

# On Performing Accurate Time Measurements of SGX Enclave Instructions

Miro Haller

Advisors: Prof. Dr. S. Capkun, I. Puddu, M. Schneider

# Motivation



Tesseract



IBM Cloud



**ETH** zürich

# Attacks on SGX Enclaves

- Cache side channel (Software Grand Exposure)
- Interrupt side channel (Nemesis)
- Foreshadow

# Attacks on SGX Enclaves

- Cache side channel (Software Grand Exposure)
- **Interrupt side channel** (Nemesis)
- Foreshadow

# Background – SGX Enclaves

- Threat model
- SGX enclave life cycle



# Background – SGX-Step



# Background – SGX-Step



# Background – SGX-Step



# Measurements

- Reduce interference
  - Hyper-Threading, dyn. frequency scaling, isolated core
- Terminology



## Legend:

|  |                      |
|--|----------------------|
|  | initial instructions |
|  | prepare instructions |
|  | test instruction     |

# Measurements – Example



# Challenges

1. Instruction tracking
2. Page borders
3. Cache conflicts
4. Incomparable enclaves
5. Constant time code
6. Verifying tests
7. Build advanced test cases
8. Two sources of noise
9. Synthetic state on AEX

# Challenges

1. Instruction tracking
2. Page borders
3. Cache conflicts
- 4. Incomparable enclaves**
5. Constant time code
6. Verifying tests
7. Build advanced test cases
8. Two sources of noise
9. Synthetic state on AEX

# Challenges – Incomparable Enclaves



Source: Jo Van Bulck, Frank Piessens, and Raoul Strackx. Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic. In ACM Conference on Computer and Communications Security, 2018.

$$\frac{rdx \parallel rax}{const}$$
$$\frac{rdx \parallel rax}{const}$$

⋮

# Challenges – Incomparable Enclaves



$$\frac{rdx \parallel rax}{const}$$
$$\frac{rdx \parallel rax}{const}$$

⋮

# Challenges – Incomparable Enclaves



$$\frac{rdx \parallel rax}{const}$$

---

$$\frac{rdx \parallel rax}{const}$$

⋮

# Challenges – Incomparable Enclaves



# Challenges – Incomparable Enclaves



$$\frac{rdx \parallel rax}{const}$$

---

$$\frac{rdx \parallel rax}{const}$$

⋮

# Applications – Double Peaks



# Applications – Double Peaks



movq reg, mem

movq reg, mem



nop

movq reg, mem

nop

movq reg, mem



# Applications – Double Peaks



movq reg, mem  
movq reg, mem

⋮

nop  
movq reg, mem  
nop  
movq reg, mem

⋮

test %rax, %rax  
movq reg, mem  
test %rax, %rax  
movq reg, mem

⋮

# Applications – Double Peaks



# Applications – Double Peaks

- Examples
- Possible explanation
  - Bypass the cache
  - Instruction termination
  - Microarchitectural state
- Supporting plots

# Applications – Double Peaks



# Applications – Double Peaks



# Applications – Side Channel Attack



# Applications – Side Channel Attack



# Conclusion

- Measuring is not trivial
- Increased precision
- Tool for further research
  - Double peaks
  - Difference between enclaves
  - Multi-steps
- Questions?

# Sources

- Microsoft Azure logo: [https://commons.wikimedia.org/wiki/File:Microsoft\\_Azure\\_Logo.svg](https://commons.wikimedia.org/wiki/File:Microsoft_Azure_Logo.svg)
- 1Password logo: <https://1password.com/de/press/>
- IBM Cloud logo: <https://www.cncf.io/logoshowcase/ibm/attachment/ibm-cloud/>

# Backup slides

# CPUID and RDTSCP

## **Code Snippet 1** Code benchmarking with *cpuid* and *rdtscp*

```
1: cpuid  
2: rdtsc  
3: Store timestamp  
4: <Measured code>  
5: rdtscp  
6: Store timestamp  
7: cpuid
```

# Method Comparison I

SGX-Step Method



Counter Method & Outside Enclave



## Legend:

|  |                                      |
|--|--------------------------------------|
|  | start/stop timer                     |
|  | test case 1:<br>initial instructions |
|  | prepare instructions                 |
|  | test instruction                     |

test case 2:

