Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Use Intel SGX To Put Malware Beyond the Reach of Antivirus Software (arstechnica.com)

Posted by BeauHD on from the out-of-reach dept.

An anonymous reader shares an excerpt from an Ars Technica report: Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware can't be analyzed or identified by antivirus software, using the processor's own features to protect the bad code. As well as making malware in general harder to examine, bad actors could use this protection to, for example, write ransomware applications that never disclose their encryption keys in readable memory, making it substantially harder to recover from attacks. The research, performed at Graz University of Technology by Michael Schwarz, Samuel Weiser, and Daniel Gruss (one of the researchers behind last year's Spectre attack), uses a feature that Intel introduced with its Skylake processors called SGX ("Software Guard eXtensions"). SGX enables programs to carve out enclaves where both the code and the data the code works with are protected to ensure their confidentiality (nothing else on the system can spy on them) and integrity (any tampering with the code or data can be detected). The contents of an enclave are transparently encrypted every time they're written to RAM and decrypted upon being read. The processor governs access to the enclave memory: any attempt to access the enclave's memory from code outside the enclave is blocked; the decryption and encryption only occurs for the code within the enclave.

SGX has been promoted as a solution to a range of security concerns when a developer wants to protect code, data, or both, from prying eyes. For example, an SGX enclave running on a cloud platform could be used to run custom proprietary algorithms, such that even the cloud provider cannot determine what the algorithms are doing. On a client computer, the SGX enclave could be used in a similar way to enforce DRM (digital rights management) restrictions; the decryption process and decryption keys that the DRM used could be held within the enclave, making them unreadable to the rest of the system. There are biometric products on the market that use SGX enclaves for processing the biometric data and securely storing it such that it can't be tampered with. SGX has been designed for this particular threat model: the enclave is trusted and contains something sensitive, but everything else (the application, the operating system, and even the hypervisor) is potentially hostile. While there have been attacks on this threat model (for example, improperly written SGX enclaves can be vulnerable to timing attacks or Meltdown-style attacks), it appears to be robust as long as certain best practices are followed.

63 comments

  1. Starforce for the win by zlives · · Score: 4, Insightful

    DRM the gift that keeps on sucking dick.

    sorry about the rough language but this is about all that DRM deserves.

    1. Re:Starforce for the win by 110010001000 · · Score: 1

      Exactly. This is what it was designed for. More restrictions.

    2. Re:Starforce for the win by dryriver · · Score: 2

      Don't worry. All you'll need in the future will be Elon Musk's new AI brain implant chips. Those will - of course - come with no security vulnerabilities whatsoever. So there is no threat of brain-fucking malware or reality-censoring DRM code ever running amock in your now augmented brain and top-quality malware detection like McAffee BrainCleaner not being able to find it. A little more patience, brother. Soon you will not need to use those swiss-cheese Intel CPUs ever again. (Yes, that was sarcasm... Now where did I put that old copy of Neuromancer???)

      --
      Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
    3. Re:Starforce for the win by zlives · · Score: 3, Funny

      Johnny mnemonic called, and he knows kungfu

    4. Re:Starforce for the win by dryriver · · Score: 3, Funny

      Johnny Mnemonic can't make phonecalls right now, because a Windows 10 forced update related reboot-loop has rendered him incapacitated. He is lying facedown in the street thinking "Strawberries! I smell Strawberries!"

      --
      Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
    5. Re:Starforce for the win by zlives · · Score: 1

      "I knew you'd smell good."
      When something happens to you that hasn't happened before, don't you at least have to install chrome

    6. Re:Starforce for the win by Anonymous Coward · · Score: 0

      I agree.

    7. Re:Starforce for the win by arglebargle_xiv · · Score: 3, Insightful

      This confirming Rule 37 for DRM, if a vendor implements consumer-hostile technology for Hollywood, it'll be used as consumer-hostile technology by everyone else.

    8. Re:Starforce for the win by Opportunist · · Score: 1

      Whoa!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:Starforce for the win by Opportunist · · Score: 2

      No, you get burning chrome.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:Starforce for the win by muridae · · Score: 1

      of all the times to not have mod points. I'd trade all tomorrows parties for a few mod points right now!

  2. Computing industry by 110010001000 · · Score: 2

    The computing industry has gone downhill fast. It had a promising start with open systems and software, but now everything is about proprietary crap and hiding what the computer is doing.

