Mitigating Branch-Shadowing Attacks on Intel SGX using Control Flow
  Randomization by Hosseinzadeh, Shohreh et al.
ar
X
iv
:1
80
8.
06
47
8v
1 
 [c
s.C
R]
  2
0 A
ug
 20
18
Mitigating Branch-Shadowing Attacks on Intel SGX
using Control Flow Randomization
Shohreh Hosseinzadeh∗
University of Turku, Finland
shohos@utu.fi
Hans Liljestrand∗
Aalto University, Finland
hans.liljestrand@aalto.fi
Ville Leppänen
University of Turku, Finland
ville.leppanen@utu.fi
Andrew Paverd
Aalto University, Finland
andrew.paverd@ieee.org
Abstract
Intel Software Guard Extensions (SGX) is a promising hardware-
based technology for protecting sensitive computations from po-
tentially compromised system software. However, recent research
has shown that SGX is vulnerable to branch-shadowing – a side
channel attack that leaks the fine-grained (branch granularity) con-
trol flow of an enclave (SGX protected code), potentially revealing
sensitive data to the attacker. The previously-proposed defense
mechanism, called Zigzagger, attempted to hide the control flow,
but has been shown to be ineffective if the attacker can single-step
through the enclave using the recent SGX-Step framework.
Taking into account these stronger attacker capabilities, we pro-
pose a new defense against branch-shadowing, based on control
flow randomization. Our scheme is inspired by Zigzagger, but pro-
vides quantifiable security guarantees with respect to a tunable se-
curity parameter. Specifically, we eliminate conditional branches
and hide the targets of unconditional branches using a combina-
tion of compile-time modifications and run-time code randomiza-
tion.
We evaluated the performance of our approach by measuring
the run-time overhead of ten benchmark programs of SGX-Nbench
in SGX environment.
CCS Concepts • Security and privacy → Side-channel anal-
ysis and countermeasures;
Keywords Intel SGX; side-channel attack; branch-shadowing at-
tack; control flow randomization
1 Introduction
Intel Software Guard Extension (SGX) [12] is a recent hardware-
based TrustedExecutionEnvironment (TEE) providing secure com-
putation and guaranteeing the integrity and confidentiality of data
within an enclave. The enclave is protected from all other software
on the platform, including potentially malicious system software
(e.g., operating system, hypervisor, and BIOS). Additionally, SGX
enables hardware-based measurement, attestation, and integrity
verification of application code.
Although Intel has stated that side-channel attacks are beyond
the scope of SGX [11], recent research has demonstrated that SGX
is susceptible to several side-channel attacks, which could leak se-
cret information. They have also proposed defenses for making
SGX enclave resistant to side channels. In particular, Lee et al. [17]
demonstrated a branch-shadowing side channel attack that allows
∗S. Hosseinzadeh and H. Liljestrand contributed equally to this work, which
was done while S. Hosseinzadeh was visiting the Secure Systems Group at Aalto
University.
untrusted software to learn the precise control flow of code run-
ning inside an enclave. If this control flow depends on any secret
information, this side channel would leak the secret information.
Fundamentally, the attack works by abusing the CPU’s Branch Pre-
diction Unit (BPU). The BPU is used to improve performance by al-
lowing pipelining of instructions before exact branching decisions
are known, i.e., whether branches are taken or not and the target
of indirect branches. The BPU bases its decisions on recent branch
history, which is stored in the CPU’s internal Branch Target Buffer
(BTB). Two critical factors allow this attack to proceed: 1) BTB en-
tries created by branches inside the enclave are not cleared when
the enclave exits; and 2) BTB entries only contain the lower 31 bits
of the branch instruction’s address, allowing the attacker to create
shadow branch instructions outside the enclave that map to the
same BTB entries as the enclave’s branches. The attacker executes
the victim enclave, interrupts it immediately after the branch in-
struction, executes his shadow branch code and checks whether
the branches were correctly predicted, thus revealing whether the
BTB entry had been created by the enclave.
Lee et al. [17] also proposed a software-based defense against
the branch-shadowing attack, calledZigzagger. Using compile-time
instrumentation, Zigzagger converts all conditional and uncondi-
tional branches into unconditional branches targeting Zigzagger’s
trampolines, i.e., minimal code sections that hold intermediate jumps
— bounces — to the target locations. The Zigzagger trampolines
initiate a series of jumps back-and-forth to different branches. The
idea is that the attacker cannot interrupt the enclave with suffi-
cient precision to shadow the target branch in this rapid series of
jumps. However, the recent SGX-Step framework [21] invalidates
this assumption by showing how an enclave can be interrupted
with single instruction granularity, thus breaking the Zigzagger
defense.
