Type of Publication: Article in Collected Edition

The Guard's Dilemma: Efficient Code-Reuse Attacks Against Intel SGX

Author(s):

Biondo, Andrea; Conti, Mauro; Davi, Lucas; Frassetto, Tommaso; Sadeghi, Ahmad-Reza

Title of Anthology:

Proc. of 27th USENIX Security Symposium

Publication Date:

2018

Link to complete version:

https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-biondo.pdf

Citation:

Download BibTeX

Abstract

Intel Software Guard Extensions (SGX) isolate security-critical code inside a protected memory area called enclave. Previous research on SGX has demonstrated that memory corruption vulnerabilities within enclave code can be exploited to extract secret keys and bypass remote attestation. However, these attacks require kernel privileges, and rely on frequently probing enclave code which results in many enclave crashes. Further, they assume a constant, not randomized memory layout. In this paper, we present novel exploitation techniques against SGX that do not require any enclave crashes and work in the presence of existing SGX randomization approaches such as SGX-Shield. A key contribution of our attacks is that they work under weak adversarial assumptions, e.g., not requiring kernel privileges. In fact, they can be applied to any enclave that is developed with the standard Intel SGX SDK on either Linux or Windows.