Slashdot Mirror

← Back to Stories (view on slashdot.org)

SgxSpectre Attack Can Extract Data From Intel SGX Enclaves (bleepingcomputer.com)

Posted by EditorDavid on from the raising-the-Spectre dept.

An anonymous reader quotes BleepingComputer: A new variation of the Spectre attack has been revealed this week by six scientists from the Ohio State University. Named SgxSpectre, researchers say this attack can extract information from Intel SGX enclaves. Intel Software Guard eXtensions (SGX) is a feature of modern Intel processors that allow an application to create so-called enclaves. This enclave is a hardware-isolated section of the CPU's processing memory where applications can run operations that deal with extremely sensitive details, such as encryption keys, passwords, user data, and more... Neither Meltdown and Spectre were able to extract data from SGX enclaves. This is where SgxSpectre comes in.

According to researchers, SgxSpectre works because of specific code patterns in software libraries that allow developers to implement SGX support into their apps. Vulnerable SGX development kits include the Intel SGX SDK, Rust-SGX, and Graphene-SGX. Academics say an attacker can leverage the repetitive code execution patterns that these SDKs introduce in SGX enclaves and watch for small variations of cache size. This allows for side-channel attacks that allow a threat actor to infer and slowly recover data from secure enclaves.

Intel's recent Spectre patches don't necessarily help, as an attacker can work around these fixes. Intel says an update for the Intel SGX SDK that adds SgxSpectre mitigations will be released on March 16. Apps that implement Google's Retpoline anti-Spectre coding techniques are safe, researchers say.

8 of 28 comments (clear)

  1. Patch: meh... by DrYak · · Score: 1

    Anyone know how many apps out there actually use SGX?

    On Linux (and other open source OS, i.e.: the only distributions where code for nearly all the software is available and can be recompiled with a retpoline-enabled compiler, such as the recent GCC 7.3.1, and thus the only environment where there's any hope for spectre counter measures to be actually deployed):
    probably close do zero, anyway.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Patch: meh... by serviscope_minor · · Score: 1

      On Linux (and other open source OS, i.e.: the only distributions where code for nearly all the software is available and can be recompiled with a retpoline-enabled compiler, such as the recent GCC 7.3.1, and thus the only environment where there's any hope for spectre counter measures to be actually deployed): probably close do zero, anyway.

      Unless you're running Gentoo of course. Then if you accidently look at your computer wrong you'll trigger a full rebuild of everything (with -funroll-ALL-the-things, naturally) and you'll have a fully patched system next month.

      --
      SJW n. One who posts facts.
  2. Does it only work when you control the hardware by jader3rd · · Score: 1

    How well do these cache timing attacks happen when you don't control the hardware and all sorts of other activities are swapping stuff in and out of the cache?

  3. But.. by DCFusor · · Score: 1

    Rust is perfectly secure! How can so many adamant evangelists be wrong?

    --
    Why guess when you can know? Measure!
    1. Re:But.. by HiThere · · Score: 1

      FWIW, this has nothing to do with Rust.

      OTOH, I don't think there's anywhere a claim that things written in Rust are guaranteed to be secure, so that's another problem with your assertion.

      FWIW, this is either a hardware or a microcode flaw, and a high level programming language isn't even going to address the issue.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re:But.. by serviscope_minor · · Score: 1

      Rust is perfectly secure! How can so many adamant evangelists be wrong?

      I've always found the techno-luddism on slashdot interesting. Technology is awesome and amazing and new things are cool except that actually it reached it's peak in 1989 with ANSI C and basically everything else has been downhill from there and none of the news ideas are anything but bloat and cruft (seriously who actually says "cruft" anyway).

      --
      SJW n. One who posts facts.
  4. I recognize that this is by and large bad, but... by Red_Chaos1 · · Score: 2

    ...I can't wait for the decryption keys for UHD BR to be leaked via this method. Being forced to use an SGX enabled Intel rig for an HTPC with UHD BR capability is bullshit.

  5. Intel SGX side channel by NovaSupreme · · Score: 1

    First thing to realize regarding these attacks is that SGX protects from other traditional attacks originating from OS. Therefore, there is increased focus on side channel on Intel SGX. I found www.fortanix.com/assets/Fortanix_Side_Channel_Whitepaper.pdf a very comprehensive document. Side channels operate in every digital system. In fact, one can even harden against Spectre type attacks in SGX just like one would outside SGX.

    The whitepaper is written by Fortanix guys who are invested in SGX so the whitepaper may be biased but reading through it, seems like side channels are overblown.