Skip to main content
Springer Nature Link
Log in

SnakeGX: A Sneaky Attack Against SGX Enclaves

  • Conference paper
  • First Online:
Applied Cryptography and Network Security (ACNS 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12726))

Included in the following conference series:

Abstract

Intel Software Guard eXtension (SGX) is a technology to create enclaves (i.e., trusted memory regions) hardware isolated from a compromised operating system. Recently, researchers showed that unprivileged adversaries can mount code-reuse attacks to steal secrets from enclaves. However, modern operating systems can use memory-forensic techniques to detect their traces. To this end, we propose SnakeGX, an approach that allows stealthier attacks with a minimal footprint; SnakeGX is a framework to implant a persistent backdoor in legitimate enclaves. Our solution encompasses a new architecture specifically designed to overcome the challenges SGX environments pose, while preserving their integrity and functionality. We thoroughly evaluate SnakeGX against StealthDB, which demonstrates the feasibility of our approach.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    We reported the flawed behavior to Intel, which acknowledged it.

  2. 2.

    SnakeGX’s source code is available at https://github.com/tregua87/snakegx.

  3. 3.

    At the time of writing, the last SDK version is 2.9.

  4. 4.

    SnakeGX’s source code is available at https://github.com/tregua87/snakegx.

References

  1. ROPgadget - gadgets finder and auto-roper. https://github.com/JonathanSalwan/ROPgadget (2011). Accessed Mar 2020

  2. Intel® software guard extensions (intel®sgx) - developer guide (2013). https://download.01.org/intel-sgx/linux-2.1.3/docs/Intel_SGX_Developer_Guide.pdf. Accessed June 2020

  3. Intel® software guard extensions programming reference (2013). https://software.intel.com/sites/default/files/managed/48/88/329298-002.pdf. Accessed June 2020

  4. Thoughts on intel’s upcoming software guard extensions (part 1) (2013). http://theinvisiblethings.blogspot.com/2013/08/thoughts-on-intels-upcoming-software.html. Accessed Nov 2018

  5. Thoughts on intel’s upcoming software guard extensions (part 2) (2013). http://theinvisiblethings.blogspot.com/2013/09/thoughts-on-intels-upcoming-software.html. Accessed Nov 2018

  6. Technology preview: private contact discovery for signal (2017). https://signal.org/blog/private-contact-discovery/. Accessed Nov 2018

  7. Intel architecture instruction set extensions programming reference (2018). https://software.intel.com/sites/default/files/managed/b4/3a/319433-024.pdf?_ga=1.118002441.1853754838.1418826886. Accessed Nov 2018

  8. SGX-Tor (2018). https://github.com/kaist-ina/SGX-Tor. Accessed Nov 2018

  9. Awesome SGX open source projects (2019). https://github.com/Maxul/Awesome-SGX-Open-Source. Accessed June 2020

  10. Arnautov, S., et al.: SCONE: secure linux containers with intel SGX. In: 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2016), pp. 689–703. USENIX Association, Savannah (2016). https://www.usenix.org/conference/osdi16/technical-sessions/presentation/arnautov

  11. Baumann, A., Peinado, M., Hunt, G.: Shielding applications from an untrusted cloud with haven. ACM Trans. Comput. Syst. (TOCS) 33(3), 8 (2015)

    Article  Google Scholar 

  12. Biondo, A., Conti, M., Davi, L., Frassetto, T., Sadeghi, A.R.: The guard’s dilemma: efficient code-reuse attacks against intel SGX. In: Proceedings of 27th USENIX Security Symposium (2018)

    Google Scholar 

  13. Bletsch, T.: Code-reuse attacks: new Frontiers and defenses. Ph.D. thesis (2011). aAI3463747

    Google Scholar 

  14. Bulck, J.V., et al.: Foreshadow: extracting the keys to the intel SGX kingdom with transient out-of-order execution. In: 27th USENIX Security Symposium (USENIX Security 2018), pp. 991–1008. USENIX Association, Baltimore, August 2018. https://www.usenix.org/conference/usenixsecurity18/presentation/bulck