# Method Comparison II

**Table 31:** Overview over all measurement methods

|                                          | Outside Enclave                                           | Interrupt Method                                                        | Counter Method                                  |
|------------------------------------------|-----------------------------------------------------------|-------------------------------------------------------------------------|-------------------------------------------------|
| Serialising Instruction                  | <i>cpuid</i>                                              | <i>cpuid</i>                                                            | <i>sfence, lfence</i>                           |
| Additionally captured in the Measurement | <i>movs</i> to restore registers after first <i>cpuid</i> | ERESUME, AEX and some <i>movs</i> to save registers before <i>cpuid</i> | overlapping non-memory operations               |
| Timestamp                                | processor                                                 | processor                                                               | shared variable incremented by a counter thread |
| Special                                  | instruction timings outside enclaves                      | can be used even if we cannot control the enclave's code                | measurements directly inside enclaves           |

# Counter Method



# Counter Method Limitation



# Challenges – Brief Summary

- Incomparable enclaves
- Measuring across page borders
  - Support multiple pages of code
  - Deal with outliers at page borders
- Cache conflicts
  - Minimize cache pollution between AEX and ERESUME

# Challenges – Brief Summary

- Constant time code
  - Code between two measurements should be the same independent of the measured instruction
- Precise tracking of instructions
  - Time shifts between enclaves can desynchronise
  - Some assembly instructions perform two operations and can be interrupted in between
- Verifying tests
  - Prepare instructions influence test instructions
  - Make sure that they do not trigger exceptional behaviour

# Challenges – Brief Summary

- Build advanced test cases
  - Setting flags
  - Write to memory
- Two sources of noise
  - ERESUME/AEX
  - Instruction measurement
- Synthetic state on AEX
  - State that AEX creates on exit must be manually preserved

# C1: Incomparable Enclaves



# C2: Measuring Across Page Borders



# C3: Cache Conflicts



# C4: Constant Time Code



# C4: Constant Time Code



# C6 & C7: Precise Instruction Tracking



# C6 & C7: Precise Instruction Tracking



# C8: Verifying Tests



# C9: Setting Flags



# C10: Two Noise Sources



# C10: Two Noise Sources



# C10: Two Noise Sources



# C10: Two Noise Sources



# Applications – Double Peaks



# Applications – Double Peaks



# Applications – Double Peaks



# Applications – Double Peaks



# Applications – Double Peaks



# Double Peaks – Operand Dependent



# Applications – Operand Dependent



# Hidden Double Peaks



# Double Peaks Prepare NOPs



# No Double Peaks – Outside



# No Double Peaks – Counter Method



# Poor Man's CMOV – Short Code

```
1 .text
2 .global asm_poor_mans_cmov, asm_poor_mans_cmov_end
3 .align 0x1000 /* 4KiB */
4 .type asm_poor_mans_cmov, @function
5
6 .space 0x7
7 asm_poor_mans_cmov:
8     movb $1, (%rdi) // Start counting instructions
9     test %rax, %rax
10    movq %rcx, -8(%rsp)
11    test %rax, %rax
12    movq %rcx, -8(%rsp)
13    test %rax, %rax
14
15    test %rsi, %rsi
16    jnz .elseBranch
```

```
17    movq %rdx, -8(%rsp) // <-- measured
18    test %rax, %rax
19    movq %rdx, -8(%rsp)
20    test %rax, %rax
21    movq %rdx, -8(%rsp)
22    movb $0, (%rdi) // Stop counting instructions
23    ret
24 .elseBranch:
25    movq %rcx, -8(%rsp) // <-- measured
26    test %rax, %rax
27    movq %rcx, -8(%rsp)
28    test %rax, %rax
29    movq %rcx, -8(%rsp)
30    movb $0, (%rdi) // Stop counting instructions
31 asm_poor_mans_cmov_end:
32    ret
```

# Poor Man's CMOV – Precise results

- Results

|                 | Type<br>(Alignment) | Correctly<br>Captured | Mean | Standard<br>Deviation |
|-----------------|---------------------|-----------------------|------|-----------------------|
| <b>Our tool</b> | Long (0x07)         | 100%                  | 97.5 | 7.1                   |
|                 | Short (0x27)        | 100%                  | 54.6 | 8.1                   |
| <b>Nemesis</b>  | Long (0x07)         | 95.6%                 | 55.6 | 13.3                  |
|                 | Short (0x27)        | 27.7%                 | 59.5 | 3.7                   |

# Poor Man's CMOV – Long Version



# Poor Man's CMOV – 1 Cache Line

