128 research outputs found

    Practical Enclave Malware with Intel SGX

    Modern CPU architectures offer strong isolation guarantees towards user applications in the form of enclaves. For instance, Intel's threat model for SGX assumes fully trusted enclaves, yet there is an ongoing debate on whether this threat model is realistic. In particular, it is unclear to what extent enclave malware could harm a system. In this work, we practically demonstrate the first enclave malware which fully and stealthily impersonates its host application. Together with poorly-deployed application isolation on personal computers, such malware can not only steal or encrypt documents for extortion, but also act on the user's behalf, e.g., sending phishing emails or mounting denial-of-service attacks. Our SGX-ROP attack uses a new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code-reuse attack from within an enclave which is then inadvertently executed by the host application. With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer. We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits. With our results, we seek to demystify the enclave malware threat and lay solid ground for future research on and defense against enclave malware

    Graphene deflectometry for sensing molecular processes at the nanoscale

    Single-molecule sensing is at the core of modern biophysics and nanoscale science, from revolutionizing healthcare through rapid, low-cost sequencing to understanding various physical, chemical, and biological processes at their most basic level. However, important processes at the molecular scale are often too fast for the detection bandwidth or otherwise outside the detection sensitivity. Moreover, most envisioned biophysical applications are at room temperature, which further limits detection due to significant thermal noise. Here, we theoretically demonstrate reliable transduction of forces into electronic currents via locally suspended graphene nanoribbons subject to ultra-low flexural deflection. The decay of electronic couplings with distance magnifies the effect of the deflection, giving rise to measurable electronic current changes even in aqueous solution. Due to thermal fluctuations, the characteristic charge carrier transmission peak follows a generalized Voigt profile, behavior which is reflected in the optimized sensor. The intrinsic sensitivity is less than 7 fN/√Hz, allowing for the detection of ultra-weak and fast processes at room temperature. Graphene deflectometry thus presents new opportunities in the sensing and detection of molecular-scale processes, from ion dynamics to DNA sequencing and protein folding, in their native environment

    Relaxation-limited electronic currents in extended reservoir simulations

    Open-system approaches are gaining traction in the simulation of charge transport in nanoscale and molecular electronic devices. In particular, "extended reservoir" simulations, where explicit reservoir degrees of freedom are present, allow for the computation of both real-time and steady-state properties but require relaxation of the extended reservoirs. The strength of this relaxation, γ, influences the conductance, giving rise to a "turnover" behavior analogous to Kramers' turnover in chemical reaction rates. We derive explicit, general expressions for the weak and strong relaxation limits. For weak relaxation, the conductance increases linearly with γ and every electronic state of the total explicit system contributes to the electronic current according to its "reduced" weight in the two extended reservoir regions. Essentially, this represents two conductors in series -- one at each interface with the implicit reservoirs that provide the relaxation. For strong relaxation, a "dual" expression -- one with the same functional form -- results, except now proportional to 1/γ and dependent on the system of interest's electronic states, reflecting that the strong relaxation is localizing electrons in the extended reservoirs. Higher order behavior (e.g., γ² or 1/γ²) can occur when there is a gap in the frequency spectrum. Moreover, inhomogeneity in the frequency spacing can give rise to a pseudo-plateau regime. These findings yield a physically motivated approach to diagnosing numerical simulations and understanding the influence of relaxation, and we examine their occurrence in both simple models and a realistic, fluctuating graphene nanoribbon. Comment: 6 pages, 3 figure

    Landauer's formula with finite-time relaxation: Kramers' crossover in electronic transport

