enclave. It would therefore appear that a hypothetical SGX ransomware application would need considerable code outside the SGX enclave: the pieces that list all your documents, read them, and overwrite them with their encrypted versions would not be protected. Only the encryption itself would occur within the enclave.
However, the enclave code is capable of reading and writing anywhere in the process's memory outside the enclave; whereas nothing outside the enclave may look inside, anything within the enclave is free to look outside. The researchers use this ability to scan through the memory of the process and find the information needed to build a return-oriented programming (ROP) payload that runs code of their choosing. This chains together small fragments of executable code that are part of the host application to do things that the host application did not intend.
Some trickery is needed to carry out this reading and writing. If the enclave code attempts to read unmapped memory, or to write to memory that is unmapped or read-only, the usual behavior is for an exception to be generated and for the processor to switch out of the enclave to handle the exception. That would make scanning the host's memory impossible, since once the exception occurs, the malicious enclave is no longer running, and in all probability the program crashes. To cope with this, the researchers revived a technique that was also found to be useful in the Meltdown attack: they use another feature of the Intel processor, Transactional Synchronization eXtensions (TSX).
TSX provides a constrained form of transactional memory. Transactional memory allows a thread to change a group of different memory locations and then publish the changes in a single atomic update, such that other threads see either none of the changes or all of the changes, without ever seeing any of the intermediate, partially written stages. If a second thread attempts to change the same memory while the first thread is making all its changes, then the attempt to publish the changes is aborted.
The purpose of TSX is to make it easier to develop multithreaded data structures that do not use locks to protect their modifications; done correctly, these can be faster than locked structures, especially under heavy load. But TSX has a side effect that is particularly convenient: attempts to read or write unmapped or otherwise prohibited memory from within a transaction do not result in exceptions. Instead, they simply abort the transaction. Critically, this transaction abort does not leave the enclave; instead, it is handled inside the enclave.
This gives the malicious enclave all it needs to do its dirty work. It scans the memory of the host process to find the components for its ROP payload and a place to write the payload, then redirects the processor to run the payload. Typically the payload does something like mark a section of memory as executable, so the malware can put its own set of supporting functions (for example, ransomware needs to list files, open them, read them, and then overwrite them) somewhere it can access them. The critical encryption occurs within the enclave, which makes it impossible to get the encryption key or even to study the malware to find out what algorithm it uses to encrypt data.
Signed, sealed, and delivered
Not just any old code can be loaded into an enclave. Enclave developers need a "commercial agreement" with Intel to develop enclaves. Under this agreement, Intel grants the developer a code-signing certificate and adds it to a whitelist. A special enclave built by Intel (which is explicitly trusted by the processor) then checks each piece of code as it is loaded to make sure it has been signed by one of the whitelisted certificates. A malware developer may not want to enter into such an agreement with Intel, and the terms of the agreement expressly prohibit the development of malware on SGX, although one may question what this restriction is worth.
This can be circumvented by writing an enclave that loads a payload from disk and then executes it; the loader needs a whitelisted signature, but the payload does not. This strategy is useful anyway, because while enclave code runs in encrypted memory, the enclave libraries stored on disk are not themselves encrypted. With dynamic loading, the on-disk payload can be encrypted and decrypted only once it has been loaded into the enclave. The loader itself would not be malicious, giving some amount of plausible deniability that anything nefarious was intended. In fact, an enclave may be perfectly benign but contain flaws that allow attackers to inject their malicious code into it; SGX does not protect against plain old coding errors.
This particular aspect of SGX has been widely criticized, as it makes Intel an overseer of sorts for all SGX applications. Accordingly, second-generation SGX systems (which include some processors branded eighth generation or newer) relax this restriction, making it possible to start enclaves that are not signed by Intel's whitelisted signers.
Thus, the research shows that SGX can be used in a way that should not be possible: malware can live within a protected enclave such that the unencrypted malware code is never exposed to the host operating system, including antivirus software. Additionally, the malware is not confined by the enclave: it can subvert the host application to access operating system APIs, opening the door to attacks such as ransomware-style encryption of a victim's files.
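For defenders taking stock of which machines combine the features described above, the following added example (not code from the researchers or from Intel) reads the CPU flags that Linux lists in /proc/cpuinfo. The flag names sgx, rtm and sgx_lc are the ones Linux uses; reading sgx_lc as the relaxed launch restriction of second-generation SGX systems is this example's assumption, and both sample inputs are constructed.

```python
# Added example, not from the research: read the feature flags Linux lists in
# /proc/cpuinfo and report which prerequisites named in the article are present.
# A missing flag means the running kernel does not expose the feature; it does
# not prove the silicon lacks it. Both cpuinfo samples below are constructed.

SAMPLE_WHITELIST_HOST = (
    "processor\t: 0\n"
    "flags\t\t: fpu sse2 avx2 hle rtm sgx\n"
    "\n"
    "processor\t: 1\n"
    "flags\t\t: fpu sse2 avx2 hle rtm sgx\n"
)
SAMPLE_FLEXIBLE_HOST = "processor\t: 0\nflags\t\t: fpu sse2 avx2 sgx sgx_lc\n"


def cpu_flags(cpuinfo_text):
    """Union of the 'flags' entries of every logical CPU in the text."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            flags.update(value.split())
    return flags


def assess(cpuinfo_text):
    """Map the flags onto the three conditions the article describes."""
    flags = cpu_flags(cpuinfo_text)
    report = {
        "sgx": "sgx" in flags,                 # enclaves can be created at all
        "tsx": "rtm" in flags,                 # TSX transactions are available
        "flexible_launch": "sgx_lc" in flags,  # assumption: relaxed launch check
    }
    if not report["sgx"]:
        report["summary"] = "no enclaves: technique not applicable"
    elif not report["tsx"]:
        report["summary"] = "enclaves without TSX: bad accesses raise exceptions"
    elif report["flexible_launch"]:
        report["summary"] = "SGX and TSX present, launch whitelist relaxed"
    else:
        report["summary"] = "SGX and TSX present, Intel launch whitelist applies"
    return report


if __name__ == "__main__":
    for name, text in (("whitelist host", SAMPLE_WHITELIST_HOST),
                       ("flexible host", SAMPLE_FLEXIBLE_HOST)):
        print(name, "->", assess(text)["summary"])
```

On a real Linux host, pass the contents of /proc/cpuinfo to assess() instead of the constructed samples.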
About the threat model …
The attack is esoteric, but as SGX becomes more common, researchers will find more and more ways to subvert and co-opt it. We have seen similar things with the introduction of hardware virtualization support, which opened the door to a new breed of rootkit that could hide itself from the operating system, taking a valuable feature and using it for bad things.
Intel is aware of the research and gave this response:
Intel knows this research is based on assumptions that are outside the threat model for Intel® SGX. The cost of Intel SGX is to carry out the code in a protected enclave; however, Intel SGX does not guarantee that the code implemented in the enclave is from a trusted source. In all cases, we recommend using programs, files, apps, and plugins from trusted sources. Protecting customers will continue to be a critical priority for us, and we would like to thank Michael Schwarz, Samuel Weiser, and Daniel Gruss for their continued research and for Intel work on interdisciplinary disclosure weakness.
In short, as far as Intel is concerned, SGX is working as it should, protecting enclave contents from the rest of the system. If you run something bad inside the enclave, the company makes no promises that bad things will not happen on your computer; SGX is simply not designed to protect against that.
That may be so, but SGX gives developers some powerful capabilities they did not have before. "How can bad people abuse this?" is an obvious question to ask, because if it gives them some advantage, they will abuse it.