Side-channel attacks and countermeasures on Intel SGX (A study on side-channel attacks and defenses in the SGX environment)

The introduction of Intel Software Guard Extension (SGX) for the trusted execution environment prompted security researchers to verify its effectiveness. Since Intel SGX is designed to provide confidentiality and integrity to an application even if the underlying system is compromised, various side-channel attacks by privileged attackers have been studied. One of the frequently discussed attacks against SGX is the side-channel attack by gathering page faults (controlled-channel attack). Owing to SGX's hardware features, the faulting address of the enclave (a secure region) memory is page-masked. Therefore, both the controlled-channel attack and the defenses of SGX are built under the assumption that an attacker observes the memory access attempts of the target enclave code with page-granularity. Van Bulck et al. recently demonstrated a controlled-channel attack technique which negates the prior assumption of page-granularity by using high-frequency interrupts. However, side-channel attacks still require a static analysis of the target enclave code. In this dissertation, I explain various side-channel attacks on SGX and introduce a novel class of attack that stems from the reduced controlled-channel granularity, i.e., the Version IDentification (VID) attack. The goal of the VID attack is to identify detailed code information inside the SGX enclave by analyzing the fine-grained SGX controlled-channel without the target enclave code. According to experiments, the VID attack can be used to identify information such as version, algorithm, and library type of cryptographic functions in the target enclave without its static analysis. Therefore, attackers can use the acquired information to prepare for next-stage attacks. To protect enclave memory from side-channel attacks, I design and implement SGX-LEGO, an automated system that applies execution polymorphism to the SGX enclave code.
Previous defense approaches against controlled-channel attacks can be broadly categorized into two types: (i) disclosing the fault information and (ii) making the monitored fault information useless. SGX-LEGO uses the latter approach by permuting the memory access sequence at the instruction level. In the SGX-LEGO design, I leverage the concept of code-reuse programming to overcome the implementation challenges regarding SGX page management. In the evaluation, I demonstrate the efficacy of SGX-LEGO from a security perspective and explain its performance. The results show that it causes a relatively small overhead compared to previous related work. Because it is compatible with the standard Intel SGX SDK, it can be utilized to protect SGX enclaves against various side-channel attacks without any additional H/W or S/W support.
Advisors
Kang, Brent Byung Hoon (강병훈)
Description
Korea Advanced Institute of Science and Technology (KAIST): Graduate School of Information Security
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2019
Identifier
325007
Language
eng
Description

Thesis (Ph.D.) - Korea Advanced Institute of Science and Technology (KAIST): Graduate School of Information Security, 2019.8, [vi, 61 p.]

Keywords

Trusted execution environment; side-channel attack; page fault; return oriented programming; Intel SGX

URI
http://hdl.handle.net/10203/283329
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=871504&flag=dissertation
Appears in Collection
IS-Theses_Ph.D. (Doctoral Theses)
Files in This Item
There are no files associated with this item.