    1. Re:Computing industry by dryriver · · Score: 4, Insightful

      That is because the investor capital that powers the computing industry today comes from feckless investors who don't give a crap whether computing goes downhill or uphill. People keep talking about "Intel, AMD, Apple, Nvidia, Microsoft". It is the ANONYMOUS investors who SUPPLY the MONEY that keeps these supposed powerhouses humming that DO NOT CARE what quality of computing gear or software is provided to the end customer. These guys want to put 5 Billion in, and get 15 Billion out 3 years later. Producing IT stuff that "actually works well" is not something they care about, because it is more expensive and cuts into profits. Then there is also the "sociopathic bevavior disorder" that frequently comes with having a lot of cash-slash-power. Its probably lots of fun for these investors to a) sell shit products to the end user and b) make a lot of extra profit BY VIRTUE of selling shit products to the end user. You eat shit while they buy another hotel chain or budget airline. Seriously, it is the completely INVISIBLE and UNACCOUNTABLE investors behind big IT that call the shots, not product engineers at Intel, Apple, or Microsoft. Name 1 computing science graduate you know who would have afflicted the attrocity that was Windows 8/10 on an end user of their own volition. It is the investors BEHIND the companies that are calling the shots in the 21st Century, not people with CS or EE degrees that actually CARE what they give the end user.

      --
      Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
    2. Re:Computing industry by Anonymous Coward · · Score: 0

      lol so make your own or don't use computers

    3. Re:Computing industry by 110010001000 · · Score: 2

      I totally agree. Greed ruined computing when the sociopathic MBAs moved in and pushed the geeks out of the decision making. Pretty sad, but fairly typical. Once money is to be made, the MBAs move in.

    4. Re:Computing industry by 110010001000 · · Score: 1

      I did make my own. What do you think of that "lol"?

    5. Re:Computing industry by dryriver · · Score: 1

      I have a better idea than you. When computer gear or software FUCKS UP as it often does, lets have legislation that lets us get FINANCIAL COMPENSATION directly from the INVESTORS that are behind the company. Example: An Intel CPU flaw lets malware ruin my productivity on a given computer? I get direct compensation from the oil-rich Arab or gas-rich Russian rich person who is responsible for Intel shipping CPUs with eggregious security flaws. See what I did there? Holding the INVESTOR not the PRODUCT ENGINEER responsible for fuckups?

      --
      Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
    6. Re:Computing industry by dryriver · · Score: 1

      The MBAs essentially get paid to divert attention AWAY from the big investors calling the real shots behind the scenes. Everbody focuses on Jimmy J. Doe or whatever, the asshole MBA CEO who takes a once great software or hardware maker and turns it into a manufacturer of turds. It isn't Jimmy J. Doe the MBA who calls the shots - the really big investors do that behind the scenes. Jimmy J. Doe the MBA gets his salary and bonus for APPEARING to run the company. He doesn't. His job is to keep unhappy customer's eyes attention focused laser-like on him, and keep the INVESTORS who PAY him and call the real shots well out of sight. Most IT failures in the last 15 years are not the result of engineers screwing up. The investors order Jimmy J. Doe to build a shit product, Jimmy J. Doe orders the engineers to build a shit product. If the engineers don't do it, well - "you're fired".

      --
      Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
    7. Re:Computing industry by epine · · Score: 1

      It is the investors BEHIND the companies that are calling the shots ...

      You know, if you track it all the way through, the Wizard of Oz has a surprise ending.

      The Man Behind the Curtain
      Big Shadow, Little Creature

      Greedy people do shitty things behind closed doors. News at 11.

    8. Re:Computing industry by 110010001000 · · Score: 1

      The investors are MBAs too. Trust me, I have worked in the industry and know all about private investment funds coming in and changing everything.

    9. Re:Computing industry by Anonymous Coward · · Score: 0

      Don't you think it would be better to hang them?

    10. Re:Computing industry by Anonymous Coward · · Score: 0

      The computing industry has gone downhill fast. [...]

      Yep, because breasts.

    11. Re:Computing industry by AxeTheMax · · Score: 1

      I do see what you did there. You blamed foreigners for issues in products designed and mostly made in the US. Not just any foreigners, but those that are the standard targets of American prejudices.