    Landauer's formula is the standard theoretical tool to examine ballistic transport in nano- and meso-scale junctions, but it necessitates that any variation of the junction with time must be slow compared to characteristic times of the system, e.g., the relaxation time of local excitations. Transport through structurally dynamic junctions is, however, increasingly of interest for sensing, harnessing fluctuations, and real-time control. Here, we calculate the steady-state current when relaxation of electrons in the reservoirs is present and demonstrate that it gives rise to three regimes of behavior: weak relaxation gives a contact-limited current; strong relaxation localizes electrons, distorting their natural dynamics and reducing the current; and in an intermediate regime the Landauer view of the system only is recovered. We also demonstrate that a simple equation of motion emerges, which is suitable for efficiently simulating time-dependent transport. Comment: 16 pages, 5 figure

    Master Equations for Electron Transport: The Limits of the Markovian Limit

    Master equations are increasingly popular for the simulation of time-dependent electronic transport in nanoscale devices. Several recent Markovian approaches use "extended reservoirs" - explicit degrees of freedom associated with the electrodes - distinguishing them from many previous classes of master equations. Starting from a Lindblad equation, we develop a common foundation for these approaches. Due to the incorporation of explicit electrode states, these methods do not require a large bias or even "true Markovianity" of the reservoirs. Nonetheless, their predictions are only physically relevant when the Markovian relaxation is weaker than the thermal broadening and when the extended reservoirs are "sufficiently large," in a sense that we quantify. These considerations hold despite complete positivity and respect for Pauli exclusion at any relaxation strength. Comment: Accepted version. To appear in The Journal of Chemical Physic

    Software-based Microarchitectural Attacks

    Modern processors are highly optimized systems where every single cycle of computation time matters. Many optimizations depend on the data that is being processed. Software-based microarchitectural attacks exploit effects of these optimizations. Microarchitectural side-channel attacks leak secrets from cryptographic computations, from general purpose computations, or from the kernel. This leakage even persists across all common isolation boundaries, such as processes, containers, and virtual machines. Microarchitectural fault attacks exploit the physical imperfections of modern computer systems. Shrinking process technology introduces effects between isolated hardware elements that can be exploited by attackers to take control of the entire system. These attacks are especially interesting in scenarios where the attacker is unprivileged or even sandboxed. In this thesis, we focus on microarchitectural attacks and defenses on commodity systems. We investigate known and new side channels and show that microarchitectural attacks can be fully automated. Furthermore, we show that these attacks can be mounted in highly restricted environments such as sandboxed JavaScript code in websites. We show that microarchitectural attacks exist on any modern computer system, including mobile devices (e.g., smartphones), personal computers, and commercial cloud systems. This thesis consists of two parts. In the first part, we provide background on modern processor architectures and discuss state-of-the-art attacks and defenses in the area of microarchitectural side-channel attacks and microarchitectural fault attacks. In the second part, a selection of our papers are provided without modification from their original publications. I have co-authored these papers, which have subsequently been anonymously peer-reviewed, accepted, and presented at renowned international conferences. Comment: PhD Thesis. Graz University of Technology. June, 201

    Store-to-Leak Forwarding: Leaking Data on Meltdown-resistant CPUs (Updated and Extended Version)

    Meltdown and Spectre exploit microarchitectural changes the CPU makes during transient out-of-order execution. Using side-channel techniques, these attacks enable leaking arbitrary data from memory. As state-of-the-art software mitigations for Meltdown may incur significant performance overheads, they are only seen as a temporary solution. Thus, software mitigations are disabled on more recent processors, which are not susceptible to Meltdown anymore. In this paper, we show that Meltdown-like attacks are still possible on recent CPUs which are not vulnerable to the original Meltdown attack. We show that the store buffer - a microarchitectural optimization to reduce the latency for data stores - in combination with the TLB enables powerful attacks. We present several ASLR-related attacks, including a KASLR break from unprivileged applications, and breaking ASLR from JavaScript. We can also mount side-channel attacks, breaking the atomicity of TSX, and monitoring control flow of the kernel. Furthermore, when combined with a simple Spectre gadget, we can leak arbitrary data from memory. Our paper shows that Meltdown-like attacks are still possible, and software fixes are still necessary to ensure proper isolation between the kernel and user space. This updated extended version of the original paper includes new results and explanations on the root cause of the vulnerability and shows how it is different to MDS attacks like Fallout

