Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Use Intel SGX To Put Malware Beyond the Reach of Antivirus Software (arstechnica.com)

Posted by BeauHD on from the out-of-reach dept.

An anonymous reader shares an excerpt from an Ars Technica report: Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware can't be analyzed or identified by antivirus software, using the processor's own features to protect the bad code. As well as making malware in general harder to examine, bad actors could use this protection to, for example, write ransomware applications that never disclose their encryption keys in readable memory, making it substantially harder to recover from attacks. The research, performed at Graz University of Technology by Michael Schwarz, Samuel Weiser, and Daniel Gruss (one of the researchers behind last year's Spectre attack), uses a feature that Intel introduced with its Skylake processors called SGX ("Software Guard eXtensions"). SGX enables programs to carve out enclaves where both the code and the data the code works with are protected to ensure their confidentiality (nothing else on the system can spy on them) and integrity (any tampering with the code or data can be detected). The contents of an enclave are transparently encrypted every time they're written to RAM and decrypted upon being read. The processor governs access to the enclave memory: any attempt to access the enclave's memory from code outside the enclave is blocked; the decryption and encryption only occurs for the code within the enclave.

SGX has been promoted as a solution to a range of security concerns when a developer wants to protect code, data, or both, from prying eyes. For example, an SGX enclave running on a cloud platform could be used to run custom proprietary algorithms, such that even the cloud provider cannot determine what the algorithms are doing. On a client computer, the SGX enclave could be used in a similar way to enforce DRM (digital rights management) restrictions; the decryption process and decryption keys that the DRM used could be held within the enclave, making them unreadable to the rest of the system. There are biometric products on the market that use SGX enclaves for processing the biometric data and securely storing it such that it can't be tampered with. SGX has been designed for this particular threat model: the enclave is trusted and contains something sensitive, but everything else (the application, the operating system, and even the hypervisor) is potentially hostile. While there have been attacks on this threat model (for example, improperly written SGX enclaves can be vulnerable to timing attacks or Meltdown-style attacks), it appears to be robust as long as certain best practices are followed.

8 of 63 comments (clear)

  1. Starforce for the win by zlives · · Score: 4, Insightful

    DRM the gift that keeps on sucking dick.

    sorry about the rough language but this is about all that DRM deserves.

    1. Re:Starforce for the win by zlives · · Score: 3, Funny

      Johnny mnemonic called, and he knows kungfu

    2. Re:Starforce for the win by dryriver · · Score: 3, Funny

      Johnny Mnemonic can't make phonecalls right now, because a Windows 10 forced update related reboot-loop has rendered him incapacitated. He is lying facedown in the street thinking "Strawberries! I smell Strawberries!"

      --
      Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
    3. Re:Starforce for the win by arglebargle_xiv · · Score: 3, Insightful

      This confirming Rule 37 for DRM, if a vendor implements consumer-hostile technology for Hollywood, it'll be used as consumer-hostile technology by everyone else.

  2. It's 2019, let me respond with a meme by Anonymous Coward · · Score: 5, Funny

    Intel: Let's develop an architecture where an application can run with full protection from anything else running on the system.

    Malware authors: *writes malware to run on architecture*

    Intel: surprisedpikachu.png

  3. I wonder if you could use this by bobstreo · · Score: 3, Funny

    to mine bitcoins on other peoples computers.

  4. Old news, newly discovered by WoodstockJeff · · Score: 4, Interesting

    Doing a search on how to disable SGX, I found an article on how this can be used to write secure botnets... dated 2014. It's taken this long to publicly announce that this is a "bad thing"?

  5. Re:Computing industry by dryriver · · Score: 4, Insightful

    That is because the investor capital that powers the computing industry today comes from feckless investors who don't give a crap whether computing goes downhill or uphill. People keep talking about "Intel, AMD, Apple, Nvidia, Microsoft". It is the ANONYMOUS investors who SUPPLY the MONEY that keeps these supposed powerhouses humming that DO NOT CARE what quality of computing gear or software is provided to the end customer. These guys want to put 5 Billion in, and get 15 Billion out 3 years later. Producing IT stuff that "actually works well" is not something they care about, because it is more expensive and cuts into profits. Then there is also the "sociopathic bevavior disorder" that frequently comes with having a lot of cash-slash-power. Its probably lots of fun for these investors to a) sell shit products to the end user and b) make a lot of extra profit BY VIRTUE of selling shit products to the end user. You eat shit while they buy another hotel chain or budget airline. Seriously, it is the completely INVISIBLE and UNACCOUNTABLE investors behind big IT that call the shots, not product engineers at Intel, Apple, or Microsoft. Name 1 computing science graduate you know who would have afflicted the attrocity that was Windows 8/10 on an end user of their own volition. It is the investors BEHIND the companies that are calling the shots in the 21st Century, not people with CS or EE degrees that actually CARE what they give the end user.

    --
    Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.