Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX

doi:10.1145/3133956.3134038

. 2017 Oct-Nov:2017:2421-2434.

doi: 10.1145/3133956.3134038.

Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX

Wenhao Wang¹, Guoxing Chen², Xiaorui Pan¹, Yinqian Zhang², XiaoFeng Wang¹, Vincent Bindschaedler², Haixu Tang¹, Carl A Gunter³

Affiliations

¹ Indiana University, Bloomington, ww31@indiana.edu, xiaopan@indiana.edu, xw7@indiana.edu, hatang@indiana.edu.
² The Ohio State University, chenguo@cse.ohio-state.edu, yinqian@cse.ohio-state.edu.
³ University of Illinois at Urbana-Champaign, bindsch2@illinois.edu, cgunter@illinois.edu.

PMID: 30853868
PMCID: PMC6405214
DOI: 10.1145/3133956.3134038

Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX

Wenhao Wang et al. Conf Comput Commun Secur. 2017 Oct-Nov.

. 2017 Oct-Nov:2017:2421-2434.

doi: 10.1145/3133956.3134038.

Authors

Wenhao Wang¹, Guoxing Chen², Xiaorui Pan¹, Yinqian Zhang², XiaoFeng Wang¹, Vincent Bindschaedler², Haixu Tang¹, Carl A Gunter³

Affiliations

¹ Indiana University, Bloomington, ww31@indiana.edu, xiaopan@indiana.edu, xw7@indiana.edu, hatang@indiana.edu.
² The Ohio State University, chenguo@cse.ohio-state.edu, yinqian@cse.ohio-state.edu.
³ University of Illinois at Urbana-Champaign, bindsch2@illinois.edu, cgunter@illinois.edu.

PMID: 30853868
PMCID: PMC6405214
DOI: 10.1145/3133956.3134038

Abstract

Side-channel risks of Intel's SGX have recently attracted great attention. Under the spotlight is the newly discovered page-fault attack, in which an OS-level adversary induces page faults to observe the page-level access patterns of a protected process running in an SGX enclave. With almost all proposed defense focusing on this attack, little is known about whether such efforts indeed raises the bar for the adversary, whether a simple variation of the attack renders all protection ineffective, not to mention an in-depth understanding of other attack surfaces in the SGX system. In the paper, we report the first step toward systematic analyses of side-channel threats that SGX faces, focusing on the risks associated with its memory management. Our research identifies 8 potential attack vectors, ranging from TLB to DRAM modules. More importantly, we highlight the common misunderstandings about SGX memory side channels, demonstrating that high frequent AEXs can be avoided when recovering EdDSA secret key through a new page channel and fine-grained monitoring of enclave programs (at the level of 64B) can be done through combining both cache and cross-enclave DRAM channels. Our findings reveal the gap between the ongoing security research on SGX and its side-channel weaknesses, redefine the side-channel threat model for secure enclaves, and can provoke a discussion on when to use such a system and how to use it securely.

PubMed Disclaimer

Figures

**Fig. 3.**
An example of secret-dependent branch leaking timing information.

**Fig. 4.**
Scalar point multiplication for ECC.

**Fig. 5.**
Illustration of cache-DRAM attack.

**Fig. 6.**
Distribution of access latency for probing the same row and a different row.

**Fig. 7.**
An input-dependent branch in Gap 4.8.6.

See this image and copyright information in PMC

Cited by

Practical and Efficient in-Enclave Verification of Privacy Compliance.
Liu W, Wang W, Chen H, Wang X, Lu Y, Chen K, Wang X, Shen Q, Chen Y, Tang H. Liu W, et al. Proc (Int Conf Dependable Syst Netw). 2021 Jun;2021:413-425. doi: 10.1109/dsn48987.2021.00052. Epub 2021 Aug 6. Proc (Int Conf Dependable Syst Netw). 2021. PMID: 35919377 Free PMC article.
Secure and Efficient Regression Analysis Using a Hybrid Cryptographic Framework: Development and Evaluation.
Sadat MN, Jiang X, Aziz MMA, Wang S, Mohammed N. Sadat MN, et al. JMIR Med Inform. 2018 Mar 5;6(1):e14. doi: 10.2196/medinform.8286. JMIR Med Inform. 2018. PMID: 29506966 Free PMC article.
HySec-Flow: Privacy-Preserving Genomic Computing with SGX-based Big-Data Analytics Framework.
Widanage C, Liu W, Li J, Chen H, Wang X, Tang H, Fox J. Widanage C, et al. IEEE Int Conf Cloud Comput. 2021 Sep;2021:733-743. doi: 10.1109/CLOUD53861.2021.00098. Epub 2021 Nov 13. IEEE Int Conf Cloud Comput. 2021. PMID: 35662807 Free PMC article.
Trust Beyond Border: Lightweight, Verifiable User Isolation for Protecting In-Enclave Services.
Wang W, Liu W, Chen H, Wang X, Tian H, Lin D. Wang W, et al. IEEE Trans Dependable Secure Comput. 2023 Jan-Feb;20(1):522-538. doi: 10.1109/tdsc.2021.3138427. Epub 2021 Dec 28. IEEE Trans Dependable Secure Comput. 2023. PMID: 38152698 Free PMC article.
Privacy-preserving genotype imputation in a trusted execution environment.
Dokmai N, Kockan C, Zhu K, Wang X, Sahinalp SC, Cho H. Dokmai N, et al. Cell Syst. 2021 Oct 20;12(10):983-993.e7. doi: 10.1016/j.cels.2021.08.001. Epub 2021 Aug 26. Cell Syst. 2021. PMID: 34450045 Free PMC article.

