# Lessons from Capsizing SGX Enclave Programs

Jo Van Bulck

BINSEC Webinar (online), February 10, 2022

A imec-DistriNet, KU Leuven ☑ jo.vanbulck@cs.kuleuven.be ¥ jovanbulck





# **Enclaved execution: Reducing attack surface**



Traditional layered designs: large trusted computing base

# Enclaved execution: Reducing attack surface



Intel SGX promise: hardware-level isolation and attestation

# Enclaved execution: Privileged side-channel attacks



**Game-changer:** Untrusted OS  $\rightarrow$  new class of powerful side channels!

## Enclaved execution: Privileged side-channel attacks



Xu et al. "Controlled-channel attacks: Deterministic side channels for untrusted operating systems", S&P 2015

# Enclaved execution: Privileged side-channel attacks



Van Bulck et al. "Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic", CCS 2018



#### Privileged adversary model

Lessons for compiling "secure" enclave programs?

- 1. Interface sanitization (ABI/API)
- 2. Side-channel hardening
- 3. Transient-execution semantics



# 

# Challenge 1: ABI sanitization

# Enclave shielding responsibilities



# Tier1: Establishing a trustworthy enclave ABI



- → Attacker controls CPU register contents on enclave entry/exit
- ↔ Compiler expects well-behaved calling convention (e.g., stack)



# Tier1: Establishing a trustworthy enclave ABI



- → Attacker controls CPU register contents on enclave entry/exit
- ↔ Compiler expects well-behaved calling convention (e.g., stack)



 $\Rightarrow$  Need to initialize CPU registers on entry and scrub before exit!

# Summary: ABI-level attack surface



Relatively understood, but special care for stack pointer + status register + FPU

Van Bulck et al. "A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes", CCS 2019.

Alder et al. "Faulty Point Unit: ABI Poisoning Attacks on Intel SGX", ACSAC 2020.

# Summary: ABI-level attack surface



 $\triangle$ 

Attack surface complex x86 ABI (Intel SGX) >> simpler RISC designs

# x86 string instructions: Direction Flag (DF) operation



| <br>~ |
|-------|

| L | ica | rur, | bui    |    |
|---|-----|------|--------|----|
| 2 | mov | al,  | 0×0    |    |
| 3 | mov | ecx, | 100    |    |
| 1 | rep | stos | [rdi], | al |
|   |     |      |        |    |

# x86 string instructions: Direction Flag (DF) operation



• Default operate left-to-right

$$\rightarrow$$

| 1 | lea | rdi, | buf    |    |
|---|-----|------|--------|----|
| 2 | mov | al,  | 0×0    |    |
| 3 | mov | ecx, | 100    |    |
| 4 | rep | stos | [rdi], | al |

# x86 string instructions: Direction Flag (DF) operation

- x86 rep string instructions to speed up streamed memory operations
- Default operate left-to-right, unless software sets RFLAGS.DF=1

| 1 | lea | rdi, buf+100         |
|---|-----|----------------------|
| 2 | mov | al, 0×0              |
| 3 | mov | ecx, 100             |
| 4 | std | ; set direction flag |
| 5 | rep | stos [rdi], al       |



# WHAT COULD POSSIBLY

# GO WRONG?

imgflip.com

# SGX-DF: Inverting enclaved string memory operations

#### x86 System-V ABI

 $\bigcirc$ 

<sup>8</sup> The direction flag DF in the %rFLAGS register must be clear (set to "forward" direction) on function entry and return. Other user flags have no specified role in the standard calling sequence and are *not* preserved across calls.

# SGX-DF: Inverting enclaved string memory operations



# Guardian: symbolic validation of orderliness in SGX enclaves

Pedro Antonino<sup>1</sup>, Wojciech Aleksander Wołoszyn<sup>1,2</sup>, and A. W. Roscoe<sup>1,3,4</sup>

<sup>1</sup> The Blockhouse Technology Limited, Oxford, UK

<sup>2</sup> Mathematical Institute, University of Oxford, Oxford, UK

- <sup>3</sup> University College Oxford Blockchain Research Centre, Oxford, UK
- <sup>4</sup> Department of Computer Science, University of Oxford, Oxford, UK {pedro, wojciech}@tbtl.com, awroscoe@gmail.com



# Challenge 2: Constant-time code































Overall execution time reveals correctness of individual password bytes!

