Go to listing page

Researchers inject powerful malware into the Intel SGX secure enclaves

Researchers inject powerful malware into the Intel SGX secure enclaves
  • The malicious code developed by the researchers bypasses anti-virus or any protective software mechanisms in systems with the latest Intel processors.
  • Intel SGX would fail to distinguish the program as malicious and hide them in ‘enclaves’.

Software Guard Extensions (SGX), an Intel offering that protects important software code from being manipulated by other applications in the processor architecture, can also be used to shelter malware, as found in a new research study.

Researchers from the Graz University of Technology have devised a return-oriented programming (ROP) attack that abuses SGX’s protected areas known as ‘enclaves’. By doing this, attackers could place malware inside enclaves, thus making it undetectable via protective mechanisms such as antivirus or similar programs.

'Super malware' threat

In their paper, researchers Michael Schwarz, Samuel Weiser & Daniel Gruss, who developed the ROP attack suggest that SGX’s enclave model is not completely foolproof in terms of its isolation guarantees.

“With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer. We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits,” read the paper abstract. Schwarz and team validated the threat model by designing their own ROP attack.

Theoretically, SGX enclaves is meant to be used for sensitive computations like computing financial transactions or for securing copyrighted media, which needs to be isolated from other entities such as applications and the OS.

However, there has been speculation regarding the security of the SGX enclaves. This is the reason why the researchers intended to study this model and the extent to which an SGX-based malware could impact the system.

For their attack, the researchers relied on Intel’s other feature known as Transactional Synchronization eXtensions (TSX). Using a TSX-based memory-disclosure primitive and a write-anything-anywhere primitive, the researchers created a code-reuse attack within the enclave such that the host application would execute it inadvertently. SGX ROP would make exploits on Intel processors a cakewalk for attackers, as per the researchers.

Meanwhile, Intel has acknowledged the research findings and is planning to bring major changes in the software.

Cyware Publisher

Publisher

Cyware