The recent Spectre [16] attacks, and their subsequent SGX-specific
SGXPectre variant [6] are similar to branch-shadowing in that they
exploit the BPU. However, we have confirmed experimentally that
neither recent firmware patches [15], nor the Retpoline compiler-
basedmitigation [14] affect the ability to performbranch-shadowing
attacks.
To overcome this challenge, we present a new defense against
branch-shadowing, even if the attacker can single-step through the
enclave. Similar to Zigzagger, we use compile-time modifications
to convert all branch instructions into unconditional branches tar-
geting our in-enclave trampoline code. At run-time, we then ran-
domize the layout of our trampoline, forcing the attacker to shadow
all possible locations. The finite size of the BTB limits the number
of guesses the attacker can perform, and thus we can quantify and
1
limit the success probability of a branch-showing attack using the
size of the trampoline as a tunable security parameter.
Our contributions are therefore:
• Experimental analysis demonstrating that the recent Spectremit-
igation techniques do not affect the branch-shadowing attack
(Section 3).
• A new approach for defending against branch-shadowing at-
tacks, even in the presence of single-step enclave execution, us-
ing control flow randomization (Section 5).
• An initial LLVM implementation of our solution (Section 6) and
a quantitative evaluation of its performance and security guar-
antees (Section 7).
2 Background
2.1 Branch Prediction
Intel CPUs use instruction pipelining to load and execute instruc-
tions in batches. This allows optimization such as parallelizing and
reordering of instructions. The CPU also performs speculative exe-
cution, i.e., it uses the BPU to predict which branches will be taken,
and executes them before knowing if they are taken [13]. In mod-
ern microprocessors, the BPU typically consists of two main sub-
systems, a BTB and a directional predictor.
The BTB is used to predict the targets of indirect branches [10].
Whenever a branch is taken, a new record is created in the BTB
associating the branch instruction’s addresses with the target ad-
dress. Upon encountering subsequent branch instructions, the BPU
checks the BTB for the branch instruction address and, if an entry
exists, it predicts that the current branch instruction will behave
in the same way. The exact details of the BTB lookup algorithms,
hashing and size are not public, but the BTB size on Intel Skylake
CPUs has been experimentally determined to be 4096 entries [17].
The directional predictor is used to predict whether or not a condi-
tional branch will be taken. It stores the pattern of the previously
taken branches in a Pattern History Table (PHT), based on which
it predicts whether or not the current branch will be taken [7].
Multiple processes executing on the same core share the same
BPU. On one hand, this is favorable from a complexity and utiliza-
tion point of view, but on the other hand, it allows an attacker to
misuse the BPU across cores and infer the target and direction of
branch instructions [7, 17].
2.2 Intel SGX
Intel SGX is an instruction set extension that provides new instruc-
tions to instantiate Trusted Execution Environments (TEEs), called
enclaves, consisting of code and data. An enclave’s data can only
be accessed by code running within the enclave, thus protecting it
from all other software on the platform, including privileged sys-
tem software such as the OS or hypervisor. Enclave data is auto-
matically encrypted before it leaves the CPU boundary. However,
the OS remains in control of process scheduling and memory map-
ping, and can therefore control themapping of (encrypted) enclave
memory pages and interrupt enclave execution.
2.3 Branch-shadowing Attacks on SGX
Lee et al. [17] presented a branch-shadowing attack against Intel
SGX. It is a type of side-channel attack that leaks the fine-grained
control flow (i.e., at branch level) of code running inside an enclave.
The attack can be used to infer branching decisions, i.e., whether a
(conditional/unconditional/indirect) branch has been taken or not.
If this control flow depends on confidential information held by
the enclave, the attacker would be able to infer this information
from the leaked control flow. Because SGX does not clear the BPU
on enclave exit an attacker outside the enclave could probe the
BPU to infer control flow decisions taken within. The attacker first
statically analyzes the unencrypted enclave code and enumerates
all branches (i.e., conditional, unconditional, and indirect) together
with their target addresses. She then creates shadow code where
the branch-instructions and target addresses are aligned such that
they will use the same BPU history entries. The attacker then al-
lows the enclave to execute briefly before interrupting it. Finally,
she enables the performance counter, in particular the Last Branch
Record (LBR), and executes the shadow code, prompting the CPU
to predict shadow-branch behavior based on prior enclave execu-
tion. The LBR contains information on branch prediction but can-
not record in-enclave branches. However, the in-enclave branches
can be inferred from the LBR entries for the branches executed af-
ter exiting the enclave. Unlike cache-based channels, this does not
require timing because the LBR directly reports prediction status.
