Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Use Intel SGX To Put Malware Beyond the Reach of Antivirus Software (arstechnica.com)

Posted by BeauHD on from the out-of-reach dept.

An anonymous reader shares an excerpt from an Ars Technica report: Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware can't be analyzed or identified by antivirus software, using the processor's own features to protect the bad code. As well as making malware in general harder to examine, bad actors could use this protection to, for example, write ransomware applications that never disclose their encryption keys in readable memory, making it substantially harder to recover from attacks. The research, performed at Graz University of Technology by Michael Schwarz, Samuel Weiser, and Daniel Gruss (one of the researchers behind last year's Spectre attack), uses a feature that Intel introduced with its Skylake processors called SGX ("Software Guard eXtensions"). SGX enables programs to carve out enclaves where both the code and the data the code works with are protected to ensure their confidentiality (nothing else on the system can spy on them) and integrity (any tampering with the code or data can be detected). The contents of an enclave are transparently encrypted every time they're written to RAM and decrypted upon being read. The processor governs access to the enclave memory: any attempt to access the enclave's memory from code outside the enclave is blocked; the decryption and encryption only occurs for the code within the enclave.

SGX has been promoted as a solution to a range of security concerns when a developer wants to protect code, data, or both, from prying eyes. For example, an SGX enclave running on a cloud platform could be used to run custom proprietary algorithms, such that even the cloud provider cannot determine what the algorithms are doing. On a client computer, the SGX enclave could be used in a similar way to enforce DRM (digital rights management) restrictions; the decryption process and decryption keys that the DRM used could be held within the enclave, making them unreadable to the rest of the system. There are biometric products on the market that use SGX enclaves for processing the biometric data and securely storing it such that it can't be tampered with. SGX has been designed for this particular threat model: the enclave is trusted and contains something sensitive, but everything else (the application, the operating system, and even the hypervisor) is potentially hostile. While there have been attacks on this threat model (for example, improperly written SGX enclaves can be vulnerable to timing attacks or Meltdown-style attacks), it appears to be robust as long as certain best practices are followed.

38 of 63 comments (clear)

  1. Starforce for the win by zlives · · Score: 4, Insightful

    DRM the gift that keeps on sucking dick.

    sorry about the rough language but this is about all that DRM deserves.

    1. Re:Starforce for the win by 110010001000 · · Score: 1

      Exactly. This is what it was designed for. More restrictions.

    2. Re:Starforce for the win by dryriver · · Score: 2

      Don't worry. All you'll need in the future will be Elon Musk's new AI brain implant chips. Those will - of course - come with no security vulnerabilities whatsoever. So there is no threat of brain-fucking malware or reality-censoring DRM code ever running amock in your now augmented brain and top-quality malware detection like McAffee BrainCleaner not being able to find it. A little more patience, brother. Soon you will not need to use those swiss-cheese Intel CPUs ever again. (Yes, that was sarcasm... Now where did I put that old copy of Neuromancer???)

      --
      Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
    3. Re:Starforce for the win by zlives · · Score: 3, Funny

      Johnny mnemonic called, and he knows kungfu

    4. Re:Starforce for the win by dryriver · · Score: 3, Funny

      Johnny Mnemonic can't make phonecalls right now, because a Windows 10 forced update related reboot-loop has rendered him incapacitated. He is lying facedown in the street thinking "Strawberries! I smell Strawberries!"

      --
      Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
    5. Re:Starforce for the win by zlives · · Score: 1

      "I knew you'd smell good."
      When something happens to you that hasn't happened before, don't you at least have to install chrome

    6. Re:Starforce for the win by arglebargle_xiv · · Score: 3, Insightful

      This confirming Rule 37 for DRM, if a vendor implements consumer-hostile technology for Hollywood, it'll be used as consumer-hostile technology by everyone else.

    7. Re:Starforce for the win by Opportunist · · Score: 1

      Whoa!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:Starforce for the win by Opportunist · · Score: 2

      No, you get burning chrome.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:Starforce for the win by muridae · · Score: 1

      of all the times to not have mod points. I'd trade all tomorrows parties for a few mod points right now!

  2. Computing industry by 110010001000 · · Score: 2

    The computing industry has gone downhill fast. It had a promising start with open systems and software, but now everything is about proprietary crap and hiding what the computer is doing.