    12. Re:Computing industry by Opportunist · · Score: 1

      So the solution would be to remove those investors?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    13. Re:Computing industry by Opportunist · · Score: 1

      I was thinking of shooting them, but I like your idea better. Rope's cheaper than bullets and can be reused.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Works as designed by ugen · · Score: 2

    So a protected execution environment is protected from the rest of the system. Works as designed, then. That's the issue with anything (like weapons) - they don't differentiate whether they are used by "good" or "bad" guys (but for practical purposes "bad" guys get a lot more use out of them because they use these tools proactively, whereas "good" guys would only use them reactively).

    1. Re:Works as designed by zlives · · Score: 1

      "(the application, the operating system, and even the hypervisor) is potentially hostile" sounds like it was designed to be used for spyware. I guess it is working as advertised.

  4. It's 2019, let me respond with a meme by Anonymous Coward · · Score: 5, Funny

    Intel: Let's develop an architecture where an application can run with full protection from anything else running on the system.

    Malware authors: *writes malware to run on architecture*

    Intel: surprisedpikachu.png

  5. Opaque Glass House? by Anonymous Coward · · Score: 1

    One rock can shatter it but you don't get the benefit of looking in.

    1. Re:Opaque Glass House? by Opportunist · · Score: 1

      Pretty good analogy, actually.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. So-called benefits that aren't real by Anonymous Coward · · Score: 0

    And major security problems that are very real.

    This is why Gordon Moore got out. Too many sleazy managers out for themselves, lying their way through the hierarchy, contaminating the engineering process with incompetent political drones that keep coming up with crap ideas that they support with lies and marketing dollars.

    1. Re:So-called benefits that aren't real by Narcocide · · Score: 1

      Too true, too true.

  7. Emulate it (but: WHY run malware AND a scanner?) by Anonymous Coward · · Score: 0

    If people insist on running malware like this, can't they just run it in OpenSGX emulation, under QEMU? That ought to keep the actual memory used from being unreadable.

    Of course, it raises the whole damn question of why someone would be running malware and a malware scanner. It seems like if you want one, you wouldn't want the other.

  8. I wonder if you could use this by bobstreo · · Score: 3, Funny

    to mine bitcoins on other peoples computers.

    1. Re:I wonder if you could use this by JustAnotherOldGuy · · Score: 1

      to mine bitcoins on other peoples computers.

      Shhhhhhhhh.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  9. Old news, newly discovered by WoodstockJeff · · Score: 4, Interesting

    Doing a search on how to disable SGX, I found an article on how this can be used to write secure botnets... dated 2014. It's taken this long to publicly announce that this is a "bad thing"?

    1. Re:Old news, newly discovered by Anonymous Coward · · Score: 0

      No, the feature wasn't even released until 2015. And in 2017 it was shown you can use Prime+Probe to bypass the enclave protection with proposed countermeasures released later that year and the next. Similarly, there have been people warning about the dangers of all sorts of boot-time firmware for ages. Or SMM. The only thing this adds is a proof of concept instead of reasonable conjecture.

      So, it's great that the researchers went through the effort. It seems they had to bypass multiple mitigations against their attack to achieve their goal. I definite salute them for showing us the risk is not just hypothetical but real. Having said that, I don't think it really changes anything.

  10. "Hey, here's a knife" by Anonymous Coward · · Score: 0

    "What will you, an average person, do?"
    Guess I'll stab someone because knives can cut, right?

    Sadly almost anything that is particularly useful can be abused the hardest.
    Again, if we liken it to guns vs knives, far easier to control the flow of guns, but how the fuck are you going to control knives? You literally can't. It's a foundation to modern society.
    Good security is a similar problem. If you get so advanced with your security, bad actors can also abuse the absolute hell out of it.

    The only solution I can see, at a rough guess, is trusted security keys given to security companies, which itself open a gaping security hole to the system and basically kills off any smaller security companies usefulness since any random bad actor could use dirty money to make some start-up, beg for access, system broke.
    Then you would need some method to revoke keys, but if a system is already screwed, they could just update the firmware and block your update mechanism. Firmwares can and do lie.
    There's no easy solution to this, because, as always, the computing industry thinks it is a better idea to revoke control from the users of devices via hidden hardware and software interfaces.

    1. Re:"Hey, here's a knife" by Opportunist · · Score: 1

      This thing is closer to a gun than a knife, though. A gun only has one function, it shoots bullets with the intent to hit something. This isn't something you "have to" have to survive. You can pretty much go through your life without ever touching a gun, let alone firing it.

