IT-Security

Ramming Enclave Gates: A Systematic Vulnerability Assessment of TEE Shielding Runtimes

This talk presents an extensive security analysis of trusted-execution environment shielding runtimes, covering over two years of continuing research and leading to 7 CVE designations in industry-grade Intel SGX enclave SDKs.
For the first time, we develop a systematic way of reasoning about enclave shielding responsibilities categorized across 11 distinct classes across the ABI and API tiers. Our analysis revealed over 40 new interface sanitization vulnerabilities, and we developed innovative techniques to aid practically exploitation through among others CPU register poisoning, timer-based single-stepping, rogue CPU exception handlers, and side-channel-based cryptanalysis. We finally analyze tendencies across the landscape and find that developers continue to make the same mistakes, calling for improved vulnerability detection and mitigation techniques. This talk overviews the security and state of practice of today's Trusted Execution Environment (TEE) shielding runtimes from both industry and research. Our systematic analysis uncovered over 40 re-occurring enclave interface sanitization vulnerabilities in 8 major open-source shielding frameworks for Intel SGX, RISC-V, and Sancus TEEs. The resulting vulnerability landscape enables attackers to poison victim programs through both low-level CPU state, including previously overlooked attack vectors through the x86 status flags and floating-point co-processor, as well as through higher-level programming constructs such as untrusted pointer arguments passed into the shared address space. We develop new and improved technique to practically exploit these vulnerabilities in several attack scenarios that leak full cryptographic keys from the enclave or enable arbitrary remote code reuse. Following extended responsible disclosure embargoes, our findings were assigned 7 designated CVE records and led to numerous security patches in the vulnerable open-source projects, including the Intel SGX-SDK, Microsoft's Open Enclave, Google's Asylo, and the Rust compiler. Our findings highlight that emerging TEE technologies, such as Intel SGX, are _not_ a silver-bullet solution and continue to be misunderstood in both industry and academia. While promising, we explain that TEEs require extra scrutiny from the enclave developer and we set out to identify common pitfalls and constructive recommendations for best practices for enclave interface sanitization. Throughout the talk, we overview shielding responsibilities and argue that proper enclave hygiene will be instrumental to the success of the emerging Intel SGX ecosystem. Additionally, we point to several subtle properties of the Intel x86 complex instruction set considerably increase the attack surface for enclave attackers and require the end developer to be aware of their respective shielding runtime or apply additional sanitizations at the application level itself.

Additional information

Type Talk
Language English

More sessions

12/27/20
IT-Security
Max Aliapoulios
rC2
Ransomware is a type of malware that encrypts the files of infected hosts and demands payment, often in a cryptocurrency such as Bitcoin. In this talk, we present a measurement framework that we used to perform a large-scale, two-year, end-to-end measurement of ransomware payments, victims and operators.
12/27/20
IT-Security
Thomas Roth
rC2
On November 13., Nintendo launched its newest retro console, the Nintendo Game and Watch - but by then it was already hacked! In contrast to the other Nintendo classic consoles (NES & SNES), Nintendo upped their game this time: A locked processor, AES-CTR encrypted flash & co. made it significantly harder to hack it, but in the end it was still hacked - one day before release. This talk walks through the whole process of opening it up, exploiting the firmware up to bringing homebrew to a new ...
12/27/20
IT-Security
Florian Schweitzer
chaosstudio-hamburg
Ein Klick auf einen "Unsubscribe"-Link in einem Newsletter reicht oft aus, damit ein Angreifer eine Rufumleitung bei einer Zielperson einrichten kann. Damit lassen sich etwa die Passwörter von mit der Rufnummer verknüpften Google- oder Microsoft-Accounts zurücksetzen.
12/27/20
IT-Security
chaosstudio-hamburg
Load Value Injection (LVI) is a new class of transient-execution attacks exploiting microarchitectural flaws in modern processors to inject attacker data into a victim program and steal sensitive data and keys from Intel SGX, a secure vault in Intel processors for your personal data.
12/27/20
IT-Security
rC1
After the first unsuccessful deployment of voting machines in Germany about ten years ago, elements of electronic voting have reached elections again. Although there is now still a paper-trail, more and more essential steps, such as counting the votes, are moved into electronic systems. This change in the ballot-counting procedure took place mostly unnoticed by the public. We are two very concerned election workers who present our first-hand experience in this talk. We show that the current ...
12/28/20
IT-Security
jiska
rC2
How secure is the interface between baseband chips and iOS? While this interface should protect against escalations from the baseband into operating system components, its implementation is full of bugs. Fuzzing this interface is not only relevant to security, but also results in various funny effects, since the iPhone looses information about its identity and location, and eventually ends up in a state with a few thousand unread SMS that can no longer be deleted.
12/28/20
IT-Security
Alisa Esage
rC2
State-of-the-art report on Qualcomm DIAG diagnostic protocol research, its modern implementation as it appears in Hexagon basebands, advanced harnessing and reverse-engineering on modern off-the-shelf smartphones.