Aion Attacks: Manipulating Software Timers in Trusted Execution Environment

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12756)

Abstract

Side-channel attacks are a threat to secure software running in a Trusted Execution Environment (TEE). To protect Intel SGX applications from these attacks, researchers have proposed mechanisms to detect the cache probing and repeated interrupts that these attacks rely on. These defenses often rely on high-resolution timers. However, since there is no trusted high-resolution timer hardware module, developers have resorted to software timers, which unfortunately underestimate the scope of possible attacks. In this paper, we propose Aion attacks that manipulate the speed of a reference software timer to subvert defensive mechanisms against SGX side-channel attacks. Specifically, we introduce a CPU thermal attack that leverages the thermal management mechanism to change the execution speed of the timer thread, and a cache eviction attack that evicts the target timer counters and forces the system to load them from memory instead of cache. We evaluate these Aion attacks, introduce an analytical model, and show that software timers cannot be improved to meet the defenders' needs under our attacks.

Acknowledgement

We would like to thank Professor Yinqian Zhang, Dr. Sanchuan Chen and Oleksii Oleksenko for their help in SGX defensive frameworks. We appreciate Dr. Lianying Zhao, Tony Liao and colleagues from Baidu Research for their valuable advice on this paper.

Corresponding author

Correspondence to Wei Huang.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Huang, W., Xu, S., Cheng, Y., Lie, D. (2021). Aion Attacks: Manipulating Software Timers in Trusted Execution Environment. In: Bilge, L., Cavallaro, L., Pellegrino, G., Neves, N. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2021. Lecture Notes in Computer Science, vol 12756. Springer, Cham. https://doi.org/10.1007/978-3-030-80825-9_9

  • DOI: https://doi.org/10.1007/978-3-030-80825-9_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-80824-2

  • Online ISBN: 978-3-030-80825-9

  • eBook Packages: Computer Science (R0)
