Georgia Tech Researchers Show SGX Isn’t as Secure as It Seems

When Intel introduced Software Guard Extension (SGX), cloud developers could breathe easy knowing their code was protected from malicious operating systems (OS) thanks to a hardware-protected enclave. But SGX is more vulnerable to attack than it initially appeared, according to Georgia Institute of Technology researchers, who discovered a new side-channel attack called branch shadowing.

“A lot of people consider SGX the most promising secure cloud environment, but this research demonstrates a pitfall,” said Assistant Professor Taesoo Kim, one of the six researchers. “This vulnerability allows an attacker to exploit the behavior of SGX and get confidential information.”

What makes SGX so secure is also its biggest vulnerability: the enclave. SGX creates a trusted execution environment for secure data by isolating and encrypting all of its sensitive memory contents in an enclave. What Tech researchers discovered, however, was that SGX does not clear branch history when switching to enclave mode. This leaves fine-grained traces of the enclave's past control flow (which branches it took) in processor state that untrusted code can observe, creating a branch-prediction side channel that an attacker could exploit.

For the most part, developers have not worried about this possible exploit because of the relative difficulty of this type of attack. However, using two new techniques, Tech researchers are now able to take advantage of the vulnerability.

The team developed a history-inferring technique and a way of using the processor's advanced programmable interrupt controller (APIC) to control the execution of the enclave at the finest granularity. Together, these two techniques form a new branch-prediction side-channel attack, branch shadowing.

“This new attack can identify each branch instruction’s execution history, the most fine-grained attack found so far,” lead researcher Sangho Lee, a Georgia Tech postdoctoral fellow, said. Essentially, an attacker using branch shadowing can recover the enclave's past control flow because traces of it remain in the processor.

The implications for security could be serious when the cloud is used to store financial or health data. This is why the Tech researchers also proposed potential software and hardware solutions. One countermeasure against this type of attack is to flush the branch history generated inside the enclave, which requires modifying the code.
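The leak described above (predictor state that survives the switch out of the enclave) and the flush countermeasure can be illustrated with a small model. The following Python is an added example written for this article, not code from the Georgia Tech researchers or from Intel: it stands in for the CPU's per-address branch history with a dictionary, uses a hypothetical enclave branch address, and abstracts away both the misprediction-timing measurement and the branch-address aliasing that the real channel depends on. What it shows is the core point: because the predictor is not tagged by enclave mode, untrusted code that runs afterwards sees the outcomes of the enclave's secret-dependent branches, and clearing that state on exit removes the signal.

```python
"""
Toy model of a branch predictor shared between an SGX enclave and untrusted code,
with and without a flush on enclave exit. Constructed illustration only: the real
channel is read through misprediction timing and colliding branch addresses,
not through a dictionary lookup.
"""
from __future__ import annotations

# Hypothetical address of the enclave's first secret-dependent conditional branch.
ENCLAVE_BRANCH_BASE = 0x1000


class SharedBranchPredictor:
    """Minimal stand-in for the per-address branch history the CPU keeps.

    The hardware does not tag entries as 'enclave' or 'non-enclave', so whatever
    runs after the enclave returns sees the same entries the enclave left behind.
    """

    def __init__(self) -> None:
        self._history: dict[int, bool] = {}

    def execute_branch(self, addr: int, taken: bool) -> None:
        """Record the outcome of the conditional branch at `addr`."""
        self._history[addr] = taken

    def flush(self) -> None:
        """Countermeasure: discard all predictor state when leaving the enclave."""
        self._history.clear()

    def observe(self, addr: int) -> bool | None:
        """What untrusted code can recover about the branch at `addr`
        (None when the predictor holds nothing for that address)."""
        return self._history.get(addr)


def enclave_process_secret(pred: SharedBranchPredictor, secret_bits: list[int]) -> None:
    """Enclave code whose control flow depends on each bit of a secret.

    One conditional branch per bit, 'taken' exactly when the bit is 1. The secret
    value never leaves the enclave, but its effect on the branches does.
    """
    for i, bit in enumerate(secret_bits):
        pred.execute_branch(ENCLAVE_BRANCH_BASE + 4 * i, bool(bit))


def untrusted_observe(pred: SharedBranchPredictor, nbits: int) -> list[bool | None]:
    """Untrusted code inspecting the shared predictor after the enclave has returned."""
    return [pred.observe(ENCLAVE_BRANCH_BASE + 4 * i) for i in range(nbits)]


def leaked_bits(secret_bits: list[int], flush_on_exit: bool) -> list[bool | None]:
    """Run the enclave on `secret_bits`, optionally flush, then let untrusted code look.

    Returns the per-branch outcomes the untrusted side can see: the secret bits
    themselves without a flush, nothing at all with one.
    """
    pred = SharedBranchPredictor()
    enclave_process_secret(pred, secret_bits)
    if flush_on_exit:
        pred.flush()
    return untrusted_observe(pred, len(secret_bits))


if __name__ == "__main__":
    secret = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed sample secret
    print("no flush :", leaked_bits(secret, flush_on_exit=False))
    print("flush    :", leaked_bits(secret, flush_on_exit=True))
```

Running it prints the secret bits back as True/False in the first line and eight `None` values in the second. In the real attack the observer learns the same information indirectly, by timing whether its own "shadow" branches are predicted correctly, and flushing the predictor on every enclave exit costs performance, which is why the article goes on to describe a cheaper software alternative.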

However, changing code can be arduous and time-consuming, so they created a software-based countermeasure called Zigzagger that could be used more easily in the short term. Zigzagger turns a set of branch instructions into one indirect branch, which makes it much harder to infer which path the code took at that branch.

Lee believes their findings also have larger implications for the security industry. Hardware vendors should provide hardware dedicated to trusted execution environments so that no resources, such as branch-prediction units, are shared in a way an attacker could take advantage of. He also recommends that software developers write their code carefully when building software that handles private data. In the meantime, the researchers have reported their findings to Intel and are working with them to mitigate this vulnerability.

“Memory isolation is not enough because trusted and untrusted applications still share many processor-internal hardware components,” Lee said.

A paper titled “Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing” details this research and was presented at USENIX, the annual Advanced Computing Systems Association conference, in Vancouver, Canada, earlier this month. It was one of seven papers from Georgia Tech researchers.
Tess Malone, Communications Officer I