27th usenix security symposium, baltimore, md, usa, 15-17 ... · the guard’s dilemma efficient...
TRANSCRIPT
The Guard’s DilemmaEfficient Code-Reuse Attacks Against Intel SGX
Andrea Biondo1, Mauro Conti1, Lucas Davi2, Tommaso Frassetto3, Ahmad-Reza Sadeghi3
1 University of Padua, Italy
2 University of Duisburg-Essen, Germany
3 TU Darmstadt, Germany
27th USENIX Security Symposium, Baltimore, MD, USA, 15-17 August 2018
Intel SGX (Software Guard eXtensions)
App
Enclave
App Code
Enclave Code
Entry/exit
Kernel
Encryption
Attestation
Physical memory
Remote server
2
Intel SGX (Software Guard eXtensions)
App
Enclave
App Code
Enclave Code
Entry/exit
Kernel
Encryption
Attestation
Physical memory
Remote server
3
SGX SDK
SGX provides strong isolation.
4
(that’s what it says on the box!)
Just like normal programs,SGX code can have bugs.
5
Control-Flow Attacks
A
CB
D
F
E
Control-FlowHijacking
Shellcode
Code Injection
6
Control-Flow Attacks
A
CB
D
F
E
Control-FlowHijacking
Shellcode
A
CB
D
F
E
Control-FlowHijacking
Gadget
Code Injection Code Reuse(e.g., Return-Oriented Programming)
Write⊕
eXecuteF
7
Control-Flow Attacks
A
CB
D
F
E
Control-FlowHijacking
Shellcode
A
CB
D
F
E
Control-FlowHijacking
Gadget
Code Injection Code Reuse(e.g., Return-Oriented Programming)
Write⊕
eXecute
Control FlowIntegrity
F
8
Related work
Dark-ROP[Lee et al., USENIX
Security 2017]
• Remote attestation + loader = no access to enclave code• ROP still feasible by finding gadgets through oracles
SGX-Shield[Seo et al., NDSS
2017]
• Fine-grained enclave randomization, W⊕X,Software Fault Isolation, Control Flow Integrity
• State-of-the-art hardening scheme
9
The SGX SDK
Source
SGX SDK
App
Enclave
Function 0 Function 1
Function 2 Function 3
Compiler
App Code
Untrusted Runtime System (uRTS)
Trusted Runtime System (tRTS)
App-to-Enclave function call
(ECALL)
10
The SGX SDK
Source
SGX SDK
App
Enclave
Function 0 Function 1
Function 2 Function 3
Compiler
App Code
Untrusted Runtime System (uRTS)
Trusted Runtime System (tRTS)
Enclave-to-App function call
(OCALL)
11
The SGX SDK
Source
SGX SDK
App
Enclave
Function 0 Function 1
Function 2 Exc. Handler
Compiler
App Code
Untrusted Runtime System (uRTS)
Trusted Runtime System (tRTS) Signal
OS KernelAEX
12
Exception
The Guard’s Dilemma
Novel SGX code-reuse attack
Dispatches ROP gadgets
Uses only existing tRTS functionality
Why?
13
Motivation
Widespread SDK usage
Easier exploitation
Existing hardening does not cover tRTS
14
The Basic Idea
App
Enclave
Function 0 Function 1
Function 2 Function 3
Trusted Runtime System (tRTS)
Restore State
State
Counterfeit state
15
The ORET Primitive
OCALL
Save context in OCALL frame
Exit enclave
Execute untrusted function
Re-enter enclave
Restore context (do_oret)
Control-FlowHijacking
Fake OCALL frame
Partial registercontrol
Stack control
16
The CONT Primitive
Exception
Resume enclave
Call exception handlers
Restore exception context (continue_execution)
Control-FlowHijacking
Fake exception context
Full registercontrol
1° argument control
Exit enclave to OS handler
Re-enter, save context, exit (see paper)
17
The ORET+CONT Loop
ORET
rip, rsp rip, rdi, ...
CONT
rip, rdi rip, rsp, *
ROP Gadget
18
Attack Overview
19
① Payload Preparation• Find gadgets• Design gadget chain
② Fake Structures Prep.• n fake exception infos• 1 fake stack (ROP, OCALL)
③ Attack Execution• Launch first CONT
Gadget
ORET
CONT
Fake exc. info 1 Gadget 1
Fake exc. info 2 Gadget 2
Fake exc. info 3 Gadget 3
Fake stack
Example Attack
App
Enclave
vuln_f oth_f
get_key send_file
Trusted Runtime System (tRTS)
ORET: rip, stack → rdi + rip + …
CONT: rdi → rip + all registers Stack
rip
rdi
Other registers
20
SGX-Shield [Seo et al., NDSS 2017]
Source
SGX-Shield Runtime
App
Enclave
Rand. Unit 0 Rand. Unit 1
Rand. Unit 2 Rand. Unit 3SGX-Shield Toolchain
App Code
Untrusted Runtime System (uRTS)
Trusted Runtime System (tRTS)
Fine-grained coderandomization
tRTS is not randomized
SGX SDK
21
Attacking SGX-Shield
Fine-grained code randomization
Reusing tRTS code (not randomized)
Coarse-grained Control Flow Integrity
Return edges are not properly instrumented→ ORET is possible
Other mitigations (SFI, W⊕X) assume CFI
22
SGX-Shield Exploit
Hijack return edge
Untrusted memory
Write shellcode to WX memory
Jump to shellcode
Stage 1ORET+CONT
Gather enclave keys
Copy keys to attacker’s memory
Stage 2Shellcode
23
Mitigations
SDK Hardening
Secret canaries in contexts
Mangling context data
External Hardening
Randomization of SDK code
Stronger CFI
24
Lessons Learned
• SGX presents significant hardening challenges• Strong attacker
• The SDK can increase an enclave’s attack surface• Powerful code-reuse primitives
• Low-level code hidden from sight
25
Conclusion
• We presented a novel code-reuse attack on Intel SGX
• Using «forgotten» code to bypass SoA hardening
• Underlines the need to consider implications of SDK usage
Questions?
26