Researchers Create First Practical Malware for Intel SGX

Researchers have demonstrated the first practical malware for Intel’s Software Guard eXtensions (SGX). The academics believe that current SGX vulnerabilities can turn Intel’s supposed security feature into something that could ultimately harm users, as SGX enables attackers to deploy “super-malware” with ready-to-hit exploits.

Intel SGX is an "architecture extension designed to increase the security of application code and data," according to Intel. Researchers Michael Schwarz, Samuel Weiser and Daniel Gruss have found a way to hide undetectable malware in Intel’s SGX enclaves. The academics used a technique called return-oriented programming (ROP) to get their own application to carry out malicious operations, such as bypassing operating system-level address space layout randomization (ASLR) and executing arbitrary code that can steal sensitive information.

The researchers showed that enclaves can escape their limited SGX execution environment and bypass any communication interface prescribed by their host. Previously, other researchers thought that enclaves and anything operating within them are limited from accessing parts of the OS that don’t interact with the enclaves, but Schwarz and his colleagues proved that assumption was wrong.

The researchers’ attack involved also using Intel’s Transactional Synchronization eXtensions (TSX) feature, found in newer CPUs, which allows them to probe the system’s memory for a virtual address that is accessible by the current process. This exploration is undetectable because OS-level applications can’t look inside an enclave, by design.

Mitigations

The academics believe that solutions against this type of attack could be developed for future generations of CPUs that better sandbox the SGX enclaves. Some of those mitigations may not require hardware modifications but would trade some performance for security, while others that have no performance impact would need hardware changes.