

# SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control

*Jo Van Bulck*   Frank Piessens   Raoul Strackx

imec-DistriNet, KU Leuven

SysTEX'17, October 28, 2017

# Road Map

1 Introduction

2 SGX-Step Framework

3 Attack Scenarios

4 Conclusions



# What do these attacks have in common?



# Enclaves as a Black Box



# Enclaves as a Black Box



# Enclaves as a Black Box



# The Galloping Enclave Analogy



Source: [https://en.wikipedia.org/wiki/Sallie\\_Gardner\\_at\\_a\\_Gallop](https://en.wikipedia.org/wiki/Sallie_Gardner_at_a_Gallop)

# The Galloping Enclave Analogy



Copyright, 1878, by MUYBRIDGE.

MORSE'S Gallery, 417 Montgomery St., San Francisco.

## THE HORSE IN MOTION.

Illustrated by  
MUYBRIDGE.

**"SALLIE GARDNER," owned by LELAND STANFORD; running at a 1.40 gait over the Palo Alto track, 19th June, 1878.**

The negatives of these photographs were made at intervals of twenty-seven inches of distance, and about the twenty-fifth part of a second of time; they illustrate consecutive positions assumed in each twenty-seven inches of progress during a single stride of the mare. The vertical lines were twenty-seven inches apart; the horizontal lines represent elevations of four inches each. The exposure of each negative was less than the two-thousandth part of a second.

# High Resolution Side-Channels in Practice



Xu et al.: "Controlled-channel attacks: Deterministic side channels for untrusted operating systems", Oakland 2015 [XCP15]

⇒ *Coarse-grained preemption (4 KB page leakage)*

# High Resolution Side-Channels in Practice



Hähnel et al.: "High-resolution side channels for untrusted operating systems", ATC 2017 [HCP17]

⇒ *Fine-grained preemption (64 B cache line leakage)*

# Road Map

1 Introduction

2 SGX-Step Framework

3 Attack Scenarios

4 Conclusions

# Timer-Based Attacks

**Goal:** interrupt each enclave instruction sequentially

# Timer-Based Attacks

**Goal:** interrupt each enclave instruction sequentially

Frequent **enclave** **preemption** challenge:

- (:( x86 HW *debug features* disabled in enclave mode
- (:) ... but full control over **timer devices**/scheduling

# Timer-Based Attacks

**Goal:** interrupt each enclave instruction sequentially

Frequent **enclave** **preemption** challenge:

- (:( x86 HW *debug features* disabled in enclave mode
- (:) ... but full control over **timer devices**/scheduling

Timer **interval prediction** challenge:

- (:( considerable *jitter* when configuring timer in kernel space

We also counted how many CPU instructions can be executed between such frequent timer interrupts by running a loop with an **ADD** instruction. On average, about 48.76 **ADD** instructions were executed between two timer interrupts (standard deviation: 2.75). This implies that, by using this frequent timer, we can

Inferring fine-grained control flow inside SGX enclaves with branch shadowing [LSG<sup>+</sup>17a]

# Timer-Based Attacks

**Goal:** interrupt each enclave instruction sequentially

Frequent **enclave** **preemption** challenge:

- (:( x86 HW *debug features* disabled in enclave mode
- (:) ... but full control over **timer devices**/scheduling

Timer **interval prediction** challenge:

- (:( considerable *jitter* when configuring timer in kernel space
- (:) ... but APIC can be **memory-mapped** in user space (!)

```
jo@sgx-laptop:~$ cat /proc/iomem | grep "Local APIC"
fee00000-fee00fff : Local APIC
jo@sgx-laptop:~$ sudo devmem2 0xFEE00030 h
/dev/mem opened.
Memory mapped at address 0x7f37dc187000.
Value at address 0xFEE00030 (0x7f37dc187030): 0x15
jo@sgx-laptop:~$ 
```

