In yet another study, scholars from Georgia Tech and Purdue University demonstrated that security assurance provided by Intel’s Software Guard Extension (SGX) can be bypassed with DDR4 systems to passively decrypt sensitive data.
SGX is designed as a hardware feature of Intel server processors to enable applications to run in a trusted execution environment (TEE). It essentially separates trustworthy code and resources within what is called an enclave, preventing attackers from seeing their memory or CPU state.
In doing so, the mechanism ensures that data remains confidential, even if the underlying operating system has been tampered with or compromised by other means. However, the latest findings show the limits of SGX.
“We show how to build a device that can be cheaply and easily physically inspected all memory traffic in a computer in an environment with only basic electrical tools and equipment that can be easily purchased on the Internet,” the researchers said. “You can use an interposer device against the SGX proof mechanism to extract the SGX secret proof key from the machine with a fully reliable status and violate the SGX security.”
Like the abuse RAM attacks recently disclosed by Ku Leuven and researchers at the University of Birmingham, Codenayed Wiretap – a newly devised method, relies on interposers located between the CPU and memory modules to observe the data flowing between them. Interposers can be installed by threat actors through supply chain attacks or physical compromises.
The physical attack leverages the use of Intel’s deterministic encryption to perform a step-by-step full key recovery for Intel SGX Quotation Enclaves (QEs) allowing you to extract the ECDSA Signature Key that can be used to sign any SGX Enclave report.
Put another way, attackers can weaponize the deterministic nature of memory encryption and construct some sort of oracle to break the security of the filming code for a certain period of time.
“We successfully extracted the proof key, the main mechanism used to determine whether the code is running under SGX,” the researchers said. “This allows hackers to pose as real SGX hardware, actually execute code and peer into data in an exposed way.”
“Like two aspects of the same coin, eavesdropping and gunfire rams see complementary properties of deterministic encryption. Wiresdropping mainly focuses on violations of confidentiality, while Battingrams focus primarily on integrity.
However, bombarding RAM is a low-cost attack that can be pulled apart using equipment under $50, while a eavesdropping setup with Logic Analyzer costs around $1,000.
Hypothetical attack scenarios targeting the deployment of SGX-backed blockchains such as Phala Network, Secret Network, Crust Network, and Integritee have been found to use eavesdropping to undermine confidentiality and integrity guarantees, allowing attackers to disclose confidential transactions and illegally obtain rewards for transactions.
In response to the findings, Intel stated that the exploit is out of scope of the threat model as it assumes physical enemies with direct access to hardware with memory bus interposers. Without “patches”, it is recommended that the server be used with a cloud provider that runs in a secure physical environment and provides independent physical security.
“An attack like this is outside the scope of the protection perimeter provided by the advanced encryption standard XEX-based fine-tuning codebook mode with Ciphertext Stailing (AES-XTS)-based memory encryption,” Chipmaker said. “Intel has no plans to issue CVEs as confidentiality protection is limited and integrity or replay prevention against physically capable attackers is not provided.”