2.4 Zigzagger and SGX-Step
Lee et al. [17] also presented Zigzagger, a software-based coun-
termeasure to thwart the attack. Zigzagger removes the branches
from the enclave functions by obfuscating and replacing a set of
branch instructions with a series of indirect jumps. Instead of each
conditional branching instruction, an indirect jump and a condi-
tional move (CMOV) is used. Zigzagger assumes that an attacker
cannot precisely time the enclave interrupts, i.e., a single probewill
cover over 50 instructions. It introduces a trampoline to exercise
all unconditional jumps before finally jumping to the final destina-
tion. The attacker will typically always detect the same set of taken
jumps (i.e., all the unconditional jumps) and cannot distinguish the
final jump from the decoy-jumps.
However, Van Bulck et al. [21] presented SGX-Step, a framework
consisting of a Linux kernel driver and runtime library that ma-
nipulates the processor’s Advanced Programmable Interrupt Con-
troller (APIC) timer in order to interrupt an enclave after a single
instruction i.e., to single-step the enclave’s execution. They show
that this makes the Zigzagger defense ineffective because the at-
tacker can distinguish meaningful jumps from decoys.
3 Spectre Mitigation Techniques
The recent Spectre [16] and SGXPectre [6] attacks are similar to
branch-shadowing in that they abuse the BPU to exploit specula-
tive execution. But whereas branch-shadowing aims to infer prior
branching behavior, these attacks instead manipulate upcoming
branch prediction, e.g., cause speculative execution to touch other-
wise inaccessible memory. Although not designed to do so, we sus-
pected the new Spectre mitigation techniques could also affect the
branch-shadowing attacks. However, our testing indicates that nei-
ther the recent firmware patches from Intel [15], nor the compiler-
based Retpoline [14] affect the ability to performbranch-shadowing
attacks against SGX.
In particular,we confirmed that Indirect Branch Restricted Spec-
ulation (IBRS) — designed to prevent unprivileged code from affect-
ing speculation in privileged execution, e.g., within the enclave —
2
has no effect on branch-shadowing. In our tests we saw no dif-
ference between an updated i7-7500U CPU and non-updated ma-
chines. We speculate that this is because IBRS is specifically de-
signed low-privilege code from affecting high-privilege code, not
the branch-shadowing scenario. The Retpoline defense replaces
branch instructions with return instructions but our tests indicate
that return statements affect the BTB, not only the dedicated Re-
turn Stack Buffer (RSB). SGXPectre further demonstrated that Spec-
tre attacks can be performed against Retpoline.
4 Attacker Model and Requirements
We assume that the attacker has fine-grained control of enclave
execution, i.e., can interrupt the enclave with instruction-level ac-
curacy. The attacker can thus perform a branch-shadowing attack
against every branch instruction. Specifically, the attacker can de-
terminewhether or not a branch instruction has been executed and
taken (i.e., whether a conditional jump fell through or not). If the
branching decisions depend on sensitive enclave data, the attacker
can infer this data through the branch-shadowing attack.
This is a significantly stronger attacker capability than that as-
sumed by previous work [17] because Van Bulck et al. [21] showed
that single-step execution of SGX enclaves is both feasible to imple-
ment and sufficient to break existing defenses like Zigzagger [17].
We focus on branch-shadowing attacks and do not consider other
side-channels, such as cache or page-fault attacks.
Given these attacker capabilities, we require a defence mecha-
nism that prevents fine-grained branch-shadowing from revealing
secret-dependent control flow. Specifically, we require that branch
instructions in the instrumented code are:
R.1 Any branch that can be directly observed through branch-
shadowing reveals no secret-dependent control flow informa-
tion.
R.2 For any secret-dependent branches, the attacker’s probability
of success is bounded based on a security parameter k.
5 Proposed Approach
Ourmitigation scheme uses compile-time obfuscation and run-time
randomization to hide the control flow of an enclave application.
While our proposed method is inspired by and uses a similar ap-
proach to Zigzagger, we assume a stronger attacker model. Specif-
ically, our approach can defend against branch-shadowing even in
the presence of an attacker with single-step capabilities.
Figure 1 illustrates the high-level view of our approach. The
system consists of two main components: an obfuscating compiler
and a run-time randomization library. The compiler generates the
obfuscated code and trampolines, and the randomization library
randomizes the trampolines at each enclave entry. This random-
ization only affects the trampolines allowing most code to remain
securely in execute-only memory.
