Scientists have found a way to run malicious code on systems with Intel processors such that antivirus software cannot analyze or identify the malware, using the processor's own features to protect the bad code. As well as making malware in general more difficult to analyze, bad actors could use this protection, for example, to write ransomware programs that never reveal their encryption keys in readable memory, making it very difficult to recover from attacks.
The research, by Michael Schwarz, Samuel Weiser and Daniel Gruss (one of the researchers behind last year's Spectre attack) at Graz University of Technology, uses a feature that Intel introduced with its Skylake processors: SGX (Software Guard eXtensions). SGX lets programs create enclaves in which both the code and the data the code works on are protected to ensure their confidentiality (nothing else on the system can spy on them) and integrity (any tampering with the code or data can be detected). Enclave content is transparently encrypted each time it is written to RAM and decrypted when it is read. The processor controls access to enclave memory: any attempt to access enclave memory from code outside the enclave is blocked; decryption and encryption happen only for code inside the enclave.
SGX has been promoted as a solution to various security problems in which a developer wants to protect code, data, or both from prying eyes. For example, an SGX enclave running on a cloud platform can be used to run proprietary algorithms so that even the cloud provider cannot determine what the algorithms do. On a client machine, an SGX enclave can be used in a similar way to enforce DRM (Digital Rights Management) restrictions; the decryption process and the decryption keys that the DRM uses can be kept in the enclave, so they are not readable by any other part of the system. There are biometric products on the market that use SGX enclaves to process biometric data and store it safely so that it cannot be tampered with.
SGX was designed for this particular threat model: the enclave is trustworthy and contains something sensitive, but everything else (the program, the operating system and even the hypervisor) is potentially hostile. Although there have been attacks on this threat model (e.g. improperly written SGX enclaves may be vulnerable to timing attacks or Meltdown-style attacks), it seems to be robust as long as certain best practices are followed.
Ignore Intel's threat model
The researchers put this robustness to uncomfortable use and ask the question: what happens if it is the code in the enclave that is malicious? By design, SGX will not allow antimalware software to scan or analyze the malicious software. That would make the enclave an attractive place to put malicious code. However, code in an enclave is rather limited. In particular, it has no provision for making operating system calls; it cannot open files, read data from disk or write to disk. All these things must be done outside the enclave. So naively it would seem that a hypothetical SGX-based ransomware application would need a good deal of code outside the SGX enclave: the parts that list all your documents, read them and overwrite them with their encrypted versions would not be protected. Only the encryption operation itself would take place in the enclave.
However, the enclave code has the ability to read and write anywhere in the unencrypted process memory; although nothing outside can look inside the enclave, the enclave can look outside freely. Scientists have used this ability to read the process memory and find the information they need to create a return-oriented programming (ROP) payload to run code of their choosing. These chains consist of small snippets of executable code that are part of the host program, strung together to do what the host program did not intend to do.
This reading and writing required some trickery. If enclave code tries to read unallocated memory, or write to memory that is unallocated or read-only, the usual behavior is for an exception to be raised and for the processor to switch out of the enclave to handle the exception. This would make it impossible to scan the host memory, because once an exception has occurred, the malicious enclave is no longer running and the program is likely to crash. To cope with this problem, the researchers revisited a method that was also useful in the Meltdown attack: they used another Intel processor feature, Transactional Synchronization eXtensions (TSX).
TSX provides a limited form of transactional memory. Transactional memory allows a thread to change a number of different memory locations and then publish those changes in one atomic update, so that other threads see either none of the changes or all of them, without any intermediate stages. If a second thread attempts to change the same memory while the first thread is making its changes, the attempt to publish the changes is aborted.
The purpose of TSX is to make it easier to build multithreaded data structures that do not use locks to protect their changes; done correctly, these can be much faster than locks, especially under heavy load. However, TSX has a very handy side effect: attempts to read or write unallocated or unwritable memory from within a transaction do not give rise to exceptions. Instead, they just abort the transaction. Critically, this transaction abort does not leave the enclave; instead, it is handled inside the enclave.
This gives the malicious enclave everything it needs to do its dirty work. It scans the host process memory to find the components of its ROP payload and somewhere to write that payload, then redirects the processor to run that payload. Usually, the payload would do something like marking a section of memory as executable, so that the malware can put its own set of support functions
Signed, sealed and delivered
The processor will not load just any old code into an enclave. Enclave developers need a "commercial contract" with Intel to create enclaves. Under this agreement, Intel endorses a code-signing certificate belonging to the developer and adds it to a whitelist. A special Intel enclave (implicitly trusted by the processor) checks each piece of code when it is loaded to ensure it is signed with one of the whitelisted certificates. A malware developer may not want to enter into such an agreement with Intel, and the terms of the contract explicitly prohibit the development of SGX malware, although there may be some doubt as to the value of this restriction.
write an enclave that loads a payload and then executes it; the loader would need a whitelisted signature, but the payload would not. This method is useful in any case because, although enclave code runs in encrypted memory, the enclave libraries stored on disk are not encrypted. With dynamic loading, the payload can be encrypted on disk and decrypted only once it is loaded into the enclave. The loader itself would not be malicious, giving some plausible deniability that anything malicious was intended. In fact, an enclave can be completely benign but contain exploitable flaws that allow attackers to inject their malicious code; SGX does not protect against plain old coding errors.
This particular aspect of SGX has been widely criticized because it makes Intel a gatekeeper of sorts for all SGX applications. Accordingly, second-generation SGX systems (including certain processors of the eighth generation or newer) relax this limitation, allowing enclaves that are not signed by Intel's whitelisted signers.
SGX can be used in a way that should not be possible: malware can reside inside an enclave so that the malware's code is never exposed in unencrypted form to the host operating system, including antivirus software. In addition, the malware is not confined to the enclave: it can subvert the host program to reach the operating system APIs, opening the door to attacks such as encrypting a victim's files.
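As an added example (not code from the researchers or from Intel), a defender can check whether a Linux host exposes the features this attack relies on: SGX together with TSX, and the relaxed launch control of second-generation SGX. It assumes Linux's /proc/cpuinfo flag names sgx, sgx_lc, rtm and hle; the sample text is constructed.

```python
# Added example: audit Linux cpuinfo flags for the CPU features the attack
# described above depends on. Flag names are Linux's; SAMPLE is constructed.

# Linux cpuinfo flag -> meaning for the scenario in the article
FEATURES = {
    "sgx": "SGX enclaves available",
    "sgx_lc": "SGX flexible launch control advertised",
    "rtm": "TSX transactions (RTM) available",
    "hle": "TSX lock elision (HLE) available",
}

def cpu_flag_sets(cpuinfo_text):
    """Return one set of flags per logical CPU listed in cpuinfo text."""
    sets = []
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        # Match only the plain "flags" line, not e.g. "vmx flags".
        if sep and key.strip() == "flags":
            sets.append(set(value.split()))
    return sets

def audit(cpuinfo_text):
    """Summarise exposure; a feature counts if any logical CPU reports it."""
    sets = cpu_flag_sets(cpuinfo_text)
    if not sets:
        raise ValueError("no 'flags' lines found; not x86 Linux cpuinfo?")
    seen = set().union(*sets)
    present = {f for f in FEATURES if f in seen}
    return {
        "present": sorted(present),
        # Enclave code plus fault-suppressing transactions: the combination
        # the researchers used to scan host memory without exceptions.
        "enclave_with_tsx": {"sgx", "rtm"} <= present,
        # Second-generation SGX: launch not tied to Intel's whitelist.
        "relaxed_launch": {"sgx", "sgx_lc"} <= present,
    }

# Constructed sample: two logical CPUs with SGX, launch control and TSX.
SAMPLE = """processor : 0
flags : fpu vme sse2 hle rtm sgx sgx_lc avx2
processor : 1
flags : fpu vme sse2 hle rtm sgx sgx_lc avx2
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To audit a real host, pass the contents of /proc/cpuinfo to audit() instead of SAMPLE.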
About this threat model …
This attack is esoteric, but as SGX becomes more common, scientists will increasingly probe it and find ways to subvert and co-opt it. We saw similar things after the introduction of hardware virtualization support; that opened the door to a new variety of rootkit that can hide itself from the operating system, taking a valuable feature and using it for bad things.
Intel was informed of the study by
Intel is aware of this research based on assumptions that are not part of the Intel® SGX threat model. The meaning of Intel SGX is code execution in a protected enclave; however, Intel SGX does not guarantee that the code in the enclave is from a trusted source. In all cases, we recommend using applications, files, applications, and plugins from trusted sources. Customer protection remains our top priority, and we would like to thank Michael Schwarz, Samuel Weiser, and Daniel Gruss for their ongoing research and collaboration with Intel on a coordinated vulnerability disclosure.
In other words, as far as Intel is concerned, SGX works the way it should, protecting the contents of the enclave from the rest of the system. If you run something nasty inside the enclave, the company makes no promises that bad things will not happen to your computer; SGX is simply not designed to protect against that.
That may be so, but SGX gives developers some powerful capabilities they did not have before. "How will bad guys mess with this?" is an obvious question to ask, because if it gives them a certain advantage, mess with it they will.