Art der Publikation: Beitrag in Sammelwerk

The Guard's Dilemma: Efficient Code-Reuse Attacks Against Intel SGX

Biondo, Andrea; Conti, Mauro; Davi, Lucas; Frassetto, Tommaso; Sadeghi, Ahmad-Reza
Titel des Sammelbands:
Proc. of 27th USENIX Security Symposium
Link zum Volltext:
Download BibTeX


Intel Software Guard Extensions (SGX) isolate security-critical code inside a protected memory area called enclave. Previous research on SGX has demonstrated that memory corruption vulnerabilities within enclave code can be exploited to extract secret keys and bypass remote attestation. However, these attacks require kernel privileges, and rely on frequently probing enclave code which results in many enclave crashes. Further, they assume a constant, not randomized memory layout. In this paper, we present novel exploitation techniques against SGX that do not require any enclave crashes and work in the presence of existing SGX randomization approaches such as SGX-Shield. A key contribution of our attacks is that they work under weak adversarial assumptions, e.g., not requiring kernel privileges. In fact, they can be applied to any enclave that is developed with the standard Intel SGX SDK on either Linux or Windows.