The obfuscating compiler modifies the code by converting all
branching instructions to indirect branches. The indirect branch
targets are then explicitly set by the instrumentation depending on
the converted branch type. We use conditional moves as replace-
ments for conditional branches, allowing us to replicate the func-
tionality of any conditional branchwithout involving the BPU. The
observable control flow transitions, i.e., non trampoline branches,
are further organized so that they are always unconditionally exe-
cuted in the same order.
Figure 1. System design
Listing 1. Example code before instrumentation
i f ( a ! = 0 ) {
/ ∗ Block1 ∗ /
} e l se {
/ ∗ Block2 ∗ /
}
/ ∗ Block3 ∗ /
The key insight of our approach is that, unlike Zigzagger, the
trampolines are randomized inside the enclave at run-time. This
prevents the attacker from reliably tracking their execution. Taken
together, these two properties fulfill requirements R.1 and R.2, as
we show in our security evaluation in Section 7.
Block 0
Block 1 Block 2
Block 3
a = 0a! = 
0
Figure 2. Original control flow graph
Listing 1 and Figure 2 show a single if-statement and corre-
sponding Control FlowGraph. The corresponding obfuscated CFG
is show in Figure 3. Figure 4 shows the same obfuscated code with
the branch instruction converted. The static code is produced at
compile time and its layout is assumed to be known to the attacker.
The trampoline is similarly produced at compile time but is then
randomized at run-time within the enclave. We assume that the
attacker can observe and shadow the static code whereas the tram-
poline is unknown.
Specifically, our approach works as follows:
1) All branching instructions are converted to indirect uncondi-
tional branches. A register (r15) is reserved and populated with
the original branch targets. The target addresses are taken from
a jump-table that is updated during randomization. Conditional
3
Block 0
B0J
tb1 tb1S
B1J
tb2S
Block 1
tb2
B2J
Block 2
Block 3
a != 0
a = 0a != 0
a = 0
Figure 3. Modified control flow graph
branches are converted to conditional moves (cmov) (e.g., Block0
in Figure 4).
2) Each block is followed by a jump-block that jumps to a trampo-
line indicated by r15. Execution flows that do not include a spe-
cific block still go through any intermediate jump-blocks to en-
sure that all indirect jumps outside the trampolines are executed.
For instance, when taking the if-clause (Block1), the else-block
(Block2) must not be executed but the corresponding jump-block
(B2J) must be (e.g., the blue line in Figure 4). This ensures that an
attacker always sees the same sequence of jumps jumps (i.e., B0J,
B1J, and B2J), regardless of actual executed code.
3) The corresponding trampolines are created, corresponding to
either the branching target or the fall-through block (i.e., the next
block that will be executedwhen a conditional branch is not taken).
In Figure 3, after execution of the if-block (Block1) the control flow
is transferred to tb2S that will jump to the following jump-block
B2J without executing the corresponding Block2 itself.
4) When skipping a block — e.g., the else block after taking the
if block — we must nonetheless execute the corresponding jump-
block to prevent its omission from leaking information. The jump-
block target is prepared in the prior trampoline block by setting
r15. For instance, after executing the if-block the corresponding
trampoline (tb2S) not only jumps to the correct jump-block, but
also sets the next target, tb3, into r15. To prevent timing attacks
that measure the number of instructions between jump-blocks the
skipping trampolines are populatedwith dummy-instructions, which
ensure that the timing between each jump-block is constant re-
gardless of control flow. Nested blocks, although not shown in our
example code, are treated similarly to ensure that they execute all
intermediary jumps.
5)Although the trampolines are prepared during compilation, they
are randomized at run-time inside the enclave. The randomization
control flow is that it does not reveal the randomization pattern.
Randomizing the trampolines forces the attacker to shadow all pos-
sible locations in the enclave and thus, prevents the attacker from
Listing 2. Randomization algorithm
for ( en t r y = 0 : j ump _ t a b l e _ e n t r i e s ) {
l o c a t i o n = rand ( ) % t r amp o l i n e _ s i z e ;
i f ( f i t s ( ent ry , l o c a t i o n ) ) {
mark_reserved ( l o c a t i o n , en t r y ) ;
} e l se {
l = ( l +1 ) % t r amp o l i n e _ s i z e ;
}
move_entry ( ent ry , l o c a t i o n ) ;
}
shadowing the trampoline branches and reliably tracking the pro-
gram’s execution.
