An Off-Chip Attack on Hardware Enclaves via the Memory Bus

This paper shows how an attacker can break the confidentiality of a hardware enclave with Membuster, an off-chip attack based on snooping the memory bus. An attacker with physical access can observe an unencrypted address bus and extract fine-grained memory access patterns of the victim. Membuster is qualitatively different from prior on-chip attacks to enclaves and is more difficult to thwart. We highlight several challenges for Membuster. First, DRAM requests are only visible on the memory bus at last-level cache misses. Second, the attack needs to incur minimal interference or overhead to the victim to prevent the detection of the attack. Lastly, the attacker needs to reverse-engineer the translation between virtual, physical, and DRAM addresses to perform a robust attack. We introduce three techniques, critical page whitelisting, cache squeezing, and oracle-based fuzzy matching algorithm to increase cache misses for memory accesses that are useful for the attack, with no detectable interference to the victim, and to convert memory accesses to sensitive data. We demonstrate Membuster on an Intel SGX CPU to leak confidential data from two applications: Hunspell and Memcached. We show that a single uninterrupted run of the victim can leak most of the sensitive data with high accuracy.

[1]  Michael K. Reiter,et al.  Detecting Privileged Side-Channel Attacks in Shielded Execution with Déjà Vu , 2017, AsiaCCS.

[2]  Donald E. Porter,et al.  Graphene-SGX: A Practical Library OS for Unmodified Applications on SGX , 2017, USENIX Annual Technical Conference.

[3]  Taesoo Kim,et al.  SGX-Bomb: Locking Down the Processor via Rowhammer Attack , 2017, SysTEX@SOSP.

[4]  Srdjan Capkun,et al.  Software Grand Exposure: SGX Cache Attacks Are Practical , 2017, WOOT.

[5]  Daniel Gruss,et al.  ZombieLoad: Cross-Privilege-Boundary Data Sampling , 2019, CCS.

[6]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[7]  Christof Fetzer,et al.  Varys: Protecting SGX Enclaves from Practical Side-Channel Attacks , 2018, USENIX ATC.

[8]  Andrew Huang,et al.  Keeping Secrets in Hardware: The Microsoft Xbox™ Case Study , 2002, CHES.

[9]  Rüdiger Kapitza,et al.  Rollback and Forking Detection for Trusted Execution Environments Using Lightweight Collective Memory , 2017, 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[10]  Brad Fitzpatrick,et al.  Distributed caching with memcached , 2004 .

[11]  Dawn Xiaodong Song,et al.  Keystone: A Framework for Architecting TEEs , 2019, ArXiv.

[12]  J. Thomas Pawlowski,et al.  Hybrid memory cube (HMC) , 2011, 2011 IEEE Hot Chips 23 Symposium (HCS).

[13]  Marcus Peinado,et al.  Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems , 2015, 2015 IEEE Symposium on Security and Privacy.

[14]  Sebastian Nowozin,et al.  Oblivious Multi-Party Machine Learning on Trusted Processors , 2016, USENIX Security Symposium.

[15]  Rüdiger Kapitza,et al.  Telling Your Secrets without Page Faults: Stealthy Page Table-Based Attacks on Enclaved Execution , 2017, USENIX Security Symposium.

[16]  Jonathan Katz,et al.  All Your Queries Are Belong to Us: The Power of File-Injection Attacks on Searchable Encryption , 2016, USENIX Security Symposium.

[17]  Carl A. Gunter,et al.  Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX , 2017, CCS.

[18]  Rishabh Poddar,et al.  Oblix: An Efficient Oblivious Search Index , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[19]  M. Kuhn,et al.  The Advanced Computing Systems Association Design Principles for Tamper-resistant Smartcard Processors Design Principles for Tamper-resistant Smartcard Processors , 2022 .

[20]  Kapil Vaswani,et al.  EnclaveDB: A Secure Database Using SGX , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[21]  Srdjan Capkun,et al.  ROTE: Rollback Protection for Trusted Execution , 2017, USENIX Security Symposium.

[22]  Satish Narayanasamy,et al.  InvisiMem: Smart memory defenses for memory bus side channel , 2017, 2017 ACM/IEEE 44th Annual International Symposium on Computer Architecture (ISCA).