      A knife, on the other hand, is something that you almost have to use. There are certain things in everyday (civilized) life that you can only do sensibly with a knife.

      This is quite similar. You can go through your computer life without ever needing this. Obviously, since it didn't even exist until a couple years ago.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Researchers Find Traces of Liquid Satan on INTEL by Anonymous Coward · · Score: 0

    I picture them researching this like it was a great unsolved problem of science. "How can we Fuck Up Everything, Forever?".

    Thanks Intel, you've finally made the world safer for pay-per-view video streams. God forbid you collect money only once. The security of your rent model will live on, even if nobody feels comfortable sitting in front of your computers ever again. This is real progress. Brilliant, essential technology.

  12. Re:So block sources of it getting to you by Anonymous Coward · · Score: 0

    I guess APK has psychic precognitive powers so his blacklist will always 100% cover every possible site that may host malware. Amazing! He should seriously be on TV. He should also claim that $1 million award for proof of ESP. In fact I bet he already knew I was going to post this!

  13. Too bad the headline isn't reversed by Nkwe · · Score: 1, Insightful

    "Researchers Use Intel SGX To Put Malware Beyond the Reach of Antivirus Software" actually sounds pretty cool from a technical point of view. Terrifying, but also cool. It would have been way cooler if the headline was "Researchers use Intel SGX to Put Operating Systems and their Associated Software Beyond the Reach of Malware" or even better, "Operating System Vendors use Intel SGX to Protect their Users from Malware"

  14. So block sources of it getting to you by Anonymous Coward · · Score: 0

    See subject: Via APK Hosts File Engine 2.0++ 64-bit for Linux/BSD h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p

    Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less.

    Vs. "Bolt on 'MoAr' illogic-logic" slowing u hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploit!

    * ONLY 1 of its kind in GUI 4 Linux (soon 4 MacOS).

    APK

    P.S.=> Protects vs. scripts/trackers (kernelmode faster vs. usermode slower NoScript vs. 3rd party script)/ads/DNS request tracking + redirect poisoned or downed DNS/botnets/malware download/malcript/email malicious payload

  15. Re:So block sources of it getting to you by Anonymous Coward · · Score: 0

    No one wants to hear your bullshit. If they did they would have said "APK can you come and smear some of your host file bullshit all over the page". Since this didn't happen you can be assured that no one wants to hear from you. You add nothing to this discussion.

  16. Is this a Windows only vulnerability, or...? by rnmartinez · · Score: 1

    Is this pretty much an every OS issue like Spectre/Meltdown?

    1. Re:Is this a Windows only vulnerability, or...? by Altrag · · Score: 1

      It's in the chip so.. every intel-based system is vulnerable. Just a question of how easy through os makes it to abuse those powers.. and pretty much all os' will make it easy (at least for admin/root/whatever) because that's the entire function -- you can't enable "good" uses without also enabling "bad" uses.
      Of course that only becomes relevant once average consumers care about "good" usages (playing movies or games or whatever drm crap it's actually a designed for.) Prior to that happening, consumer-focused os' can just leave the feature disabled/blocked.

  17. Wonderful by JustAnotherOldGuy · · Score: 1

    "Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware can't be analyzed or identified by antivirus software, using the processor's own features to protect the bad code"

    Well now we're fucked.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  18. Re:So block sources of it getting to you by Anonymous Coward · · Score: 0

    Vs. "Bolt on 'MoAr' illogic-logic" slowing u hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploit!

    You do realize that this is gibberish, right?

    I mean really- just try and read it and you'll see it's pure word salad.

    Even if what you're so desperately trying to say is true, it's an indecipherable word-stream that looks like it was written by a tweaker. Why would I ever consider buying or using a product that looks like the description was taken straight out of a bad Scrabble game?

  19. Re:So block sources of it getting to you by Anonymous Coward · · Score: 0

    Sounds like you don't want anyone hearing truth apk put out based on YOUR bullshit.

  20. Re:So block sources of it getting to you by Anonymous Coward · · Score: 0

    It's not anyone's fault you can't read but your own you illiterate troll.