  15. Checkoway, S., Shacham, H.: Iago attacks: why the system call API is a bad untrusted RPC interface. SIGARCH Comput. Archit. News 41(1), 253–264 (2013). https://doi.org/10.1145/2490301.2451145. http://doi.acm.org/10.1145/2490301.2451145

  16. Chen, P., Xing, X., Mao, B., Xie, L.: Return-oriented rootkit without returns (on the x86). In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 340–354. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17650-0_24

    Chapter  Google Scholar 

  17. Cloosters, T., Rodler, M., Davi, L.: TeeRex: discovery and exploitation of memory corruption vulnerabilities in SGX enclaves. In: 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, Boston, August 2020. https://www.usenix.org/conference/usenixsecurity20/presentation/cloosters

  18. Costan, V., Devadas, S.: Intel SGX explained. IACR Cryptology ePrint Archive 2016, 86 (2016)

    Google Scholar 

  19. Davenport, S., Ford, R.: SGX: the good, the bad and the downright ugly. Virus Bulletin, p. 14 (2014)

    Google Scholar 

  20. Drake, J.D., Worsley, J.C.: Practical PostgreSQL. O’Reilly Media Inc., Sebastopol (2002)

    Google Scholar 

  21. Google: Asylo (2018). https://github.com/google/asylo. Accessed Mar 2020

  22. Graziano, M., Balzarotti, D., Zidouemba, A.: ROPMEMU: a framework for the analysis of complex code-reuse attacks. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, ASIA CCS 2016, pp. 47–58. ACM, New York (2016). https://doi.org/10.1145/2897845.2897894. http://doi.acm.org/10.1145/2897845.2897894

  23. Hähnel, M., Cui, W., Peinado, M.: High-resolution side channels for untrusted operating systems. In: 2017 USENIX Annual Technical Conference (USENIX ATC 2017), pp. 299–312. USENIX Association, Santa Clara (2017). https://www.usenix.org/conference/atc17/technical-sessions/presentation/hahnel

  24. Hund, R., Holz, T., Freiling, F.C.: Return-oriented rootkits: bypassing kernel code integrity protection mechanisms. In: USENIX Security Symposium, pp. 383–398 (2009)

    Google Scholar 

  25. Kittel, T., Vogl, S., Kirsch, J., Eckert, C.: Counteracting data-only malware with code pointer examination. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 177–197. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26362-5_9

    Chapter  Google Scholar 

  26. Kuvaiskii, D., et al.: SGXBOUNDS: memory safety for shielded execution. In: Proceedings of the Twelfth European Conference on Computer Systems, EuroSys 2017, pp. 205–221. ACM, New York (2017). https://doi.org/10.1145/3064176.3064192. http://doi.acm.org/10.1145/3064176.3064192

  27. Lee, J., et al.: Hacking in darkness: return-oriented programming against secure enclaves. In: USENIX Security, pp. 523–539 (2017)

    Google Scholar 

  28. Microsoft: Open enclave SDK (2019). https://openenclave.io/sdk/. Accessed Mar 2020

  29. Murdock, K., Oswald, D., Garcia, F.D., Van Bulck, J., Gruss, D., Piessens, F.: Plundervolt: software-based fault injection attacks against intel SGX. In: Proceedings of the 41st IEEE Symposium on Security and Privacy (S&P 2020) (2020)

    Google Scholar 

  30. Nguyen, H., Ganapathy, V.: EnGarde: mutually-trusted inspection of SGX enclaves. In: 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS), pp. 2458–2465, June 2017. https://doi.org/10.1109/ICDCS.2017.35

  31. Oleksenko, O., Trach, B., Krahn, R., Silberstein, M., Fetzer, C.: Varys: protecting SGX enclaves from practical side-channel attacks. In: 2018 USENIX Annual Technical Conference (USENIX ATC 2018), pp. 227–240. USENIX Association, Boston (2018). https://www.usenix.org/conference/atc18/presentation/oleksenko

  32. Polychronakis, M., Keromytis, A.D.: ROP payload detection using speculative code execution. In: 2011 6th International Conference on Malicious and Unwanted Software, pp. 58–65. IEEE (2011)

    Google Scholar 

  33. van Prooijen, J.: The design of malware on modern hardware. Technical report (2016)