a! = 0
a = 0Block0: lea tb1, r15
cmp 0, a
lea tb1S, r14
B2J: jmp r15
B1J: jmp r15
B0J: jmp r15
Block1: <code1>
Block2: <code2>
Block3: <code3>
tb1: lea tb2S, r15
jmp Block1
tb3: jmp Block3
tb2S: lea tb3, r15
jmp B2J
tb1S: lea tb2, r15
jmp B1J
tb2: lea tb3, r15
jmp Block2
Static code Trampolines
cmov r14, r15
Figure 4. Modified code protected by our approach
6) An attacker could repeatedly call same enclave functionality to
gradually determine the randomization pattern. To prevent this we
perform re-randomization of trampolines. This is done on all en-
clave entries, but is currently not integrated to our system. For
future work we envision supporting re-randomization using pro-
grammer annotations and compiler-based analysis (e.g., to locate
repetitive secret dependent branches).
6 Implementation details
We have implemented an open-source prototype of our approach,
based on LLVM 6.0 and implemented in the X86 target backend.
The instrumentation is applied by systematically traversing all func-
tions and modifying their branching instructions, as explained in
Section 5. Since the run-time randomization library itself cannot
be randomized, it must be resistant to branch-shadowing attacks.
While implemented, we have not yet integrated the randomizer to
our instrumentation. For efficient and fine-grained randomization
we do not preform in-place randomization, instead, we move tram-
poline entries between two trampoline areas. Listing 2 shows an
overview of our randomization algorithm.
We have also implemented an application for shadowing in-enclave
execution in a controlled manner. Our setup is similar to [17] i.e.,
our application 1) retrieves branch instruction addresses and sets
up a corresponding shadow-jump, 2) executes the attacked enclave
4
function and returns, 3) enables performance counters and exe-
cutes the shadow-code, and 4) reads performance counters to infer
in-enclave execution. Our setup is such that it could be integrated
into the SGXStep-framework. We have replicated the shadowing
techniques shown by [17] and also performed shadowing on return
statements.
We minimize performance overhead by performing costly oper-
ation onlywhen needed. In particular,we: a) provide code-annotation
for limiting the obfuscation to only developer-determined sensi-
tive parts, and b) randomize the trampoline code only when de-
tecting multiple enclave (re)entries (i.e., after a given number of
potential shadowing attempts).
7 Evaluation
7.1 Security Analysis
As specified in Requirements (Section 4), we must prevent an at-
tacker from inferring the secret-dependent control flow by R.1)
ensuring that observable branches do not leak information, and
R.2) preventing the attacker from probing other branches with a
probability based on the security parameter k.
To hide any data-dependant branches (R.1), we replace all con-
ditional branches with unconditional branches. We further setup
the control flow so that each block in the static code section is ex-
ecuted in the same order and on each function call. One limitation
is that we do not conceal the number of loop executions, because
this can be unknown compile time.While unimplemented, in some
cases this could be avoided by unrolling loops.
The remaining branching instructions are exclusively in the tram-
polines, for which the locations are randomized to defend against
shadowing (R.2). Without knowing the exact trampoline layout,
the attacker is forced to guess or exhaustively probe all possible
locations. The probability of attack success (Paack ) is given by
Equation 1, where G is the number of guesses and k the number
of possible trampoline locations.
Paack =
G
k
(1)
The upper limit for G is the number of BTB entries, but in prac-
tice this is lowered by any intermediate code (e.g., system calls and
attack setup) that pollutes the BTB. The security parameter k de-
termines the trampoline randomization space. Because X86 allows
unaligned execution, a single 4KB range gives us up to 4091 poten-
tial trampoline locations (with a trampoline size ranging from 5 to
15 bytes). With a randomization area of 8KB and 4096 BTB entries,
the attacker’s success probability of shadowing a single branch has
an upper bound of 0.5. The probability of following the full control
flow thus drops exponentially as the number of targeted branches
increase.
7.2 Performance Evaluation
We measured the performance overhead of our system in terms of
CPU-utilization, memory use, and code size. Our experiments were
conducted on an SGX-enabled Intel Skylake Core i5-6500CPU, run-
ning at 3.20 GHz, with 7,6 GiB of RAM. The machine was run-
ning Ubuntu 16.04 with 64-bit Linux 4.4.0-96-generic kernel and
the SGX SDK version 2.0.
