Researchers from universities in Singapore, China, and Switzerland have discovered a novel way to compromise the security of SGX, the Trusted Execution Environment provided by Intel. The attack allows a privileged attacker to retrieve secrets processed in a secure enclave, by which the benefit of the enclave is lost. While the attack is based on a weakness in the SGX hardware design, it became exploitable by operating system components that did not mitigate the weakness. Various vendors have released advisories and patches after being informed in May 2021.
SGX (Secure Guard Extension) was developed to offer security to applications, even if the operating system is compromised. This feature would, for instance, allow operating secure internet connections while the system is not immune against malware. While normal applications heavily rely on the operating system, an application running in an SGX enclave would be minimally dependent on the operating system and be able to protect its assets. However, enclaves still need an operating system to manage the enclaves, e.g., to create them and to start sessions.
The new vulnerability affects the management of enclaves, specifically the processing of exceptions. Modern systems support asynchronous exception handling, which is very convenient in complex devices, running many parallel tasks, and having many potential conflict situations. Exceptions allow for smooth handling of special situations, resulting in a good user experience. The operating system’s task is to pass exceptions to the enclave and support stopping and restarting its applications. This is where the vulnerability applies. With the interruption of an enclave application process, the operating system gets temporary access to some registers, as they are copied in order to support reentrancy.
The researchers show that a compromised operating system can actually modify the enclave register backup during exception handling, allowing a hijack of the application and an extraction of its assets. While the attack is complex, in the sense that it requires a compromised operating system, it defeats exactly the purpose of the enclave, to protect an application against an untrusted platform. Although the attack could be prevented with a hardware modification, it can also (more easily) be mitigated by the operating system component that services SGX (the SGX runtime), applying more cautious exception handling.
There are multiple software libraries that offer SGX support, including the Intel SGX SDK, and many of them appeared vulnerable to this attack. All library vendors have been informed and are working on, or provide, solutions. Intel has given this problem an 8.2 score, which is a high risk in the CVSS rating. End users are especially at risk when malware compromises their systems and should be cautious when insufficient malware protection is in place.
As an application provider relying on SGX, you should recompile and distribute your application to work with the patched SGX library. As an end-user, you can update your system with the newest patch to be protected against this attack.
Trusted Execution Environments are an important security enabler in multi-purpose devices and instrumental in the defense against malware. We have to understand that the technology is still young, and therefore anticipate growing pains. While this issue is only one example out of many incidents, it is still good to embrace the concept and keep pushing for more security. Application providers should inform themselves on the state of the art, and demand tested products.
Contributed by Marc Witteman and Team Riscure. If you have any questions, contact us at firstname.lastname@example.org.