# Building the side-channel oracle with execution timing?



# Building the side-channel oracle with execution timing?

**Too noisy:** modern x86 processors are lightning fast...



# Analogy: Studying galloping horse dynamics



https://en.wikipedia.org/wiki/Sallie\_Gardner\_at\_a\_Gallop


Copyright, 1878, by MUYBRIDGE.

MORSE'S Gallery, 417 Montgomery St., San Francisco.

THE HORSE IN MOTION.

Illustrated by MUYBRIDGE.

AUTOMATIC ELECTRO-PHOTOGRAPH.

"SALLE GARDNER," owned by LELAND STANFORD; running at a 1.40 gait over the Palo Alto track, 19th June, 1878.



https://github.com/jovanbulck/sgx-step

⊙ Unwatch → 27 ☆ Star 312 양 Fork 63













#### Demo: Building a deterministic password oracle with SGX-Step

```
[idt.c] DTR.base=0xfffffe000000000/size=4095 (256 entries)
[idt.c] established user space IDT mapping at 0x7f7ff8e9a000
[idt.c] installed asm IRO handler at 10:0x56312d19b000
[idt.c] IDT[ 45] @0x7f7ff8e9a2d0 = 0x56312d19b000 (seg sel 0x10): p=1: dpl=3: type=14: ist=0
[file.c] reading buffer from '/dev/cpu/1/msr' (size=8)
[apic.c] established local memory mapping for APIC BASE=0xfee00000 at 0x7f7ff8e99000
[apic.c] APIC ID=2000000: LVTT=400ec: TDCR=0
[apic.c] APIC timer one-shot mode with division 2 (lvtt=2d/tdcr=0)
[main.c] recovering password length
[attacker] steps=15: guess='******
[attacker] found pwd len = 6
[main.c] recovering password bytes
                          [attacker] steps=35; guess='SECRET' --> SUCCESS
[apic.c] Restored APIC LVTT=400ec/TDCR=0)
[file.c] writing buffer to '/dev/cpu/1/msr' (size=8)
```

[main.c] all done; counted 2260/2183 IRQs (AEP/IDT)
jo@breuer:~/sgx-step-demo\$

# **ALL YOUR PASSWORDS**

# ARE BELONG TO US

makeameme.org

|     |                     |                     | APIC |            | PTE        |            |     | Desc       |            |    |   |
|-----|---------------------|---------------------|------|------------|------------|------------|-----|------------|------------|----|---|
| Yr  | Attack              | Temporal resolution | IRO  | ·181       | #PF        | A/D        | PPN | GDT        | ID1        | Dr | v |
| '15 | Ctrl channel        | ~ Page              | 0    | 0          | ٠          | $^{\circ}$ | 0   | 0          | ٠          | 1  |   |
| '16 | AsyncShock          | ~ Page              | 0    | $^{\circ}$ | ٠          | 0          | 0   | $^{\circ}$ | 0          | -  | ۵ |
| '17 | CacheZoom           | <mark>≯</mark> > 1  | ٠    | 0          | 0          | $^{\circ}$ | 0   | 0          | 0          | 1  | ۵ |
| '17 | Hahnel et al.       | <b>×</b> 0 − > 1    | ٠    | $^{\circ}$ | $^{\circ}$ | $^{\circ}$ | 0   | 0          | ٠          | 1  |   |
| '17 | BranchShadow        | 🗡 5 - 50            | ٠    | $^{\circ}$ | $^{\circ}$ | $^{\circ}$ | 0   | 0          | $^{\circ}$ | X  | ۵ |
| '17 | Stealthy PTE        | ~ Page              | 0    | ٠          | $^{\circ}$ | ٠          | 0   | $^{\circ}$ | ٠          | 1  | ۵ |
| '17 | DarkROP             | ~ Page              | 0    | $^{\circ}$ | •          | $^{\circ}$ | 0   | 0          | $^{\circ}$ | 1  | ۵ |
| '17 | SGX-Step            | ✓ 0 - 1             | ٠    | 0          | ٠          | ٠          | 0   | 0          | 0          | 1. |   |
| '18 | Off-limits          | ✓ 0 - 1             | ۲    | $^{\circ}$ | ٠          | 0          | 0   | ٠          | 0          | 1  | đ |
| '18 | $Single-trace\;RSA$ | ~ Page              | 0    | 0          | ٠          | 0          | 0   | 0          | 0          | 1  |   |
| '18 | Foreshadow          | ✓ 0 - 1             | ٠    | 0          | ٠          | 0          | •   | 0          | 0          | 1. | đ |
| '18 | SgxPectre           | ~ Page              | 0    | 0          | ٠          | 0          | 0   | 0          | 0          | 1  | ۵ |
| '18 | CacheQuote          | <b>X</b> > 1        | ٠    | 0          | $^{\circ}$ | 0          | 0   | 0          | 0          | 1  | ۵ |
| '18 | SGXlinger           | <mark>≯</mark> > 1  | ٠    | 0          | 0          | $^{\circ}$ | 0   | 0          | $^{\circ}$ | X  | ۵ |
| '18 | Nemesis             | ✓ 1                 | ٠    | 0          | ٠          | ٠          | 0   | 0          | ٠          | 1. | đ |