In order to evaluate the performance of our approach, we used
SGX-Nbench [1] which is adapted from Nbench-byte-2.2.3, to mea-
sure the performance of 10 different benchmarks executed within
an enclave. In Table 1, we present the performance overhead in-
troduced by our approach. All benchmarks were conducted with
full instrumentation, but do not include randomization or dummy-
instructions, both of which we still to be implemented. Although
the randomization will introduce overhead, it need not be con-
stantly repeated. Instead it can be performed once on enclave cre-
ation and then later after a specified number of enclave re-entries.
Table 1. CPU overhead introduced by our approach. Numbers
are reported as iterations/second before and after instrumentation.
The overhead introduced by randomization and dummy instruc-
tions are not included in this experiment.
Benchmark Before
(std. dev.)
After
(std. dev.)
Performance
loss
Numeric sort 828.8 (0.79) 578.8 (0.21) 30%
String sort 86.59 (0.09) 67.72 (0.21) 21%
Bitfield 1.839e8
(1.34e5)
1.370e8
(3.27e5)
25%
Fp emulation 87.70 (0.11) 42.73 (0.02) 51%
Fourier 1.789e5
(1.19e2)
1.500e5
(1.50e2)
16%
Assignment 21.64 (0.03) 7.769 (0.01) 64%
Idea 2667 (1.26) 2665 (1.84) 0.1%
Huffman 2354 (4.07) 860.5 (0.71) 63%
Neural net 35.16 (0.03) 25.57 (0.22) 27%
Lu decomposition 973.1 (1.45) 785.0 (1.41) 19%
Average 17.17%
CPU overhead: The increase in execution time is caused by the
added trampoline jumps and the need to exhaustively execute all
jump-blocks. Table 1 presents the execution time of various bench-
marks in the enclave, before and after obfuscating them. The de-
crease in the number of iterations per second clearly shows a non-
negligible performance degradation. However, since we have ob-
fuscated the entire program in these benchmarks, these represent
the worst case performance overheads. In real deployments, we
would obfuscate only the parts of the code that depend on secret
enclave data. The performance loss range can be grouped as very
low (3-16%), middle (25-32%), and high (60% and above). This vari-
ation depends on how complicated the function is in terms of size
and number of branches. The Idea benchmark, for instance, has
functions with many nested conditional branches all of which re-
quire corresponding jump-blocks to be added and executed.
Memory overhead: As expected, our instrumentation does not
increase heap or stack use, but does increase the code size that
must be loaded within the enclave. For measuring the code size,
we compared the size of the enclave object files before and after
instrumentation. The code size of SGX-Nbench increased 1.6 times
(from 39.6 kB to 64.6 kB) after instrumentation.
8 Related work
There is a growing body of research on side channel attacks target-
ing Intel SGX and corresponding countermeasures. In addition to
the branch-shadowing attacks [7, 17] that we discussed in detail,
there other side channel attack targeting SGX enclaves [3, 4, 9, 22].
In order to mitigate these side channel attacks, there have been
various approaches proposed. In the following, we discuss these
countermeasures and how they differ from our work.
5
Several research works have been presented to thwart controlled-
channel (page-fault) attacks. SGX-Shield [18] randomizes themem-
ory layout, similar toAddress Space Layout Randomization (ASLR),
in order to prevent control flow hijacking and hide the enclave
memory layout. This approach impedes run-time attacks that ex-
ploit memory errors or attacks that rely on a known memory lay-
out (e.g., controlled-channel attacks). SGX-shield uses on-load ran-
domization, allowing repeated branch-shadowing attacks to grad-
ually reveal the randomization pattern. Our approach solves this
through run-time re-randomization. We further minimize the ad-
ditional attack-surface by limiting the randomization to the tram-
polines, not the whole code section.
Shinde et al. [20] propose an approach that masks page-fault
patterns by making the program’s memory access pattern deter-
ministic. More precisely, they alter the program such that it ac-
cesses all its data and code pages in the same sequence, regardless
of the input. This makes the enclave application demonstrate the
same page-fault pattern for any secret input variables. T-SGX [19]
is another solution proposed for mitigating page-fault attacks. It
leverages Intel Transactional Synchronization Extensions (TSX) to
suppress encountered page-faults without invoking the underly-
ing OS. T-SGX does notmitigate the branch-shadowing attack [17],
but it could be combinedwith our approach to address both branch-
shadowing and page-fault attacks.
DR.SGX [2] is presented to defend against cache side-channel at-
tacks. It permutes data locations, and continuously re-randomizes
enclave data in order to hamper correlation of memory accesses.
