Hardware Enclave Attacks - University of California, Berkeley
Hardware Enclave Attacks
CS261
Threat Model of Hardware Enclaves
[Figure: a process containing an enclave (enclave code, enclave data), other processes, another enclave, the OS and/or hypervisor, off-chip devices, and the Intel Attestation Service (IAS), with components labelled Trusted or Untrusted.]
Attacks on Hardware Enclaves
• Attacks on Intel services:
  • Traditional server-based attacks (not interesting)
• Attacks on enclave code:
  • Exploiting software vulnerabilities
  • Interesting API-based attacks: Iago attacks (ASPLOS’13)
• Attacks on Intel CPUs:
  • Cache timing side channels, Spectre / Meltdown (Foreshadow)
  • Controlled-channel attacks
Enclave Page Permissions
[Figure: an enclave inside a process, with its pages held in the EPC region of physical memory. Two structures are consulted: 1. EPCM (fields VA, V, RWX, SECS) and 2. Page Table (fields VA, PA, RWX).]
Enclave Page Permission = EPCM[RWX] AND PT[RWX]
Page Faults in Enclaves
[Figure: enclave code in a process executes X = *(addr); on a page in the EPC, and the page fault is delivered to the OS kernel.]
Page Fault, as seen by the OS kernel:
RAX: 00000000
RBX: 00000000
…
RIP: AEP (Async Exit Pointer)
Fault Addr: addr & ~(0xFFF)
Leaking the higher 52 bits (i.e., 64 - 12) of the page fault address
AEP: ERESUME
Target Code
• Input-dependent branches
  if (secret & 0x1) process_one(); else process_zero();
  The two branch targets reside on different pages (Page A, Page B).
• Input-dependent data access
  data_array[secret << 12] = 1;
  Page X: secret = 0
  Page X + 1: secret = 1
  Page X + 2: secret = 2
Distinguishing Same Page Addresses
f1() {
    …
    f2();
    …
    f3();
    …
}
f2() {
    …
    f4();
    …
}
f3() {
    …
    f5();
    …
}
f4() {
    …
}
f5() {
    …
}
Page layout: f1() on Page A; f2() on Page B; f3() on Page C; f4() and f5() on Page D
Page addresses: A B D B A C D
(the first D is f4(), the second D is f5())
Update the Page Table
(Same f1() to f5() code and page layout as above.)
1. All four pages (A, B, C, D) are marked R. Executing on Page A raises a page fault.
2. Page addresses: A. Execution reaches Page B; mark executable (X) to continue.
3. Page addresses: A B D. One page is marked X; the others remain R.
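The fault-driven trace from the slides above as a toy model, added here as an example and not part of the original deck: it applies the EPCM AND PT rule on each instruction fetch and shows that the trace disappears when the page table is left unrestricted. The names os_fault, fetch, run_trace and callee_on_d, and the rule that the handler leaves only the faulting page executable, are assumptions of this model; the deck's sequence A B D B A C D is the first seven entries, after which the model also logs the returns into f3() and f1().

```c
/* Added example (not from the deck): toy model, all names hypothetical. */
#include <stdio.h>
#include <string.h>
enum { PAGE_A, PAGE_B, PAGE_C, PAGE_D, NPAGES };
enum { PERM_R = 1, PERM_X = 4 };
static unsigned epcm[NPAGES] = { 5, 5, 5, 5 }; /* enclave-owned: R|X */
static unsigned pt[NPAGES];                    /* OS-owned page table */
static char trace[64];
static size_t ntrace;

/* OS fault handler: log the page, make only that page executable. */
static void os_fault(int page) {
    trace[ntrace++] = "ABCD"[page];
    trace[ntrace] = '\0';
    for (int p = 0; p < NPAGES; p++) pt[p] = PERM_R;
    pt[page] = PERM_R | PERM_X;
}

/* Instruction fetch: effective permission = EPCM[RWX] AND PT[RWX]. */
static void fetch(int page) {
    if (!(epcm[page] & pt[page] & PERM_X)) os_fault(page);
}

/* Call graph from the slides; a return re-fetches from the caller's page. */
static void f4(void) { fetch(PAGE_D); }
static void f5(void) { fetch(PAGE_D); }
static void f2(void) { fetch(PAGE_B); f4(); fetch(PAGE_B); }
static void f3(void) { fetch(PAGE_C); f5(); fetch(PAGE_C); }
static void f1(void) { fetch(PAGE_A); f2(); fetch(PAGE_A); f3(); fetch(PAGE_A); }

/* hostile=1: every page starts R only; hostile=0: every page is R|X. */
static const char *run_trace(int hostile) {
    ntrace = 0; trace[0] = '\0';
    for (int p = 0; p < NPAGES; p++) pt[p] = hostile ? PERM_R : PERM_R | PERM_X;
    f1();
    return trace;
}
/* Page D holds f4() and f5(); the preceding page tells them apart. */
static int callee_on_d(const char *t, int nth) {
    for (size_t i = 1; t[i]; i++)
        if (t[i] == 'D' && nth-- == 0)
            return t[i - 1] == 'B' ? 4 : t[i - 1] == 'C' ? 5 : -1;
    return -1;
}

int main(void) {
    printf("restricted PT:   %s\n", run_trace(1));
    printf("unrestricted PT: %s\n", run_trace(0));
}
```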
Example: Hunspell Checker
• Phase 1: inserts dictionary into hash buckets
• Phase 2: looks up words from a secret document
Hunspell Insertion
Hash::add_word(std::string word) {
    struct hentry *hp = malloc(…);      // new node
    int i = hash(word);                 // bucket index
    struct hentry *dp = tableptr[i];    // head of the bucket's chain
    while (dp->next != NULL) {          // walk to the last node
        dp = dp->next;
    }
    strcpy(hp->word, word.c_str());
    dp->next = hp;                      // append the new node
}
Pages touched: Page(tableptr[i]) → Page(node 1) → Page(node 2) → … → Page(new node)
Word    Pages
word1   A, D
word2   B, D
word3   A, E
word4   B, D, F
Hunspell Lookup
Hash::lookup(std::string word) {
    int i = hash(word);                 // bucket index
    struct hentry *dp = tableptr[i];    // head of the bucket's chain
    while (dp != NULL) {
        if (!strcmp(dp->word, word.c_str()))
            return dp;                  // found
        dp = dp->next;
    }
    return NULL;                        // not found
}
Pages touched: Page(tableptr[i]) → Page(node 1) → Page(node 2) → …
Word    Pages
word1   A, D
word2   B, D
word3   A, E
word4   B, D, F
Match with the oracle
Side Channels vs Controlled Channels
                | Cache Side Channels | Controlled Channels
Granularity     | Cachelines (64-byte) | Pages (4KB)
Noisiness       | Highly noisy | Noiseless and Lossless
Synchronization | Two-phase synchronization (e.g., PRIME+PROBE, FLUSH+RELOAD) | No synchronization with the victim
Scope           | Common to most platforms | Specific to enclaves
Privileges      | Non-root | Need root privileges
Mitigation
• ASLR (Address Space Layout Randomization)?
  • Not working: can detect entry points and “start-up” patterns
• Self-paging
  • Some architectures (e.g., RISC-V) suggest self-paging in enclaves
  • The OS never gets any page faults
• Detecting attacks
  • Execution time, page fault count, etc.
• Forbidding page faults from enclave code: T-SGX
T-SGX (NDSS’17)
• Intel TSX (Transactional Synchronization Extensions)
• Any fault → abort handler
#include <immintrin.h>   // _xbegin, _xend, _XBEGIN_STARTED
unsigned status;
// Begin a transaction
if ((status = _xbegin()) == _XBEGIN_STARTED) {
    // Run any code
    _xend();
} else {
    // Abort: a page fault inside the transaction lands here
}
• Can forbid all page faults in enclaves (i.e., no paging)
Other Enclave Attacks
• Page table access/dirty bits (USENIX’17)
  • Recently read → access bit; recently written → dirty bit
  • Can be observed without page faults
• Branch Predictor States (USENIX’17)
  • Enclave and non-enclave code share branch predictor states
  • Can observe which branches are taken
• Addresses on memory bus (CCS’13)
  • Every memory command (read / write) is visible on the bus
  • Can observe with a DIMM interposer
Questions?