  21. Hosts efficacy recently vs. threats by Anonymous Coward · · Score: 0

    See subject & results in https://tech.slashdot.org/comm... https://yro.slashdot.org/comme... https://it.slashdot.org/commen... https://linux.slashdot.org/com... https://news.slashdot.org/comm... https://apple.slashdot.org/com... https://it.slashdot.org/commen... https://it.slashdot.org/commen... https://it.slashdot.org/commen... https://it.slashdot.org/commen... https://it.slashdot.org/commen... https://it.slashdot.org/commen... https://search.slashdot.org/co... https://it.slashdot.org/commen... https://it.slashdot.org/commen... https://tech.slashdot.org/comm... https://tech.slashdot.org/comm... https://apple.slashdot.org/com... https://tech.slashdot.org/comm... https://it.slashdot.org/commen... https://tech.slashdot.org/comm... https://tech.slashdot.org/comm... https://science.slashdot.org/c...

    * That's only recently while I've been on Linux (July 2018) & 100's of times vs. MANY other botnets/malwares etc. in the past circa 2006-early 2018 while I was on Windows: CONCRETE VERIFIABLE UNDENIABLE REALITY (see those links as proof). ... & that's ONLY what /. reported on (there were FAR more)

    APK

    P.S.=> "It's working: Neville... it's working!" - "I AM LEGEND" + HOSTNAME USE IS DOWN IN MALWARE https://unit42.paloaltonetwork... (my ACT OF FAITH is JUSTIFIED by fact)... apk

  22. "reasearchers" by Anonymous Coward · · Score: 0

    Really fucking helpful research there guys.

    I'd call this more like weapons development and then advertising for a buyer.

    Research. Riiigghhht.

  23. Yes, since the CPU is not the OS. by Anonymous Coward · · Score: 0

    As you may have read correctly, this is a hardware feature. And unless you use a custom-etched ROM chip for your OS, that means it's OS independent. :)

  24. Features that make developers smile by Errol+backfiring · · Score: 1

    I clearly recall Internet Explorer being announced with "Features that make developers smile". I think this was IE6 And yes, it made all hackers laugh out loud. It made developers cry off course about the new load of attack vectors. "SGX has been promoted as a solution to a range of security concerns when a developer wants to protect code, data, or both, from prying eyes." It does not take more than two seconds to realize that this "feature" is far more beneficial to malware than to user-approved software. Intel is the new Microsoft. IE6 seems to have become a feature of the processor.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  25. Re:Emulate it (but: WHY run malware AND a scanner? by Opportunist · · Score: 1

    When you're analyzing what malware does, you want to run malware. Preferably in a lab condition where you can watch and analyze what it does. So you can then create a malware scanner that finds and neutralizes the threat.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  26. Here's the solution! by Anonymous Coward · · Score: 0

    Now all we need is a way to run _all_ of our own software in the same sort of isolated environment, so that the malware can't find out what _we_ are doing!

    Oh, wait a minute...

  27. What? by Anonymous Coward · · Score: 0

    "Found a way"? I think it is more like it is being used as advertised? Only it is of bad intention. Duh not a research !

  28. how i enlarged my penis by Anonymous Coward · · Score: 0

    There are still real herbal doctors out there, despite the fact that there are lot of scammers out there that claim to be doctors, I got my penis enlarged with the help of Dr. Okpoko, and he also provided remedy for me which cured me from premature ejaculation and erectile dysfunction, I haven't been able to satisfy my wife since I got married, until I decided to check online on the internet if I could get help to my problem, so luckily I met his email address on one of the site I checked, I saw where his email was posted with a testimonial of how he help cured a guy from erectile dysfunction, so I decided to contact him and explain to him my own present predicament, and he promised to help me out, I thought he was trying to take advantage of me and just get my money because I have lost a lot of money in the past trying to get over this problem, but to my greatest surprise, he actually provided a solution for me as we agreed, after he received money from me to get the items he used in preparing the remedy he sent to me,
    if there is anyone here that need remedy to erectile dysfunction, premature ejaculatuion or anyone that need penis enlargement, kindly contact him on his email address and be a happy man and make your wife or girl friend happy as well
    his email address is
    adamokpoko@gmail.com or whatsApp him on +2348151731392

    he also has cure to various diseases such as cancer, herpes, leukemia, kidney problems, diabetes and lots more,
    THANK YOU FOR READING

  29. I feel nostalgic... by vbdasc · · Score: 1

    I feel nostalgic for the times when customer backlash forced Intel to withdraw the "Processor Serial Number" misfeature from their new Pentium III CPUs. And this was back when the x86 architecture was the undisputed king, not on the path to irrelevance like it's now.