The Guard’s DilemmaEfficient Code-Reuse Attacks Against Intel SGX

Andrea Biondo1, Mauro Conti1, Lucas Davi2, Tommaso Frassetto3, Ahmad-Reza Sadeghi3

1 University of Padua, Italy

2 University of Duisburg-Essen, Germany

3 TU Darmstadt, Germany

27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 August 2018

Intel SGX (Software Guard eXtensions)

App

Enclave

App Code

Enclave Code

Entry/exit

Kernel

Encryption

Attestation

Physical memory

Remote server

2

Intel SGX (Software Guard eXtensions)

App

Enclave

App Code

Enclave Code

Entry/exit

Kernel

Encryption

Attestation

Physical memory

Remote server

3

SGX SDK

SGX provides strong isolation.

4

(that’s what it says on the box!)

Just like normal programs,SGX code can have bugs.

5

Control-Flow Attacks

A

CB

D

F

E

Control-FlowHijacking

Shellcode

Code Injection

6

Control-Flow Attacks

A

CB

D

F

E

Control-FlowHijacking

Shellcode

A

CB

D

F

E

Control-FlowHijacking

Gadget

Code Injection Code Reuse(e.g., Return-Oriented Programming)

Write⊕

eXecuteF

7

Control-Flow Attacks

A

CB

D

F

E

Control-FlowHijacking

Shellcode

A

CB

D

F

E

Control-FlowHijacking

Gadget

Code Injection Code Reuse(e.g., Return-Oriented Programming)

Write⊕

eXecute

Control FlowIntegrity

F

8

Related work

Dark-ROP[Lee et al., USENIX

Security 2017]

• Remote attestation + loader = no access to enclave code• ROP still feasible by finding gadgets through oracles

SGX-Shield[Seo et al., NDSS

2017]

• Fine-grained enclave randomization, W⊕X,Software Fault Isolation, Control Flow Integrity

• State-of-the-art hardening scheme

9

The SGX SDK

Source

SGX SDK

App

Enclave

Function 0 Function 1

Function 2 Function 3

Compiler

App Code

Untrusted Runtime System (uRTS)

Trusted Runtime System (tRTS)

App-to-Enclave function call

(ECALL)

10

The SGX SDK

Source

SGX SDK

App

Enclave

Function 0 Function 1

Function 2 Function 3

Compiler

App Code

Untrusted Runtime System (uRTS)

Trusted Runtime System (tRTS)

Enclave-to-App function call

(OCALL)

11

The SGX SDK

Source

SGX SDK

App

Enclave

Function 0 Function 1

Function 2 Exc. Handler

Compiler

App Code

Untrusted Runtime System (uRTS)

Trusted Runtime System (tRTS) Signal

OS KernelAEX

12

Exception

The Guard’s Dilemma

Novel SGX code-reuse attack

Dispatches ROP gadgets

Uses only existing tRTS functionality

Why?

13

Motivation

Widespread SDK usage

Easier exploitation

Existing hardening does not cover tRTS

14

The Basic Idea

App

Enclave

Function 0 Function 1

Function 2 Function 3

Trusted Runtime System (tRTS)

Restore State

State

Counterfeit state

15

The ORET Primitive

OCALL

Save context in OCALL frame

Exit enclave

Execute untrusted function

Re-enter enclave

Restore context (do_oret)

Control-FlowHijacking

Fake OCALL frame

Partial registercontrol

Stack control

16

The CONT Primitive

Exception

Resume enclave

Call exception handlers

Restore exception context (continue_execution)

Control-FlowHijacking

Fake exception context

Full registercontrol

1° argument control

Exit enclave to OS handler

Re-enter, save context, exit (see paper)

17

The ORET+CONT Loop

ORET

rip, rsp rip, rdi, ...

CONT

rip, rdi rip, rsp, *

ROP Gadget

18

Attack Overview

19

① Payload Preparation• Find gadgets• Design gadget chain

② Fake Structures Prep.• n fake exception infos• 1 fake stack (ROP, OCALL)

③ Attack Execution• Launch first CONT

Gadget

ORET

CONT

Fake exc. info 1 Gadget 1

Fake exc. info 2 Gadget 2

Fake exc. info 3 Gadget 3

Fake stack

Example Attack

App

Enclave

vuln_f oth_f

get_key send_file

Trusted Runtime System (tRTS)

ORET: rip, stack → rdi + rip + …

CONT: rdi → rip + all registers Stack

rip

rdi

Other registers

20

SGX-Shield [Seo et al., NDSS 2017]

Source

SGX-Shield Runtime

App

Enclave

Rand. Unit 0 Rand. Unit 1

Rand. Unit 2 Rand. Unit 3SGX-Shield Toolchain

App Code

Untrusted Runtime System (uRTS)

Trusted Runtime System (tRTS)

Fine-grained coderandomization

tRTS is not randomized

SGX SDK

21

Attacking SGX-Shield

Fine-grained code randomization

Reusing tRTS code (not randomized)

Coarse-grained Control Flow Integrity

Return edges are not properly instrumented→ ORET is possible

Other mitigations (SFI, W⊕X) assume CFI

22

SGX-Shield Exploit

Hijack return edge

Untrusted memory

Write shellcode to WX memory

Jump to shellcode

Stage 1ORET+CONT

Gather enclave keys

Copy keys to attacker’s memory

Stage 2Shellcode

23

Mitigations

SDK Hardening

Secret canaries in contexts

Mangling context data

External Hardening

Randomization of SDK code

Stronger CFI

24

Lessons Learned

• SGX presents significant hardening challenges• Strong attacker

• The SDK can increase an enclave’s attack surface• Powerful code-reuse primitives

• Low-level code hidden from sight

25

Conclusion

• We presented a novel code-reuse attack on Intel SGX

• Using «forgotten» code to bypass SoA hardening

• Underlines the need to consider implications of SDK usage

Questions?

26