Side-Channel Attacks and Defenses for SGX and SEV
Yinqian ZhangAssociate Professor
Computer Science & EngineeringThe Ohio State University
Open Source Enclave Workshop 2019
Userland TEEs on Commodity Processors
2
Software Guard Extension (2015)
Application
OS
Enclave Enclave
CPU
Secure Encrypted Virtualization (2016-2017)
VMM
VM
CPU
VM
Side-Channel Threats on Intel SGX
3
Application
OS
Enclave
CPU Mem I/O
Privileged Adversary• CPU management
• CPU Scheduling• Interrupt delivery and
handling• Memory management
• Paging• Segmentation
• I/O management• Network• Storage• Display
Side-Channel Threats on AMD SEV
4
Privileged Adversary• CPU management
• CPU Scheduling• Interrupt delivery and
handling• Memory management
• Paging• Segmentation
• I/O management• Network• Storage• Display
VMM
VM VM
CPU Mem I/O
Example: Deterministic Page Fault Side Channels
5
Application
Page 1
ec_mul
Page 2
add_points
Page 3
dup_point
Page Fault
Handler
Page Trace P1P2P1P3P2P1…
Kernel
Physical Page Address 0 DAG UWC R
051 912Page Table Entry
11XD
526263
Global DIR OffsetTableMiddle DIRUpper DIR
+
Page GlobalDirectory
Page UpperDirectory
Page MiddleDirectory
Page Table
cr3 ++
+
P
Example: Fine-Grained CPU Preemption
6
OS (CPU Scheduler)
CPU Page/Cache/BPU
1 instruction
Application
Enclave
More Issues with AMD SEV
7
• Lack of memory integrity• Chosen plaintext attacks• Fault injection attacks• Page table manipulation
• Unencrypted VMCB• Inference by reading
register values at VMExit• ROP attacks by altering
register values• Page fault side channel
• Page offset mask• Unprotected I/O
• IOMMU & ASID• Encryption/decryption
oracles
VMM
VM VM
CPU Mem I/O
SWIOTLB SWIOTLB
Li, Zhang, Lin, Solihin, “Exploiting Unprotected I/O Operations in AMD’s Secure Encrypted Virtualization”, Usenix Security 2019
Side-Channel Attack Surface
8
fetcher
Translation Units
ITLB DTLB
STLB
paging caches
page tables
decoder
issuer
scheduler
port nport 0 port 1 port 2
Execution Units
……port 3
BPU
BTB
RSB store buffer
load buffer
Cache & Memory
L1-I
L2
LLC
DRAM
LFBL1-D
Solutions to SGX/SEV side-channel attacks
Solutions to SGX Side Channels?
17
Hypervisor
VMVM
Cross-VM/Process Attacks
SGX Attacks
EnclaveEnclave
OS
Three Ideas of Mitigating SGX Side Channels
18
Xiao, Li, Zhang, “Stacco: Differentially Analyzing Side-Channel Traces for Detecting SSL/TLS Vulnerabilities in Secure Enclaves”, ACM CCS 2017
Chen, Chen, Xiao, Zhang, Lin, Lai, “SGXPECTRE: Stealing Intel Secrets from SGX Enclaves via Speculative Execution”, IEEE EuroS&P 2019
Wang, Zhang, Lin, “Time and Order: Towards Automatically Identifying Side-Channel Vulnerabilities in Enclave Binaries”, RAID 2019
Vulnerability Detection
• Analyzing enclave code to eliminate• Secret-dependent
memory access• Spectre gadgets
Three Ideas of Mitigating SGX Side Channels
19
Attack Prevention
• Preventing side-channel attacks by enforcing oblivious execution
Ahmad, Joe, Xiao, Zhang, Shin, Lee, “OBFUSCURO: A Commodity Obfuscation Engine on Intel SGX”, NDSS 2019
Vulnerability Detection
• Analyzing enclave code to eliminate• Secret-dependent
memory access• Spectre gadgets
Three Ideas of Mitigating SGX Side Channels
20
Attack Detection
• Detecting side-channel attacks at runtime via program instrumentation
Chen, Zhang, Reiter, Zhang, “Detecting Privileged Side-Channel Attacks in Shielded Execution with DEJA VU”, ACM AsiaCCS 2017
Chen, Wang, Chen, Chen, Zhang, Wang, Lai, Lin, Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races, IEEE S&P 2018
Attack Prevention
• Preventing side-channel attacks by enforcing oblivious execution
Vulnerability Detection
• Analyzing enclave code to eliminate• Secret-dependent
memory access• Spectre gadgets
Side-Channel Attacks and Defenses for SGX and SEV
Yinqian ZhangAssociate Professor
Computer Science & EngineeringThe Ohio State University
Thank [email protected]