What is Software Guard Extension?
Intel (INTC) is currently fighting the design security flaws Spectre and Meltdown, which give applications access to kernel memory where confidential data such as passwords are stored. Further research into these flaws is bringing new findings.
SGX (Software Guard eXtensions) is a set of CPU (central processing unit) instructions that developers use to create and run sensitive application code and data inside an enclave, a secure execution environment that is isolated even from the operating system. Developers use this hardware extension to run sensitive computations on an untrusted remote machine, or to run anti-piracy code while keeping the decryption keys hidden from everyone.
SGX is a new concept and is being rapidly adopted especially by public clouds. Hence, the revelation of design flaws brought the security of SGX enclaves under question. It was found that Spectre can exploit the enclave’s secure environment.
How can Spectre exploit SGX security?
A GitHub article reported that researchers at Ohio State University published a paper detailing how Spectre can attack SGX enclaves. They called this technique SgxPectre. The paper stated that SgxPectre exploits the “race condition between the injected, speculatively executed memory references and the latency of the branch resolution.”
SgxPectre exploits vulnerable code patterns in most SGX SDKs (software development kits), including the Intel SGX Software Development Kit, Rust-SGX, and Graphene-SGX. Attackers can use these SDKs to build their own SGX enclaves that repeatedly execute code to mislead the CPU and leak data.
The CPU also speculatively executes the instructions it predicts will come next, including inside an enclave. This leaves traces in the cache that are not rolled back when the speculative instructions are discarded. SgxPectre exploits these cache traces to leak information from inside the enclave. An attacker needs access to the local machine, or must run malware on it, to attack an SGX enclave.
Intel’s fix for SgxPectre
Intel stated that by mid-March 2018, it would release an SGX SDK update with IBRS (indirect branch restricted speculation) that flushes the branch prediction history at the enclave boundary. Developers have to rebuild and redeploy their enclave code using the updated SDK to protect against malicious system administrators.
However, the GitHub article noted that Intel’s fix has a flaw. Attackers can revert SGX updates, and the developer won’t even know, as there is no way to detect whether IBRS is enabled. The same problem applies to STIBP (single thread indirect branch predictors) and IBPB (indirect branch predictor barrier), which are also used to mitigate speculative execution attacks. Attackers can remove these barriers from the machine, and there is no way to detect whether they are present.
Researchers also stated that Google’s (GOOG) Retpoline software-only mitigation is not adequate to protect SGX against SgxPectre. Given the dynamic and evolving nature of these security flaws, Intel has updated its risk factors statement.
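The detection gap described above is from the enclave's point of view: enclave code cannot verify that IBRS, IBPB or STIBP are active. A host administrator on Linux does have a view of this, because the kernel reports its Spectre v2 mitigation status under /sys/devices/system/cpu/vulnerabilities/ and lists the speculation-control CPU features (ibrs, ibpb, stibp) in /proc/cpuinfo. The following script is an added example, not code from the article or from Intel; it parses those two sources, falls back to constructed sample contents when the files are absent, and reports which mechanisms the host claims to be using. The sample strings are constructed for illustration.

```python
"""Host-side check of Linux Spectre v2 mitigation status (added example).

Reads the kernel's sysfs vulnerability report and the CPU flag list.
This is the host operating system's view only; code inside an SGX
enclave has no equivalent way to confirm these settings.
"""
import os

SYSFS_SPECTRE_V2 = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"
PROC_CPUINFO = "/proc/cpuinfo"

# Constructed sample contents, used only when the real files are unavailable.
SAMPLE_SYSFS_MITIGATED = (
    "Mitigation: Full generic retpoline, IBPB: conditional, "
    "IBRS_FW, STIBP: conditional, RSB filling\n"
)
SAMPLE_SYSFS_VULNERABLE = "Vulnerable\n"
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme sse2 ibrs ibpb stibp ssbd\n"
)


def parse_spectre_v2_status(text):
    """Classify one spectre_v2 status line as the kernel prints it.

    Returns the raw line plus booleans for whether the kernel reports a
    mitigation at all and which mechanisms it names (retpoline, IBRS in
    any form including IBRS_FW, IBPB, STIBP).
    """
    line = text.strip()
    lowered = line.lower()
    return {
        "raw": line,
        "mitigated": lowered.startswith("mitigation"),
        "retpoline": "retpoline" in lowered,
        "ibrs": "ibrs" in lowered,
        "ibpb": "ibpb" in lowered,
        "stibp": "stibp" in lowered,
    }


def cpu_flags(cpuinfo_text):
    """Return the feature flags from the first 'flags' line of /proc/cpuinfo."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            _, _, value = line.partition(":")
            return set(value.split())
    return set()


def speculation_controls_available(flags):
    """Which speculation-control features the CPU/microcode advertises."""
    return {name: name in flags for name in ("ibrs", "ibpb", "stibp")}


def read_or_sample(path, sample):
    """Read a file, or return the labelled constructed sample if it is absent."""
    try:
        with open(path) as fh:
            return fh.read(), True
    except OSError:
        return sample, False


def host_report():
    """Combine both sources into one dict; 'live' says whether real files were read."""
    sysfs_text, sysfs_live = read_or_sample(SYSFS_SPECTRE_V2, SAMPLE_SYSFS_MITIGATED)
    cpuinfo_text, cpuinfo_live = read_or_sample(PROC_CPUINFO, SAMPLE_CPUINFO)
    return {
        "kernel": parse_spectre_v2_status(sysfs_text),
        "cpu": speculation_controls_available(cpu_flags(cpuinfo_text)),
        "live": sysfs_live and cpuinfo_live,
    }


if __name__ == "__main__":
    rep = host_report()
    source = "live host files" if rep["live"] else "constructed sample data"
    print(f"source: {source}")
    print(f"kernel spectre_v2: {rep['kernel']['raw']}")
    for mech in ("retpoline", "ibrs", "ibpb", "stibp"):
        print(f"  kernel uses {mech:<9}: {rep['kernel'][mech]}")
    for feat, present in rep["cpu"].items():
        print(f"  cpu advertises {feat:<6}: {present}")
```

A CPU flag being present means the microcode offers the control; only the kernel status line says whether it is in use. Neither source tells an enclave anything, which is why the article treats the reverted-update case as undetectable by the developer.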
Next, we’ll look at the other indirect repercussions of these security flaws.