    1. Re:Computing industry by dryriver · · Score: 4, Insightful

      That is because the investor capital that powers the computing industry today comes from feckless investors who don't give a crap whether computing goes downhill or uphill. People keep talking about "Intel, AMD, Apple, Nvidia, Microsoft". It is the ANONYMOUS investors who SUPPLY the MONEY that keeps these supposed powerhouses humming that DO NOT CARE what quality of computing gear or software is provided to the end customer. These guys want to put 5 Billion in, and get 15 Billion out 3 years later. Producing IT stuff that "actually works well" is not something they care about, because it is more expensive and cuts into profits. Then there is also the "sociopathic bevavior disorder" that frequently comes with having a lot of cash-slash-power. Its probably lots of fun for these investors to a) sell shit products to the end user and b) make a lot of extra profit BY VIRTUE of selling shit products to the end user. You eat shit while they buy another hotel chain or budget airline. Seriously, it is the completely INVISIBLE and UNACCOUNTABLE investors behind big IT that call the shots, not product engineers at Intel, Apple, or Microsoft. Name 1 computing science graduate you know who would have afflicted the attrocity that was Windows 8/10 on an end user of their own volition. It is the investors BEHIND the companies that are calling the shots in the 21st Century, not people with CS or EE degrees that actually CARE what they give the end user.

      --
      Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
    2. Re:Computing industry by 110010001000 · · Score: 2

      I totally agree. Greed ruined computing when the sociopathic MBAs moved in and pushed the geeks out of the decision making. Pretty sad, but fairly typical. Once money is to be made, the MBAs move in.

    3. Re:Computing industry by 110010001000 · · Score: 1

      I did make my own. What do you think of that "lol"?

    4. Re:Computing industry by dryriver · · Score: 1

      I have a better idea than you. When computer gear or software FUCKS UP as it often does, lets have legislation that lets us get FINANCIAL COMPENSATION directly from the INVESTORS that are behind the company. Example: An Intel CPU flaw lets malware ruin my productivity on a given computer? I get direct compensation from the oil-rich Arab or gas-rich Russian rich person who is responsible for Intel shipping CPUs with eggregious security flaws. See what I did there? Holding the INVESTOR not the PRODUCT ENGINEER responsible for fuckups?

      --
      Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
    5. Re:Computing industry by dryriver · · Score: 1

      The MBAs essentially get paid to divert attention AWAY from the big investors calling the real shots behind the scenes. Everbody focuses on Jimmy J. Doe or whatever, the asshole MBA CEO who takes a once great software or hardware maker and turns it into a manufacturer of turds. It isn't Jimmy J. Doe the MBA who calls the shots - the really big investors do that behind the scenes. Jimmy J. Doe the MBA gets his salary and bonus for APPEARING to run the company. He doesn't. His job is to keep unhappy customer's eyes attention focused laser-like on him, and keep the INVESTORS who PAY him and call the real shots well out of sight. Most IT failures in the last 15 years are not the result of engineers screwing up. The investors order Jimmy J. Doe to build a shit product, Jimmy J. Doe orders the engineers to build a shit product. If the engineers don't do it, well - "you're fired".

      --
      Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
    6. Re:Computing industry by epine · · Score: 1

      It is the investors BEHIND the companies that are calling the shots ...

      You know, if you track it all the way through, the Wizard of Oz has a surprise ending.

      The Man Behind the Curtain
      Big Shadow, Little Creature

      Greedy people do shitty things behind closed doors. News at 11.

    7. Re:Computing industry by 110010001000 · · Score: 1

      The investors are MBAs too. Trust me, I have worked in the industry and know all about private investment funds coming in and changing everything.

    8. Re:Computing industry by AxeTheMax · · Score: 1

      I do see what you did there. You blamed foreigners for issues in products designed and mostly made in the US. Not just any foreigners, but those that are the standard targets of American prejudices.

    9. Re:Computing industry by Opportunist · · Score: 1

      So the solution would be to remove those investors?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:Computing industry by Opportunist · · Score: 1

      I was thinking of shooting them, but I like your idea better. Rope's cheaper than bullets and can be reused.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Works as designed by ugen · · Score: 2

    So a protected execution environment is protected from the rest of the system. Works as designed, then. That's the issue with anything (like weapons) - they don't differentiate whether they are used by "good" or "bad" guys (but for practical purposes "bad" guys get a lot more use out of them because they use these tools proactively, whereas "good" guys would only use them reactively).