    ARMageddon: Cache Attacks on Mobile Devices

    In the last 10 years, cache attacks on Intel x86 CPUs have gained increasing attention among the scientific community and powerful techniques to exploit cache side channels have been developed. However, modern smartphones use one or more multi-core ARM CPUs that have a different cache organization and instruction set than Intel x86 CPUs. So far, no cross-core cache attacks have been demonstrated on non-rooted Android smartphones. In this work, we demonstrate how to solve key challenges to perform the most powerful cross-core cache attacks Prime+Probe, Flush+Reload, Evict+Reload, and Flush+Flush on non-rooted ARM-based devices without any privileges. Based on our techniques, we demonstrate covert channels that outperform state-of-the-art covert channels on Android by several orders of magnitude. Moreover, we present attacks to monitor tap and swipe events as well as keystrokes, and even derive the lengths of words entered on the touchscreen. Eventually, we are the first to attack cryptographic primitives implemented in Java. Our attacks work across CPUs and can even monitor cache activity in the ARM TrustZone from the normal world. The techniques we present can be used to attack hundreds of millions of Android devices. Comment: Original publication in the Proceedings of the 25th Annual USENIX Security Symposium (USENIX Security 2016). https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/lip

    DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks

    In cloud computing environments, multiple tenants are often co-located on the same multi-processor system. Thus, preventing information leakage between tenants is crucial. While the hypervisor enforces software isolation, shared hardware, such as the CPU cache or memory bus, can leak sensitive information. For security reasons, shared memory between tenants is typically disabled. Furthermore, tenants often do not share a physical CPU. In this setting, cache attacks do not work and only a slow cross-CPU covert channel over the memory bus is known. In contrast, we demonstrate a high-speed covert channel as well as the first side-channel attack working across processors and without any shared memory. To build these attacks, we use the undocumented DRAM address mappings. We present two methods to reverse engineer the mapping of memory addresses to DRAM channels, ranks, and banks. One uses physical probing of the memory bus, the other runs entirely in software and is fully automated. Using this mapping, we introduce DRAMA attacks, a novel class of attacks that exploit the DRAM row buffer that is shared, even in multi-processor systems. Thus, our attacks work in the most restrictive environments. First, we build a covert channel with a capacity of up to 2 Mbps, which is three to four orders of magnitude faster than memory-bus-based channels. Second, we build a side-channel template attack that can automatically locate and monitor memory accesses. Third, we show how using the DRAM mappings improves existing attacks and in particular enables practical Rowhammer attacks on DDR4. Comment: Original publication in the Proceedings of the 25th Annual USENIX Security Symposium (USENIX Security 2016). https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/pess

    ZombieLoad: Cross-Privilege-Boundary Data Sampling

    In early 2018, Meltdown first showed how to read arbitrary kernel memory from user space by exploiting side-effects from transient instructions. While this attack has been mitigated through stronger isolation boundaries between user and kernel space, Meltdown inspired an entirely new class of fault-driven transient execution attacks. Particularly, over the past year, Meltdown-type attacks have been extended to not only leak data from the L1 cache but also from various other microarchitectural structures, including the FPU register file and store buffer. In this paper, we present the ZombieLoad attack which uncovers a novel Meltdown-type effect in the processor's previously unexplored fill-buffer logic. Our analysis shows that faulting load instructions (i.e., loads that have to be re-issued for either architectural or microarchitectural reasons) may transiently dereference unauthorized destinations previously brought into the fill buffer by the current or a sibling logical CPU. Hence, we report data leakage of recently loaded stale values across logical cores. We demonstrate ZombieLoad's effectiveness in a multitude of practical attack scenarios across CPU privilege rings, OS processes, virtual machines, and SGX enclaves. We discuss both short and long-term mitigation approaches and arrive at the conclusion that disabling hyperthreading is the only possible workaround to prevent this extremely powerful attack on current processors