In yet another piece of research, academics from Georgia Institute of Technology and Purdue University have demonstrated that the security guarantees offered by Intel’s Software Guard eXtensions (SGX) can be bypassed on DDR4 systems to passively decrypt sensitive data.
SGX is designed as a hardware feature in Intel server processors that allows applications to be run in a Trusted Execution Environment (TEE). It essentially isolates trusted code and resources within what’s called enclaves, preventing attackers from viewing their memory or CPU state.
In doing so, the mechanism ensures that the data stays confidential even when the underlying operating system has been tampered with or compromised by other means. However, the latest findings show the limitations of SGX.
“We show how one can build a device to physically inspect all memory traffic inside a computer cheaply and easily, in environments with only basic electrical tools, and using equipment easily purchased on the internet,” the researchers said. “Using our interposer device against SGX’s attestation mechanism, we are able to extract an SGX secret attestation key from a machine in fully trusted status, thereby breaching SGX’s security.”
Like the Battering RAM attack recently disclosed by KU Leuven and the University of Birmingham researchers, the newly devised method – codenamed WireTap – relies on an interposer that sits between the CPU and the memory module to observe the data that flows between them. The interposer can be installed by a threat actor either through a supply chain attack or physical compromise.
At its core, the physical attack exploits Intel’s use of deterministic encryption to stage a full key recovery against Intel SGX’s Quoting Enclave (QE), effectively making it possible to extract an ECDSA signing key that can be used to sign arbitrary SGX enclave reports.
Put differently, an attacker can weaponize the deterministic nature of memory encryption to build an oracle of sorts to break the security of constant-time cryptographic code.
“We have successfully extracted attestation keys, which are the primary mechanism used to determine whether code is running under SGX,” the researchers said. “This allows any hacker to masquerade as genuine SGX hardware, while in fact running code in an exposed manner and peeking into your data.”
“Like two sides of the same coin, WireTap and Battering RAM look at complementary properties of deterministic encryption. While WireTap focuses mainly on breaching confidentiality, BatteringRAM focuses mostly on integrity. The bottom line is the same; however, both SGX and SEV are easy to break using memory interposition.”
However, while Battering RAM is a low-cost attack that can be pulled off using equipment costing less than $50, the WireTap setup costs about $1,000, including the logic analyzer.
In a hypothetical attack scenario targeting SGX-backed blockchain deployments such as Phala Network, Secret Network, Crust Network, and IntegriTEE, the study found that WireTap can be leveraged to undermine confidentiality and integrity guarantees and allow attackers to disclose confidential transactions or illegitimately obtain transaction rewards.
In response to the findings, Intel said the exploit is outside the scope of its threat model since it assumes a physical adversary that has direct access to the hardware with a memory bus interposer. In the absence of a “patch,” it’s recommended that the servers be run in secure physical environments and use cloud providers that provide independent physical security.
“Such attacks are outside the scope of the boundary of protection offered by Advanced Encryption Standard-XEX-based Tweaked Codebook Mode with Ciphertext Stealing (AES-XTS) based memory encryption,” the chipmaker said. “As it provides limited confidentiality protection, and no integrity or anti-replay protection against attackers with physical capabilities, Intel does not plan to issue a CVE.”