# Interrupting and Resuming Enclaves

## Enclave

```
while true do
    INST
    INST
    INST
    ...
    INST
endwh
```



# Interrupting and Resuming Enclaves



# Interrupting and Resuming Enclaves



# Interrupting and Resuming Enclaves



# Interrupting and Resuming Enclaves



# Interrupting and Resuming Enclaves



# Interrupting and Resuming Enclaves



# Interrupting and Resuming Enclaves



# Road Map

1 Introduction

2 SGX-Step Framework

3 Attack Scenarios

4 Conclusions

# Determining String Length

## strlen loop

**Note:** page fault-driven attacks cannot make progress

---

```
1 size_t strlen (char *str)
2 {
3     char *s;
4
5     for (s = str; *s; ++s);
6     return (s - str);
7 }
```

---

---

```
1     mov    %ordi,%rax
2     1: cmpb   $0x0,(%rax)
3     je     2f
4     inc    %rax
5     jmp    1b
6     2: sub    %ordi,%rax
7     retq
```

---

# Determining String Length

## strlen loop

**Note:** page fault-driven attacks cannot make progress

---

```
1 size_t strlen (char *str)
2 {
3     char *s;
4
5     for (s = str; *s; ++s);
6     return (s - str);
7 }
```

---

```
1      mov  %ordi,%rax
2 1:  cmpb $0x0,(%rax)
3      je   2f
4      inc  %rax
5      jmp  1b
6 2:  sub  %ordi,%rax
7      retq
```

---

⇒ tight loop: 4 instructions, single memory operand

# Determining String Length

## Protection from Side-Channel Attacks

Intel® SGX does not provide explicit protection from side-channel attacks. It is the enclave developer's responsibility to address side-channel attack concerns.

In general, enclave operations that require an OCall, such as thread synchronization, I/O, etc., are exposed to the untrusted domain. If using an OCall would allow an attacker to gain insight into enclave secrets, then there would be a security concern. This scenario would be classified as a side-channel attack, and it would be up to the ISV to design the enclave in a way that prevents the leaking of side-channel information.

An attacker with access to the platform can see what pages are being executed or accessed. This side-channel vulnerability can be mitigated by aligning specific code and data blocks to exist entirely within a single page.

More important, the application enclave should use an appropriate crypto implementation that is side channel attack resistant inside the enclave if side-channel attacks are a concern.

Source: <https://software.intel.com/en-us/node/703016>

# Attacking strlen

Page fault adversary

Progress ⇒ both code + data pages present 😊



# Attacking strlen

Single-stepping adversary

Execute + interrupt  $\Rightarrow$  data page accessed ? 😊



# Attacking `strlen`

Single-stepping adversary

Execute + interrupt  $\Rightarrow$  data page accessed ? 😊



Van Bulck et al. "Telling your secrets without page faults: Stealthy page table-based attacks on enclave execution", USENIX 2017 [VBWK<sup>+</sup>17]

# Defeating Zigzagger Branch Obfuscation

## Conditional control flow

⇒ vulnerable to *interrupt-driven BTB probing* attacks [LSG<sup>+</sup>17a]

### Original code

```
if (a!=0) {
    <code1>
}
else if (b!=0) {
    <code2>
}
else{
    <code3>
}
<code4>
```

# Defeating Zigzagger Branch Obfuscation

Zigzagger compile-time hardening

⇒ obfuscate target with `cmove` + tight `jmp` sequence



# Defeating Zigzagger Branch Obfuscation

## Zigzagger security argument

“our APIC timer trick is not fine-grained enough to distinguish each branches in practice” [LSG<sup>+</sup>17b]



# Defeating Zigzagger Branch Obfuscation

## Zigzagger security argument

... but SGX-Step breaks at every single instruction (!)



# Defeating Zigzagger Branch Obfuscation

## Zigzagger security argument

... but SGX-Step breaks at every single instruction (!)



