

# Lecture Secure, Trusted and Trustworthy Computing

## SGX Side-Channel Attacks

Prof. Dr.-Ing. Ahmad-Reza Sadeghi  
System Security Lab  
Technische Universität Darmstadt  
Germany  
Winter Term 2017/18

# Intel Software Guard Extensions (SGX)

Assumptions:

- All software components untrusted





# Leakage in Intel's SGX



# Page Fault Attacks on SGX

Granularity: page 4K, good for big data structures

[Xu et al., IEEE S&P'15]



EPC: Enclave Page Cache

PT: Page Tables

PF: Page-Fault

# Cache Attacks on SGX: Hack in The Box



EPC: Enclave Page Cache

# Side-Channel Attacks Basics: Prime + Probe

# Cache-based Side-Channel Attacks

## Prime + Probe



Cache line 2 was used by the victim

# Side-Channel Attacker Challenge: Noise

- “Classical” scenario: unprivileged attacker
- OS\* is not collaborating with the attacker
  - OS can directly access process memory containing the victim’s secret
  - System operates normally, impacting the caches (process scheduling, context switches, interrupts, etc.)



\*OS: Operating System and any other privileged system software

# Cache Attacks on SGX



EPC: Enclave Page Cache

SMT: Simultaneous Multithreading

# Current attacks

- Rely on (frequently) interrupting enclaves
  - Can be detected
- Make strong assumptions
  - Assume synchronization between victim and attacker

# Our Attack

[Brasser et al., WOOT'17]



PCM: Performance Counter Monitor | SMT: Simultaneous Multithreading | APIC: Advanced Programmable Interrupt Controller

# Our Attack Use-Cases

Extracting 2048-bit RSA decryption key



Extracting genome sequences



[arXiv:1702.07521]

# Genome Sequencing

Attacker's goal: Identify k-mer sequences in the input string, allowing the identification of individuals



Genome Analysis Enclave (e.g. PRIMEX)

## Pre-processing

- Split input into sub-sequences (k-mer)
- Store k-mer positions in hash-table

## Analysis

- Statistical analysis, e.g., to identify correlation in the data

# Some Basics on Genomes



# Human Genome

- Nucleobases
  - Adenine (A)
  - Cytosine (C)
  - Guanine (G)
  - Thymine (T)
- Microsatellite
  - Forensic analysis
  - Genetic fingerprinting
  - Kinship analysis

```
TTGACCCACTGAATCACGTCTGACCGCGCTACGCGG  
TCACTTGCGGTGCCGTTTCTTTGTTACCGACGACCG  
ACCAGCGACAGCCACCGCGCGCTCACTGCCACCAAAA  
GAGTCATATCGATCGATCGATCGATCGATCGATCGAT  
CGATCGATCGATCGATCGATCGATCGATCGATCATCA  
CAGCCGACCAGTTCTGGAACGTTCCCGATACTGGAA  
CGGTCCAATGCAGTATCCCACCCCTCTCCATCGAC  
GCCAGTCGAATCACGCCGCCAGCCACCGTCCGCCAGC  
CGGCCAGAACATCCGATGACTCGCGGTCTCGTGTGG  
TGCCGGCCTCGCAGCCATTGTAUTGGCCCTGGCCGCA  
GTGTGGCTGCCGCTCCGATTGCCGGGCGCAGTCCG  
CCGGCAGCGGTGCCGCTCAGTCACCATCGGCAGCGT  
GGACGTCTGCCCTGCGAACCCAAACCGGGCACGCAAG  
GTGTTGATCACCCCGTCGATCAACAACCTCGGATCGG  
CAAGCGGGTCCCGCGCGTCAACGAGGTACGCTGCG  
CGGCGACGGTCTCCCTGCAACGGAAGACAGCCTGGGG
```

# Genome Preprocessing

AGCAGCATCAGGTAC...



**Indexer**



**Hash Table**

- Hash-table access pattern
  - Hash-table entry: 8 bytes
  - Cache-line size: 64 bytes
  - Collisions
- Genome: unstructured
- Microsatellites: structured (repeated k-mers)

```
TTGACCCACTGAATCACGTCTGACCGCGCGTACGGTCACTTGC
GGTGCCTTTCTTGTACGACGACCGACCAGCGACAGCCACC
GCGCGCTCACTGCCACCAAAAGAGTCATATCGATCGATCGATCGA
TCGATCGATCGATCGATCGATCGATCGATCGATCGATCGATCGAT
CATCACAGCCGACCAGTTCTGGAACGTTCCGATACTGGAACGG
TCCTAATGCAGTATCCCACCCCTCCATCGACGCCAGTCGAAT
CACGCCGCCAGCCACCGTCCGCCAGCCGGCCAGAACATCCGATGAC
TCGGCGGTCTCGTGTGGTGCCGGCTCGCAGCCATTGTAUTGGC
CCTGGCCGCAGTGTGGCTGCCGCTCCGATTGCCGGGCGCAGTC
CGCCGGCAGCGGTGCGGTCTCAGTCACCATGGCGACGTGGACGT
CTCGCCTGCGAACCCAACCACGGGCACGCAGGTGTTGATCACCCC
```

# Microsatellites and Processed k-mers



The microsatellite will activate cache lines 2, 4, 5 and 0 repeatedly

# Genome Sequencing Attack Results

- Monitor the cache lines associated with the satellite
- High activity in those cache lines reveals an occurrence of the satellite in the input string
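The leakage model behind the preprocessing and results slides, as an added example that is not code from the lecture or from PRIMEX: a k-mer indexer whose 8-byte hash-table entries map onto 64-byte cache lines, so a repeated k-mer (a microsatellite) keeps hitting the same few lines, next to an indexer that sweeps the whole table on every insert in the spirit of the oblivious-execution defense from the later slides. The 2-bits-per-base hash, the 256-entry table and the `GATC` repeat are constructed assumptions.

```python
from collections import Counter
from typing import Dict, List

ENTRY_BYTES = 8            # hash-table entry size stated on the slide
LINE_BYTES = 64            # cache-line size stated on the slide
ENTRIES = 256              # constructed table size: 256 entries * 8 B = 32 cache lines
LINES = ENTRIES * ENTRY_BYTES // LINE_BYTES

BASE_CODE = {"A": 0, "C": 1, "G": 2, "T": 3}

def kmer_entry(kmer: str) -> int:
    """Constructed 2-bits-per-base hash (an assumption, not the PRIMEX hash).
    For k = 4 it maps the 256 possible k-mers onto the 256 entries without collisions."""
    h = 0
    for base in kmer:
        h = (h << 2) | BASE_CODE[base]
    return h % ENTRIES

def cache_line_of(entry: int) -> int:
    """Cache line holding a table entry: eight 8-byte entries share one 64-byte line."""
    return entry * ENTRY_BYTES // LINE_BYTES

def naive_trace(genome: str, k: int) -> List[int]:
    """Cache lines touched by a data-dependent indexer: one entry per k-mer occurrence."""
    return [cache_line_of(kmer_entry(genome[i:i + k]))
            for i in range(len(genome) - k + 1)]

def oblivious_trace(genome: str, k: int) -> List[int]:
    """Hardened indexer: every insert sweeps all lines of the table, so the trace
    no longer depends on the k-mer (at the cost of LINES accesses per insert)."""
    trace: List[int] = []
    for _ in range(len(genome) - k + 1):
        trace.extend(range(LINES))
    return trace

def line_activity(trace: List[int]) -> Dict[int, int]:
    """Accesses per cache line; a Prime+Probe observer sees roughly this histogram."""
    return dict(Counter(trace))

if __name__ == "__main__":
    satellite = "GATC" * 10                       # constructed microsatellite region
    print(line_activity(naive_trace(satellite, 4)))           # 4 hot lines, 9-10 hits each
    print(line_activity(oblivious_trace(satellite, 4)))       # all 32 lines, 37 hits each
```

With the naive indexer only lines 17, 6, 27 and 12 light up for the repeat, which is exactly the structure the results slide exploits; the sweeping indexer flattens the histogram but multiplies the memory traffic, which is why the defenses slide calls oblivious execution too inefficient.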



# SGX Specific Side-Channel Defenses

- Page-fault side-channel defenses
  - T-SGX: Uses the TSX feature to detect enclave interrupts [Shih et al., NDSS'17]
  - Déjà Vu: Uses TSX to detect enclave slowdown [Chen et al., AsiaCCS'17]
    - Both detect interrupts as an indicator of an attack
    - Both rely on Intel TSX, which is not available on all SGX-enabled processors
- Cache side-channel defense
  - Cloak: Prime the cache before accessing sensitive data [Schuster et al., USENIX Sec'17]
    - Requires annotation of sensitive data
    - Relies on Intel TSX, which is not available on all SGX-enabled processors



# Hardware-based Side-Channel Defenses

- Time-interleaved cache sharing, flush on each context switch
  - Ineffective on SMT-enabled systems, where caches are shared concurrently
  - E.g., [Costan et al., USENIX Sec'16]
- Cache partitioning / coloring
  - Reduces the amount of cache available to individual software
  - E.g., [Domnister et al., TACO'12]
- Randomized cache mappings
  - Frequency analysis or predictable access patterns can reveal randomization secret
  - E.g., [Wang et al., ISCA'07]



# General Software-only Side-Channel Defenses

- Side-channel resilient software design
  - Not applicable to all applications
  - Manual hardening of software required
- Monitoring for attack effects
  - Requires privileged entity (not available in SGX model)
- Oblivious execution / ORAM
  - Too inefficient; the ORAM metadata needs to be protected as well



# Summary: SGX – All Problems Solved?

- Side channels more drastic than originally thought
- Current add-on defenses not practical or effective
- Academic research provides many solutions that are not deployed
- Generic software-only side-channel defenses required
  - Must not demand security expertise from enclave developers (no annotations)
  - Hardware extensions/features are not available in *all* SGX-enabled CPUs



**Thank You!  
Questions?**