    Google Scholar 

  34. Rozas, C.: Intel® software guard extensions (Intel® SGX) (2013)

    Google Scholar 

  35. Schuster, F., et al: VC3: trustworthy data analytics in the cloud using SGX. In: 2015 IEEE Symposium on Security and Privacy (SP), pp. 38–54. IEEE (2015)

    Google Scholar 

  36. Schwarz, M., Lipp, M.: When good turns evil: Using intel SGX to stealthily steal bitcoins. Black Hat Asia (2018)

    Google Scholar 

  37. Schwarz, M., Weiser, S., Gruss, D.: Practical enclave malware with intel SGX. CoRR abs/1902.03256 (2019). http://arxiv.org/abs/1902.03256

  38. Schwarz, M., Weiser, S., Gruss, D., Maurice, C., Mangard, S.: Malware guard extension: using SGX to conceal cache attacks. In: Polychronakis, M., Meier, M. (eds.) DIMVA 2017. LNCS, vol. 10327, pp. 3–24. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-60876-1_1

    Chapter  Google Scholar 

  39. Seo, J., et al.: SGX-shield: enabling address space layout randomization for SGX programs. In: NDSS (2017)

    Google Scholar 

  40. Shacham, H.: The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 552–561, CCS 2007. ACM, New York (2007). https://doi.org/10.1145/1315245.1315313. http://doi.acm.org/10.1145/1315245.1315313

  41. Shih, M.W., Lee, S., Kim, T., Peinado, M.: T-SGX: eradicating controlled-channel attacks against enclave programs. In: Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA (2017)

    Google Scholar 

  42. Stancill, B., Snow, K.Z., Otterness, N., Monrose, F., Davi, L., Sadeghi, A.-R.: Check my profile: leveraging static analysis for fast and accurate detection of ROP gadgets. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds.) RAID 2013. LNCS, vol. 8145, pp. 62–81. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-41284-4_4

    Chapter  Google Scholar 

  43. Che Tsai, C., Porter, D.E., Vij, M.: Graphene-SGX: a practical library OS for unmodified applications on SGX. In: 2017 USENIX Annual Technical Conference (USENIX ATC 2017), pp. 645–658. USENIX Association, Santa Clara (2017). https://www.usenix.org/conference/atc17/technical-sessions/presentation/tsai

  44. Van Bulck, J., Oswald, D., Marin, E., Aldoseri, A., Garcia, F.D., Piessens, F.: A tale of two worlds: assessing the vulnerability of enclave shielding runtimes. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1741–1758. ACM (2019)

    Google Scholar 

  45. Vinayagamurthy, D., Gribov, A., Gorbunov, S.: StealthDB: a scalable encrypted database with full SQL query support. In: Proceedings on Privacy Enhancing Technologies 2019(3) (2019)

    Google Scholar 

  46. Vogl, S., Pfoh, J., Kittel, T., Eckert, C.: Persistent data-only malware: function hooks without code. In: NDSS (2014)

    Google Scholar 

  47. Wang, H., et al.: Towards memory safe enclave programming with rust-SGX. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 2333–2350. ACM (2019)

    Google Scholar 

  48. Weiser, S., Mayr, L., Schwarz, M., Gruss, D.: SGXJail: defeating enclave malware via confinement. In: 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019), pp. 353–366. USENIX Association, Chaoyang District, Beijing, September 2019. https://www.usenix.org/conference/raid2019/presentation/weiser

  49. yerzhan7: Sgx\_sqlite. https://github.com/yerzhan7/SGX_SQLite. Accessed Jan 2019

Download references

Acknowledgments

We would thank Lorenzo Cavallaro and Fabio Pierazzi for the fruitful discussions and insights. We would also thank the anonymous reviewers for their valuable comments.

Author information

Authors and Affiliations

  1. Singapore University of Technology and Design, Singapore, Singapore

    Flavio Toffalini & Jianying Zhou

  2. Cisco Systems, Inc., Vimercate, Italy

    Mariano Graziano

  3. University of Padua, Padua, Italy

    Mauro Conti

Authors
  1. Flavio Toffalini
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Mariano Graziano
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Mauro Conti
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Jianying Zhou
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Flavio Toffalini .

