A Survey of Published Attacks on Intel SGX

Intel Software Guard Extensions (SGX) provides a trusted execution environment (TEE) in which code can run and operate on sensitive data. SGX provides runtime hardware protection so that both code and data remain protected even if other software components on the platform are malicious. However, many attacks targeting SGX have recently been identified that can thwart the hardware defence SGX provides. In this paper we present a survey of all attacks specifically targeting Intel SGX that are known to the authors to date. We categorized the attacks into 7 different categories based on their implementation details. We also look into the available defence mechanisms against the identified attacks and categorize the types of mitigation available for each presented attack.