This approach prevents leakages resulting from secret-dependant
data accesses. Chandra et. al [5] propose a defense against side-
channel attacks on SGX and for protecting data privacy. To do
this, dummy data instances are injected into the user-given data
instances in order to add noise to memory access traces. More-
over, they randomize/shuffle the dummy data with the user data
to reduce the chance of extracting sensitive information from side-
channels. Both approaches are similar to our approach in that they
employ randomization; however, the target of randomization is
data and they do not defend against the branch-shadowing attack.
CCFIR (Compact Control Flow Integrity and Randomization) [23]
is a newmethod proposed to impede control-flow hijacking attacks
(e.g., returninto-libc and ROP). CCFIR controls the indirect control
transfers and limits the possible jump location to a whitelist in
a Springboard. Randomizing the order of the stubs in the Spring-
board adds an extra layer of protection and frustrates guessing of
the function pointers and return addresses. The environment for
which CCFIR is proposed differs from ours.
Obfuscation techniques were previously used to thwart leak-
age via side-channel attacks. Oblivious RAM (ORAM) [8] contin-
uously shuffles and re-encrypts the data when accessed in mem-
ory, disk or from server, in order to conceal the program’s mem-
ory access patterns. It requires that the state is stored and updated
client-side. This makes it difficult to use ORAM for cache protec-
tion purposes, as it is challenging to store the internal state of
ORAM securely without hardware support, given the small size
of cache lines. Moreover, this approach suffers from considerable
performance overhead.
None of the above countermeasures focus onmitigating branch-
shadowing attacks, and additionally, Lee et. al [17] have demon-
strated that their designed branch-shadowing attack is capable of
breaking the security constructs of SGX-Shield, T-SGX, and ORAM.
9 Conclusion and Future work
We propose a software-based mitigation scheme to defend against
branch-shadowing attacks, even in the presence of attackers with
the ability to single-step through SGX enclaves. Our approach com-
bines compile-time control flow obfuscation with run-time code
randomization to prevent the enclave program from leaking secret-
dependant control flow. To evaluate the performance of our ap-
proach, we measured the run-time overhead of ten benchmark pro-
grams of SGX-Nbench. Although we evaluated the worst-case sce-
nario (whole program instrumentation), our results show that, on
average, our approach results in a 1.6 times code size increase and
less than 18% performance loss.
As the future work, we will implement the randomizing compo-
nent, and optimize our obfuscator to reduce overhead. In addition,
we will improve our approach by integrating existing defences, in
order to address other side-channel attacks.
References
[1] 2017. Benchmark for Intel SGX. https://github.com/utds3lab/sgx-nbench. (2017).
Accessed: 2018-07-11.
[2] F. Brasser, S. Capkun, A. Dmitrienko, T. Frassetto, K. Kostiainen, U. Müller,
and A.-R. Sadeghi. 2017. DR.SGX: Hardening SGX Enclaves against Cache
Attacks with Data Location Randomization. CoRR abs/1709.09917 (2017).
arXiv:1709.09917 hp://arxiv.org/abs/1709.09917
[3] F. Brasser, U. Müller, A. Dmitrienko, K. Kostiainen, S. Cap-
kun, and A.-R. Sadeghi. 2017. Software Grand Exposure: SGX
Cache Attacks Are Practical. In 11th USENIX Workshop on Offen-
sive Technologies (WOOT 17). USENIX Association, Vancouver, BC.
hps://www.usenix.org/conference/woot17/workshop-program/presentation/brasser
[4] J. Van Bulck, N.Weichbrodt, R. Kapitza, F. Piessens, and R. Strackx. 2017. Telling
Your Secrets without Page Faults: Stealthy Page Table-Based Attacks on En-
claved Execution. In 26th USENIX Security Symposium (USENIX Security 17).
USENIX Association, Vancouver, BC, 1041–1056.