Editor information

Editors and Affiliations

  1. Waseda University, Tokyo, Japan

    Kazue Sako

  2. CISPA Helmholtz Center for Information Security, Saarbrücken, Germany

    Nils Ole Tippenhauer

Appendices

A Code-Reuse Technique

To show the feasibility of SnakeGX, we choose for our proof-of-concept the technique described by Biondo et al. [12]. This means that SnakeGX uses ROP. However, as stated in Sect. 3, SnakeGX does not rely on a specific technique, but it does require one to control its behavior. Moreover, we adapted their approach to work on the Intel SGX SDK newer versions.

In the original approach, the authors exploited asm_oret() and continue_execution() functions. More precisely, they crafted a set of fake frame in order to create a loop between these functions. In the x64 architecture, the first four function parameters are passed by registers. Therefore, the authors used asm_oret() for setting continue_execution() registers pointing to a controlled structure. However, as also Biondo underlined, it is more complicated to use asm_oret() for SDK 2.0. This is why in our approach we substituted asm_oret() with a glue gadget. This might be any gadget that sets the input register for the continue_execution() function. Since we developed our proof-of-concept for Linux 64bit, continue_execution() expects the first argument (i.e., a sgx_exception_info_t address) in the rdi register. This is achievable by using a classic pop rdi gadget. Windows, instead, follows a different calling convention and continue_execution() expects an ocall_context address shifted by 8 byes in the rcx register. Therefore we used a pop rcx as a glue gadget. In our evaluation, we found pop rdi and pop rcx gadgets in the Intel SGX SDK version for Linux and Windows, respectively.

Fig. 6.
figure 6

Chain used in the proof-of-concept of SnakeGX.

Full size image

Figure 6 describes our code-reuse technique. The attacker crafts a fake stack that can reside inside or outside the enclave, we used both approaches. The fake stack is composed by frames, one of which contains in order: (i) a glue gadget address, (ii) a fake sgx_exception_info_t address, (iii) the continue_execution() address. Once the first glue gadget is triggered, it will set rdi (or rcx in Windows) register pointing to the fake sgx_exception_info_t structure. Then, the continue_execution() will set registers according to sgx_exception_info_t and it will also pivot to the actual gadget. Since continue_execution() allows us to control all general registers, we can easily invoke another function instead of a simple gadget (e.g., memcpy in Frame 1). Finally, the gadget will return at the beginning of the next frame. At this point, the CPU will trigger a new glue gadget and the attack continues.

Our technique is more flexible compared to the one described by Biondo. By using a glue gadget, we can easily drive continue_execution() without relying on other SDK functions that might change in future versions.

B Conditional Chain

Conditional ROP-chain, the chain is triggered by using sgx_exception_info_t structure that configures the initial registers (see Appendix A). The SP register is perturbed if the value of &lastKey differs from the value of &key in order to pivot a true or a false ROP-chain, respectively.

figure a

C Context-Switch Chain

Details of the sgx_exception_info_t structures used to leak the key and to switch outside the enclave. The structures are used according to the techniques described in Appendix A.

figure b

Details of the outside ROP-chains used to resume payload inside the enclave.

figure c

D Preliminary Analysis of Assumptions

Table 3 contains a list of 27 stand-alone SGX projects extracted from [9]. For each project, we indicate their category, if it used the Intel SGX SDK, the number of trusted threads for each enclave of the project, and a note. We also list details for each enclave, if the project contains many. We counted 24 out of 27 projects developed on top of Intel SGX SDK, two projects use alternative SDKs (i.e., Open Enclave SDK [28] and Graphene [43]), while one contains a simulated enclave. Among the projects based on the Intel SGX SDK, we counted a total of 31 enclaves, and 24 out of 31 are multi-threading (\(77\%\)).

Table 3. SGX open-source projects extracted from [9].
Full size table

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Toffalini, F., Graziano, M., Conti, M., Zhou, J. (2021). SnakeGX: A Sneaky Attack Against SGX Enclaves. In: Sako, K., Tippenhauer, N.O. (eds) Applied Cryptography and Network Security. ACNS 2021. Lecture Notes in Computer Science(), vol 12726. Springer, Cham. https://doi.org/10.1007/978-3-030-78372-3_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-78372-3_13

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-78371-6

  • Online ISBN: 978-3-030-78372-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics