[TheRecord] New SmashEx attack breaks Intel SGX enclaves

Academics from universities in China, Singapore, and Switzerland have discovered a new attack method that can break the sanctity of Intel SGX enclaves and steal confidential data from inside an Intel CPU’s most secure area.

Named SmashEx, the attack impacts the Intel Software Guard eXtensions, also known as Intel SGX, a feature of almost all modern Intel processors that allows an OS or application to put sensitive data and operations inside a cryptographically secure area of the CPU named an “enclave.”

The SmashEx attack allows hostile software running on the same OS to abuse a feature that allows the CPU to pause SGX operations to enter the enclave and retrieve data. A high-level explanation provided by the research team is available below:

For normal functioning, the SGX design allows the OS to interrupt the enclave execution through configurable hardware exceptions at any point. This feature enables enclave runtimes (e.g., Intel SGX SDK and Microsoft Open Enclave) to support in-enclave exception or signal handling, but it also opens up enclaves to re-entrancy bugs. SmashEx is an attack which exploits enclave SDKs which do not carefully handle re-entrancy in their exceptional handling safely, which is complex on SGX. The SmashEx proof-of-concept exploits enable code reuse (e.g., ROP) and confidential data disclosure attacks in enclaves built with vulnerable enclave runtimes.

Researchers said that tests they carried out were successful in retrieving an RSA encryption key from inside an Intel SGX enclave used by a server to encrypt HTTPS traffic, and they were also able to dump the contents handled by the cURL app from inside a Microsoft Open Enclave, an enclave software toolkit used by Azure servers.

Over the past few years, we’ve seen similar attacks that broke SGX enclaves to retrieve data. Past examples include PlunderVoltSgxSpectreForeshadowBranchScopePlatypusV0LTpwnGame of ThreadsAsyncShockThe Guard’s Dilemma, and Iago.

In addition, a 2019 study of eight popular enclave software development kits, software libraries that are used by app makers to allow their apps to interact and store data inside enclaves, found 35 different vulnerabilities across all tested SDKs, including SGX.

But researchers say that the SmashEx attack is far more dangerous than the ones listed above, as it doesn’t merely just leak data from inside SGX enclaves but can also corrupt it—if needed.

Patches are available

As a result, details about the SmashEx attack were only published yesterday, on a dedicated website, after both Intel and Microsoft released patches to address the issue in their respective SDKs—namely the Intel SGX SDK (CVE-2021-0186) and the Open Enclave SDK (CVE-2021-33767).

To prevent attacks, applications that like to store sensitive information inside SGX enclaves will have to incorporate these updates in their code.

However, the research team says that there are many other SDKs that are affected by the SmashEx attack, whose developers will now have to issue their own set of patches, including SGX SDKs from Google, Apache, and Arm.

RuntimeVendorAffected SGX generationsIntel SGX SDKIntelSGX2Open EnclaveMicrosoftSGX1 and SGX2Google AsyloGoogleSGX2EdgelessRTEdgeless SystemsSGX1 and SGX2Rust SGX SDKApacheSGX2TeaclaveApacheSGX2SGX-LKLImperial College LondonSGX1 and SGX2CoSMIXTechnionSGX2VeracruzARMSGX2

The post New SmashEx attack breaks Intel SGX enclaves appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[HackerNews] New AdLoad Variant Bypasses Apple’s Security Defenses to Target macOS Systems

All posts, HackerNews

A new wave of attacks involving a notorious macOS adware family has evolved to leverage around 150 unique samples in the wild in 2021 alone, some of which have slipped past Apple’s on-device malware scanner and even signed by its own notarization service, highlighting the malicious software ongoing attempts to adapt and evade detection. “AdLoad,” […]

Read More

[HackerNews] Trickbot Malware Gang Upgrades its AnchorDNS Backdoor to AnchorMail

All posts, HackerNews

Even as the TrickBot infrastructure closed shop, the operators of the malware are continuing to refine and retool their arsenal to carry out attacks that culminated in the deployment of Conti ransomware. IBM Security X-Force, which discovered the revamped version of the criminal gang’s AnchorDNS backdoor, dubbed the new, upgraded variant AnchorMail. AnchorMail “uses an email-based [ […]

Read More

[ZDNet] Get unlimited StackSkills courses, a VPN lifetime sub, and a password manager for just $50

All posts, ZDNet

You can change your entire life with permanent unlimited access to thousands of training classes, as well as the tools to keep you safe if you choose courses that will allow you to work from exotic locations. Source: Read More (Latest topics for ZDNet in Security)

Read More