Cybersecurity researchers have disclosed two different attacks that could be exploited against modern Intel processors to leak sensitive information from the CPU's trusted execution environments (TEEs).
The first, called SGAxe, is a further development of the CacheOut attack (CVE-2020-0549) disclosed earlier this year, which lets an attacker retrieve content from the CPU's L1 cache.
"By using the extended attack against the Intel-provided and signed architectural SGX enclaves, we retrieve the secret attestation key used for cryptographically proving the genuineness of enclaves over the network, allowing attackers to masquerade as genuine Intel machines by signing arbitrary SGX attestation quotes," said a group of academics from the University of Michigan.
The second line of attack, which VU University Amsterdam researchers call CrossTalk, allows attacker-controlled code running on one CPU core to target SGX enclaves running on a completely different core and determine the enclave's private keys.
A TEE, such as Intel's Software Guard Extensions (SGX), is a secure enclave: an area within a processor that ensures the confidentiality and integrity of code and data. It provides safeguards against malicious software and against tampering by attackers who may have already broken into the (virtual) target machine.
SGAxe attack: extracting sensitive data from SGX enclaves
SGAxe builds on the CacheOut speculative execution attack to steal SGX data. Although Intel has taken steps to counter side-channel attacks against SGX through multiple microcode updates and new architectures, those measures have proven ineffective.
The result is a transient execution attack that can be used to recover SGX cryptographic keys from a fully updated Intel machine that is trusted by Intel's attestation server.
Attestation is a mechanism offered by SGX that lets enclaves prove to third parties that they have been correctly initialized on a genuine Intel processor. The idea is to ensure that the software running in the CPU has not been tampered with and to increase confidence that the software is running inside an enclave.
"In short, we use CacheOut to recover the sealing keys from the address space of Intel's production quoting enclave," the researchers said. "Finally, we use the recovered sealing keys to decrypt the quoting enclave's long-term storage, obtaining the machine's EPID attestation keys."
By breaking this trust, SGAxe makes it easy for an attacker to create a rogue enclave that passes Intel's attestation mechanism, resulting in the loss of SGX's security guarantees.
"With the machine's production attestation keys compromised, any secrets provided by the server are immediately readable by the client's untrusted host application, while all outputs allegedly produced by enclaves running on the client cannot be trusted for correctness," the researchers said. "This effectively renders SGX-based DRM applications useless, as any provisioned secret can be trivially recovered."
Although Intel released fixes for CacheOut in January via a microcode update to OEM vendors and subsequently via BIOS updates to end users, the root cause of CacheOut (also known as L1D Eviction Sampling) must be fixed in order to mitigate SGAxe.
"It is important to note that SGAxe relies on CVE-2020-0549, which has been mitigated in microcode (confirmed by the researchers in their updated CacheOut paper) and distributed to the ecosystem," Intel said in a security advisory.
The chipmaker is also performing a Trusted Compute Base (TCB) recovery to invalidate any previously signed attestation keys.
"This process ensures that your system is in a secure state so that your system can use remote attestation again," the researchers said.
CrossTalk attack: leaking information across CPU cores
CrossTalk (CVE-2020-0543), the second SGX exploit, is described by VU University as a Microarchitectural Data Sampling (MDS) attack. It uses a "staging" buffer that is readable across all CPU cores to mount transient execution attacks across cores and extract the entire private ECDSA key from a secure enclave running on a separate CPU core.
"The staging buffer retains the results of previously executed off-core instructions across all CPU cores," the researchers said. "For example, it contains the random numbers returned by the off-core DRNG hardware, Boot Guard status hashes, and other sensitive data."
In other words, CrossTalk reads the staging buffer during transient execution to leak sensitive data accessed by the victim's previously executed instructions.
The fact that the buffer retains the output of the RDRAND and RDSEED instructions allows an attacker to observe the generated random numbers, thereby compromising the cryptographic operations underlying the SGX enclave, including the remote attestation process mentioned above.
With Intel CPUs released from 2015 to 2019, including Xeon E3 and E processors, susceptible to the attack, VU University researchers notified Intel of a proof of concept demonstrating the staging buffer leak in September 2018, followed by a PoC implementation of a cross-core RDRAND/RDSEED leak in July 2019.
"Mitigations against existing transient execution attacks are largely ineffective," the team summarized. "The majority of current mitigations rely on spatial isolation on boundaries which are no longer applicable due to the cross-core nature of these attacks. New microcode updates which lock the entire memory bus for these instructions can mitigate these attacks, but only if there are no similar problems yet to be found."
In response to the findings, Intel fixed the flaw in a microcode update distributed to software vendors yesterday, after a lengthy 21-month disclosure period owing to the difficulty of implementing a fix.
The company has advised users of affected processors to update to the latest version of firmware provided by system manufacturers to resolve the issue.