See all "Cited by" articles

References

1. Intel software guard extensions programming reference. https://software.intel.com/sites/default/files/managed/48/88/329298-002...., 2014. Order Number: 329298-002, October 2014.
1. Intel software guard extensions (intel sgx. https://software.intel.com/sites/default/files/332680-001.pdf, 2015 June 2015.
1. Intel 64 and IA-32 architectures software developer’s manual, combined volumes:1,2A,2B,2C,3A,3B,3C and 3D. https://software.intel.com/sites/default/files/managed/3 9/c5/325 4 62-s..., 2016. Order Number: 325462-061US, December 2016.
1. Intel 64 and IA-32 architectures software developer’s manual, combined volumes:1,2A,2B,2C,3A,3B,3C and 3D, 2016. Order Number: 325462-058US April 2016.
1. Graphene / graphene-sgx library os - a library os for linux multi-process applications, with intel sgx support. https://github.com/oscarlab/graphene/, 2017. Accessed May 16, 2017.

Grants and funding

U01 EB023685/EB/NIBIB NIH HHS/United States

LinkOut - more resources

Full Text Sources
- Europe PubMed Central
- PubMed Central
Other Literature Sources
- The Lens - Patent Citations Database
Miscellaneous
- NCI CPTAC Assay Portal

[1] Intel software guard extensions programming reference. https://software.intel.com/sites/default/files/managed/48/88/329298-002...., 2014. Order Number: 329298-002, October 2014.

[2] Intel software guard extensions programming reference. https://software.intel.com/sites/default/files/managed/48/88/329298-002...., 2014. Order Number: 329298-002, October 2014.

[3] Intel software guard extensions (intel sgx. https://software.intel.com/sites/default/files/332680-001.pdf, 2015 June 2015.

[4] Intel software guard extensions (intel sgx. https://software.intel.com/sites/default/files/332680-001.pdf, 2015 June 2015.

[5] Intel 64 and IA-32 architectures software developer’s manual, combined volumes:1,2A,2B,2C,3A,3B,3C and 3D. https://software.intel.com/sites/default/files/managed/3 9/c5/325 4 62-s..., 2016. Order Number: 325462-061US, December 2016.

[6] Intel 64 and IA-32 architectures software developer’s manual, combined volumes:1,2A,2B,2C,3A,3B,3C and 3D. https://software.intel.com/sites/default/files/managed/3 9/c5/325 4 62-s..., 2016. Order Number: 325462-061US, December 2016.

[7] Intel 64 and IA-32 architectures software developer’s manual, combined volumes:1,2A,2B,2C,3A,3B,3C and 3D, 2016. Order Number: 325462-058US April 2016.

[8] Intel 64 and IA-32 architectures software developer’s manual, combined volumes:1,2A,2B,2C,3A,3B,3C and 3D, 2016. Order Number: 325462-058US April 2016.

[9] Graphene / graphene-sgx library os - a library os for linux multi-process applications, with intel sgx support. https://github.com/oscarlab/graphene/, 2017. Accessed May 16, 2017.

[10] Graphene / graphene-sgx library os - a library os for linux multi-process applications, with intel sgx support. https://github.com/oscarlab/graphene/, 2017. Accessed May 16, 2017.

Save citation to file

Email citation

Add to Collections

Add to My Bibliography

Your saved search

Create a file for external citation management software

Your RSS Feed

Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX

Affiliations

Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX

Authors

Affiliations

Abstract

Figures

Similar articles

Cited by

References

Grants and funding

LinkOut - more resources

Full Text Sources

Other Literature Sources

Miscellaneous

Abstract

Figures

Similar articles

Cited by

References

Related information

Grants and funding

LinkOut - more resources

Full Text Sources

Other Literature Sources

Miscellaneous