# Single-Stepping Microbenchmarks

**Table:** Interrupts categorized according to the number of instructions executed in the victim enclave (i.e., zero-step, single-step, or multi-step). When laptop/desktop experimental results differ, we present the laptop measurements first.

| <b>Experiment</b> | <b>0-Step</b> | <b>1-Step</b> | <b>&gt;1</b> | <b>1-Step Ratio</b> |
|-------------------|---------------|---------------|--------------|---------------------|
| nop               | 2,083 / 1,617 | 100,000       | 0            | 97.96 / 98.41%      |
| strlen            | 8,829 / 4,982 | 460,000       | 0            | 98.12 / 98.93%      |
| Zigzagger         | 5,739 / 2,872 | 210,000       | 0            | 97.34 / 98.65%      |

# Single-Stepping Microbenchmarks

Accuracy/temporal resolution

⇒ *never execute +1 instruction per step*

**Table:** Interrupts categorized according to the number of instructions executed in the victim enclave (i.e., zero-step, single-step, or multi-step). When laptop/desktop experimental results differ, we present the laptop measurements first.

| Experiment | 0-Step        | 1-Step  | >1 | 1-Step Ratio   |
|------------|---------------|---------|----|----------------|
| nop        | 2,083 / 1,617 | 100,000 | 0  | 97.96 / 98.41% |
| strlen     | 8,829 / 4,982 | 460,000 | 0  | 98.12 / 98.93% |
| Zigzagger  | 5,739 / 2,872 | 210,000 | 0  | 97.34 / 98.65% |

# Single-Stepping Microbenchmarks

## Practicality

⇒ Low superfluous (zero-step) IRQ rate

**Table:** Interrupts categorized according to the number of instructions executed in the victim enclave (i.e., zero-step, single-step, or multi-step). When laptop/desktop experimental results differ, we present the laptop measurements first.

| Experiment | 0-Step        | 1-Step  | >1 | 1-Step Ratio   |
|------------|---------------|---------|----|----------------|
| nop        | 2,083 / 1,617 | 100,000 | 0  | 97.96 / 98.41% |
| strlen     | 8,829 / 4,982 | 460,000 | 0  | 98.12 / 98.93% |
| Zigzagger  | 5,739 / 2,872 | 210,000 | 0  | 97.34 / 98.65% |

# Road Map

1 Introduction

2 SGX-Step Framework

3 Attack Scenarios

4 Conclusions

# Conclusion

## Take-Away message

Enclaves can be executed *one* instruction at a time

# Conclusion

## Take-Away message

Enclaves can be executed *one* instruction at a time

⇒ **Practical** and **precise** attack framework

# Conclusion

## Take-Away message

Enclaves can be executed *one* instruction at a time

- ⇒ **Practical** and **precise** attack framework
- ⇒ Defeat defenses based on **atomic behavior**:
  - *temporal* dimension: Zigzagger branch obfuscation [LSG<sup>+</sup>17a]
  - *spatial* dimension: page-aligned code/data [Int17]

# Thank you! Questions?



<https://github.com/jovanbulck/sgx-step>

# References



M. Hänel, W. Cui, and M. Peinado.

High-resolution side channels for untrusted operating systems.

In *2017 USENIX Annual Technical Conference, ATC '17*. USENIX Association, 2017.



Intel Corporation.

*Intel software guard extensions developer guide*, June 2017.

[software.intel.com/en-us/documentation/sgx-developer-guide](http://software.intel.com/en-us/documentation/sgx-developer-guide).



S. Lee, M.-W. Shih, P. Gera, T. Kim, H. Kim, and M. Peinado.

Inferring fine-grained control flow inside SGX enclaves with branch shadowing.

In *Proceedings of the 26th USENIX Security Symposium*. USENIX Association, August 2017.



S. Lee, M.-W. Shih, P. Gera, T. Kim, H. Kim, and M. Peinado.

Inferring fine-grained control flow inside SGX enclaves with branch shadowing.

[arXiv:1611.06952v3](https://arxiv.org/abs/1611.06952v3), June 2017.



J. Van Bulck, N. Weichbrodt, R. Kapitza, F. Piessens, and R. Strackx.

Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution.

In *Proceedings of the 26th USENIX Security Symposium*. USENIX Association, August 2017.



Y. Xu, W. Cui, and M. Peinado.

Controlled-channel attacks: Deterministic side channels for untrusted operating systems.

In *IEEE Symposium on Security and Privacy*, pp. 640–656. IEEE, 2015.