[23]  Stefan Mangard,et al.  Malware Guard Extension: Using SGX to Conceal Cache Attacks , 2017, DIMVA.

[24]  Daniel Gruss,et al.  Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory , 2017, USENIX Security Symposium.

[25]  Yuval Yarom,et al.  FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack , 2014, USENIX Security Symposium.

[26]  Stefan Mangard,et al.  DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks , 2015, USENIX Security Symposium.

[27]  David M. Eyers,et al.  SCONE: Secure Linux Containers with Intel SGX , 2016, OSDI.

[28]  Fan Zhang,et al.  Tesseract: Real-Time Cryptocurrency Exchange using Trusted Hardware , 2017, IACR Cryptol. ePrint Arch..

[29]  Srinivas Devadas,et al.  Intel SGX Explained , 2016, IACR Cryptol. ePrint Arch..

[30]  Ling Ren,et al.  Path ORAM , 2012, J. ACM.

[31]  Thomas F. Wenisch,et al.  Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution , 2018, USENIX Security Symposium.

[32]  Warren He,et al.  Proof of Luck: an Efficient Blockchain Consensus Protocol , 2016, SysTEX@Middleware.

[33]  Gernot Heiser,et al.  Last-Level Cache Side-Channel Attacks are Practical , 2015, 2015 IEEE Symposium on Security and Privacy.

[34]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[35]  Gorka Irazoqui Apecechea,et al.  CacheZoom: How SGX Amplifies The Power of Cache Attacks , 2017, CHES.

[36]  Emin Gün Sirer,et al.  Teechain: a secure payment network with asynchronous blockchain access , 2017, SOSP.

[37]  Beng Chin Ooi,et al.  M2R: Enabling Stronger Privacy in MapReduce Computation , 2015, USENIX Security Symposium.

[38]  Ariel J. Feldman,et al.  Lest we remember: cold-boot attacks on encryption keys , 2008, CACM.

[39]  Marcus Peinado,et al.  T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs , 2017, NDSS.

[40]  Christopher W. Fletcher,et al.  ZeroTrace : Oblivious Memory Primitives from Intel SGX , 2018, NDSS.

[41]  Josep Torrellas,et al.  Attack Directories, Not Caches: Side Channel Attacks in a Non-Inclusive World , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[42]  Yanick Fratantonio,et al.  Drammer: Deterministic Rowhammer Attacks on Mobile Platforms , 2016, CCS.

[43]  Andrew Ferraiuolo,et al.  Komodo: Using verification to disentangle secure-enclave hardware from software , 2017, SOSP.

[44]  Elaine Shi,et al.  PHANTOM: practical oblivious computation in a secure processor , 2013, CCS.

[45]  Klaus Wagner,et al.  Flush+Flush: A Fast and Stealthy Cache Attack , 2015, DIMVA.

[46]  Kartik Nayak,et al.  Oblivious Data Structures , 2014, IACR Cryptol. ePrint Arch..

[47]  Christos Gkantsidis,et al.  VC 3 : Trustworthy Data Analytics in the Cloud , 2014 .

[48]  Dongdai Lin,et al.  Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[49]  Fan Zhang,et al.  Ekiden: A Platform for Confidentiality-Preserving, Trustworthy, and Performant Smart Contracts , 2018, 2019 IEEE European Symposium on Security and Privacy (EuroS&P).

[50]  Yan Solihin,et al.  ObfusMem: A low-overhead access obfuscation for trusted memories , 2017, 2017 ACM/IEEE 44th Annual International Symposium on Computer Architecture (ISCA).

[51]  Mark Horowitz,et al.  Implementing an untrusted operating system on trusted hardware , 2003, SOSP '03.

[52]  Christof Fetzer,et al.  SecureKeeper: Confidential ZooKeeper using Intel SGX , 2016, Middleware.

[53]  Tony Tung,et al.  Scaling Memcache at Facebook , 2013, NSDI.

[54]  Marcus Peinado,et al.  Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing , 2016, USENIX Security Symposium.

[55]  Srinivas Devadas,et al.  Sanctum: Minimal Hardware Extensions for Strong Software Isolation , 2016, USENIX Security Symposium.

[56]  Fan Zhang,et al.  Town Crier: An Authenticated Data Feed for Smart Contracts , 2016, CCS.