1 research outputs found
Practical Enclave Malware with Intel SGX
Modern CPU architectures offer strong isolation guarantees towards user
applications in the form of enclaves. For instance, Intel's threat model for
SGX assumes fully trusted enclaves, yet there is an ongoing debate on whether
this threat model is realistic. In particular, it is unclear to what extent
enclave malware could harm a system. In this work, we practically demonstrate
the first enclave malware which fully and stealthily impersonates its host
application. Together with poorly-deployed application isolation on personal
computers, such malware can not only steal or encrypt documents for extortion,
but also act on the user's behalf, e.g., sending phishing emails or mounting
denial-of-service attacks. Our SGX-ROP attack uses new TSX-based
memory-disclosure primitive and a write-anything-anywhere primitive to
construct a code-reuse attack from within an enclave which is then
inadvertently executed by the host application. With SGX-ROP, we bypass ASLR,
stack canaries, and address sanitizer. We demonstrate that instead of
protecting users from harm, SGX currently poses a security threat, facilitating
so-called super-malware with ready-to-hit exploits. With our results, we seek
to demystify the enclave malware threat and lay solid ground for future
research on and defense against enclave malware