Slashdot Mirror
SgxSpectre Attack Can Extract Data From Intel SGX Enclaves (bleepingcomputer.com)
An anonymous reader quotes BleepingComputer: A new variation of the Spectre attack has been revealed this week by six scientists from the Ohio State University. Named SgxSpectre, researchers say this attack can extract information from Intel SGX enclaves. Intel Software Guard eXtensions (SGX) is a feature of modern Intel processors that allow an application to create so-called enclaves. This enclave is a hardware-isolated section of the CPU's processing memory where applications can run operations that deal with extremely sensitive details, such as encryption keys, passwords, user data, and more... Neither Meltdown and Spectre were able to extract data from SGX enclaves. This is where SgxSpectre comes in.
According to researchers, SgxSpectre works because of specific code patterns in software libraries that allow developers to implement SGX support into their apps. Vulnerable SGX development kits include the Intel SGX SDK, Rust-SGX, and Graphene-SGX. Academics say an attacker can leverage the repetitive code execution patterns that these SDKs introduce in SGX enclaves and watch for small variations of cache size. This allows for side-channel attacks that allow a threat actor to infer and slowly recover data from secure enclaves.
Intel's recent Spectre patches don't necessarily help, as an attacker can work around these fixes. Intel says an update for the Intel SGX SDK that adds SgxSpectre mitigations will be released on March 16. Apps that implement Google's Retpoline anti-Spectre coding techniques are safe, researchers say.
According to researchers, SgxSpectre works because of specific code patterns in software libraries that allow developers to implement SGX support into their apps. Vulnerable SGX development kits include the Intel SGX SDK, Rust-SGX, and Graphene-SGX. Academics say an attacker can leverage the repetitive code execution patterns that these SDKs introduce in SGX enclaves and watch for small variations of cache size. This allows for side-channel attacks that allow a threat actor to infer and slowly recover data from secure enclaves.
Intel's recent Spectre patches don't necessarily help, as an attacker can work around these fixes. Intel says an update for the Intel SGX SDK that adds SgxSpectre mitigations will be released on March 16. Apps that implement Google's Retpoline anti-Spectre coding techniques are safe, researchers say.
6 dead in Oh High Oh.
Yet another proprietary Intel-only technology that doesn't even work, great job.
Congratulations on your stupid comment.
At least a patch will be available soon for this. Anyone know how many apps out there actually use SGX?
Anyone know how many apps out there actually use SGX?
On Linux (and other open source OS, i.e.: the only distributions where code for nearly all the software is available and can be recompiled with a retpoline-enabled compiler, such as the recent GCC 7.3.1, and thus the only environment where there's any hope for spectre counter measures to be actually deployed):
probably close do zero, anyway.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Wrong.
I think its because of SEVERAL YEARS OF MIS-MANAGEMENT, those whom seek to extract the most with the least effort and get the fuck out before they get caught..
Academics say an attacker can leverage the repetitive code execution patterns that these SDKs introduce in SGX enclaves and watch for small variations of cache size.
How about cache padding?
Whats next??
New xploit.
Send a custom crafted packet or Frame through an applicance, Swtich, router, network interface, CPU, etc that triggers something else (undocumented) like an increased DDOS from the inside at the applicance level. A step ahead, whos to say it cant be hacked to participate in a HUGE DDDOS (Dirty Distributed Denial Of Service)
I am serious, who's to say it's not possible now??
Intel, We'll sell ya shit, and hopefully you'll figure it out long after we are Gone. Intel High Assurance Platforms. We Know you like fancy Terminology.
How well do these cache timing attacks happen when you don't control the hardware and all sorts of other activities are swapping stuff in and out of the cache?
Sounds like the place a Bluray decryption key would be placed.
Rust is perfectly secure! How can so many adamant evangelists be wrong?
Why guess when you can know? Measure!
...I can't wait for the decryption keys for UHD BR to be leaked via this method. Being forced to use an SGX enabled Intel rig for an HTPC with UHD BR capability is bullshit.
Do you think the player program will require you to have the patch for this vulnerability installed in order to play discs? Once such a patch is released, that is.
No. There's a reason DVDs stayed cracked after libdvdcss was released.
True, but BluRay discs are not DVDs. The decryption key will be disabled and all new discs will require the software be updated. The thing about this crack is that there appears to be no way to prevent the new key from also being captured.
You had best write protect your BD rom drive's flash chip then. I'd imagine crapywood's publishers will revoke the keys the second they find a set somewhere. Never mind they'll stop encrypting using them too, so even the write protect only lets you keep using what you have.
First thing to realize regarding these attacks is that SGX protects from other traditional attacks originating from OS. Therefore, there is increased focus on side channel on Intel SGX. I found www.fortanix.com/assets/Fortanix_Side_Channel_Whitepaper.pdf a very comprehensive document. Side channels operate in every digital system. In fact, one can even harden against Spectre type attacks in SGX just like one would outside SGX.
The whitepaper is written by Fortanix guys who are invested in SGX so the whitepaper may be biased but reading through it, seems like side channels are overblown.