    1. Re:Works as designed by zlives · · Score: 1

      "(the application, the operating system, and even the hypervisor) is potentially hostile" sounds like it was designed to be used for spyware. I guess it is working as advertised.

  4. It's 2019, let me respond with a meme by Anonymous Coward · · Score: 5, Funny

    Intel: Let's develop an architecture where an application can run with full protection from anything else running on the system.

    Malware authors: *writes malware to run on architecture*

    Intel: surprisedpikachu.png

  5. Opaque Glass House? by Anonymous Coward · · Score: 1

    One rock can shatter it but you don't get the benefit of looking in.

    1. Re:Opaque Glass House? by Opportunist · · Score: 1

      Pretty good analogy, actually.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. I wonder if you could use this by bobstreo · · Score: 3, Funny

    to mine bitcoins on other peoples computers.

    1. Re:I wonder if you could use this by JustAnotherOldGuy · · Score: 1

      to mine bitcoins on other peoples computers.

      Shhhhhhhhh.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  7. Old news, newly discovered by WoodstockJeff · · Score: 4, Interesting

    Doing a search on how to disable SGX, I found an article on how this can be used to write secure botnets... dated 2014. It's taken this long to publicly announce that this is a "bad thing"?

  8. Re:So-called benefits that aren't real by Narcocide · · Score: 1

    Too true, too true.

  9. Too bad the headline isn't reversed by Nkwe · · Score: 1, Insightful

    "Researchers Use Intel SGX To Put Malware Beyond the Reach of Antivirus Software" actually sounds pretty cool from a technical point of view. Terrifying, but also cool. It would have been way cooler if the headline was "Researchers use Intel SGX to Put Operating Systems and their Associated Software Beyond the Reach of Malware" or even better, "Operating System Vendors use Intel SGX to Protect their Users from Malware"

  10. Is this a Windows only vulnerability, or...? by rnmartinez · · Score: 1

    Is this pretty much an every OS issue like Spectre/Meltdown?

    1. Re:Is this a Windows only vulnerability, or...? by Altrag · · Score: 1

      It's in the chip so.. every intel-based system is vulnerable. Just a question of how easy through os makes it to abuse those powers.. and pretty much all os' will make it easy (at least for admin/root/whatever) because that's the entire function -- you can't enable "good" uses without also enabling "bad" uses.
      Of course that only becomes relevant once average consumers care about "good" usages (playing movies or games or whatever drm crap it's actually a designed for.) Prior to that happening, consumer-focused os' can just leave the feature disabled/blocked.

  11. Wonderful by JustAnotherOldGuy · · Score: 1

    "Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware can't be analyzed or identified by antivirus software, using the processor's own features to protect the bad code"

    Well now we're fucked.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  12. Features that make developers smile by Errol+backfiring · · Score: 1

    I clearly recall Internet Explorer being announced with "Features that make developers smile". I think this was IE6 And yes, it made all hackers laugh out loud. It made developers cry off course about the new load of attack vectors. "SGX has been promoted as a solution to a range of security concerns when a developer wants to protect code, data, or both, from prying eyes." It does not take more than two seconds to realize that this "feature" is far more beneficial to malware than to user-approved software. Intel is the new Microsoft. IE6 seems to have become a feature of the processor.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  13. Re:Emulate it (but: WHY run malware AND a scanner? by Opportunist · · Score: 1

    When you're analyzing what malware does, you want to run malware. Preferably in a lab condition where you can watch and analyze what it does. So you can then create a malware scanner that finds and neutralizes the threat.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. Re:"Hey, here's a knife" by Opportunist · · Score: 1

    This thing is closer to a gun than a knife, though. A gun only has one function, it shoots bullets with the intent to hit something. This isn't something you "have to" have to survive. You can pretty much go through your life without ever touching a gun, let alone firing it.

    A knife, on the other hand, is something that you almost have to use. There are certain things in everyday (civilized) life that you can only do sensibly with a knife.

    This is quite similar. You can go through your computer life without ever needing this. Obviously, since it didn't even exist until a couple years ago.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. I feel nostalgic... by vbdasc · · Score: 1

    I feel nostalgic for the times when customer backlash forced Intel to withdraw the "Processor Serial Number" misfeature from their new Pentium III CPUs. And this was back when the x86 architecture was the undisputed king, not on the path to irrelevance like it's now.