[5] Swarup Chandra, Vishal Karande, Zhiqiang Lin, Latifur Khan, Murat Kantar-
cioglu, and Bhavani Thuraisingham. 2017. Securing Data Analytics on SGX
with Randomization. Springer International Publishing, Cham, 352–369. DOI:
hp://dx.doi.org/10.1007/978-3-319-66402-6_21
[6] G. Chen, S. Chen, Y. Xiao, Y. Zhang, Z. Lin, and T.H. Lai. 2018. SgxPectre Attacks:
Leaking Enclave Secrets via Speculative Execution. (2018). arXiv:1802.09085
hp://arxiv.org/abs/1802.09085
[7] D. Evtyushkin, R. Riley, N. Abu-Ghazaleh, and D. Ponomarev. 2018. Branch-
Scope: A New Side-Channel Attack on Directional Branch Predictor. In Pro-
ceedings of the 23rd International Conference on Architectural Support for Pro-
gramming Languages and Operating Systems (ASPLOS ’18). ACM, 693–707. DOI:
hp://dx.doi.org/10.1145/3173162.3173204
[8] O. Goldreich and R. Ostrovsky. 1996. Software Protection and Simula-
tion on Oblivious RAMs. J. ACM 43, 3 (May 1996), 431–473. DOI:
hp://dx.doi.org/10.1145/233551.233553
[9] J. Götzfried, M. Eckert, S. Schinzel, and T. Müller. 2017. Cache At-
tacks on Intel SGX. In Proceedings of the 10th European Workshop
on Systems Security (EuroSec’17). ACM, Article 2, 6 pages. DOI:
hp://dx.doi.org/10.1145/3065913.3065915
[10] Intel. 2017. Intel 64 and IA-32Architectures Software DeveloperManuals. (2017).
hps://soware.intel.com/sites/default/files/managed/39/c5/325462-sdm-vol-1-2abcd-3abcd.pdf
[11] Intel. 2017. Intel SGX and Side-Channels. https://software.intel.com/en-
us/articles/intel-sgx-and-side-channels. (2017). Accessed: 2018-07-03.
[12] Intel. 2017. Intel Software Guard Extensions (Intel SGX).
https://software.intel.com/en-us/sgx. (2017). Accessed: 2017-12-11.
[13] Intel. 2018. Intel 64 and IA-32 Architectures Optimization Reference Manual.
https://software.intel.com/en-us/download/intel-64-and-ia-32-architectures-
optimization-reference-manual. (2018). Accessed: 2018-07-03.
[14] Intel. 2018. Retpoline : A Branch Target Injection Mitigation.
https://software.intel.com/sites/default/files/managed/1d/46/Retpoline-A-
Branch-Target-Injection-Mitigation.pdf. (2018). Accessed: 2018-07-10.
[15] Intel. 2018. Speculative Execution Side Channel Mitigations.
https://software.intel.com/sites/default/files/managed/c5/63/336996-
Speculative-Execution-Side-Channel-Mitigations.pdf. (2018). Accessed:
2018-07-10.
[16] P. Kocher, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Man-
gard, T. Prescher, M. Schwarz, and Y. Yarom. 2018. Spectre Attacks: Ex-
ploiting Speculative Execution *. arXiv preprint (2018). arXiv:1801.01203
hps://spectreaack.com/spectre.pdf
[17] S. Lee, M.-W. Shih, P. Gera, T. Kim, H. Kim, and M. Peinado. 2017. Inferring
Fine-grainedControl Flow Inside SGX Enclaves with Branch Shadowing. In 26th
6
USENIX Security Symposium, USENIX Security. 16–18.
[18] J. Seo, B. Lee, S. Kim, M.-W. Shih, I. Shin, D. Han, and T. Kim. 2017. SGX-Shield:
Enabling address space layout randomization for SGX programs. In Proceedings
of the 2017 Annual Network and Distributed System Security Symposium (NDSS).
[19] M.-W. Shih, S. Lee, T. Kim, andM. Peinado. 2017. T-SGX: Eradicating controlled-
channel attacks against enclave programs. In Proceedings of the 2017 Annual
Network and Distributed System Security Symposium (NDSS).
[20] S. Shinde, Z. L. Chua, V. Narayanan, and P. Saxena. 2015. Preventing Your
Faults From Telling Your Secrets: Defenses Against Pigeonhole Attacks. CoRR
abs/1506.04832 (2015). arXiv:1506.04832 hp://arxiv.org/abs/1506.04832
[21] J. Van Bulck, F. Piessens, and R. Strackx. 2017. SGX-Step: A Practical Attack
Framework for Precise Enclave Execution Control. In Proceedings of the 2Nd
Workshop on System Software for Trusted Execution (SysTEX’17). ACM, Article 4,
6 pages. DOI:hp://dx.doi.org/10.1145/3152701.3152706
[22] Y. Xu, W. Cui, andM. Peinado. 2015. Controlled-Channel Attacks: Deterministic
Side Channels for Untrusted Operating Systems. In 2015 IEEE Symposium on
Security and Privacy. IEEE, 640–656. DOI:hp://dx.doi.org/10.1109/SP.2015.45
[23] C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and
W. Zou. 2013. Practical Control Flow Integrity and Randomization for Binary
Executables. In 2013 IEEE Symposium on Security and Privacy. 559–573. DOI:
hp://dx.doi.org/10.1109/SP.2013.44
7