|     |                  |                     | A          | APIC PTE   |     |            | Desc |         |            |           |
|-----|------------------|---------------------|------------|------------|-----|------------|------|---------|------------|-----------|
| Yr  | Attack           | Temporal resolution | 1RO        | 'P1        | #PF | A/D        | PPN  | GDT     | IDT        | Drv       |
| '19 | Spoiler          | ✓ 1                 | ٠          | 0          | 0   | ٠          | 0    | 0       | ٠          | 1-15      |
| '19 | ZombieLoad       | ✓ 0 - 1             | ٠          | 0          | •   | ٠          | 0    | 0       | ٠          | 1-5       |
| '19 | Tale of 2 worlds | ✓ 1                 | ٠          | 0          | •   | ٠          | 0    | 0       | ٠          | 1-5       |
| '19 | MicroScope       | ~ 0 - Page          | 0          | $^{\circ}$ | ٠   | $^{\circ}$ | 0    | 0       | 0          | × \Lambda |
| '20 | Bluethunder      | ✓ 1                 | ٠          | $\bigcirc$ | 0   | $\bigcirc$ | 0    | 0       | ٠          | 1-5       |
| '20 | Big troubles     | ~ Page              | $^{\circ}$ | 0          | ٠   | $\bigcirc$ | 0    | $\circ$ | $^{\circ}$ | 1-5       |
| '20 | Viral primitive  | ✓ 1                 | ٠          | $\circ$    | ٠   | ٠          | 0    | $\circ$ | ٠          | 1-5       |
| '20 | CopyCat          | ✓ 1                 | ٠          | $\circ$    | ٠   | ٠          | 0    | $\circ$ | ٠          | 1-5       |
| '20 | LVI              | ✓ 1                 | ٠          | 0          | ٠   | ٠          | •    | 0       | ٠          | 1-5       |
| '20 | A to Z           | ~ Page              | 0          | 0          | ٠   | $\bigcirc$ | 0    | 0       | $^{\circ}$ | 1-5       |
| '20 | Frontal          | ✓ 1                 | ٠          | 0          | ٠   | ٠          | 0    | 0       | ٠          | 1-1       |
| '20 | CrossTalk        | ✓ 1                 | ٠          | 0          | ٠   | 0          | 0    | 0       | ٠          | 1-1       |
| '20 | Online template  | ~ Page              | 0          | 0          | ٠   | 0          | 0    | 0       | 0          | 1-1       |
| '20 | Déjà Vu NSS      | ~ Page              | 0          | 0          | ٠   | 0          | 0    | 0       | 0          | 1-1       |

#### Elementary CPU behavior: Stored program computer



#### Back to basics: Fetch-decode-execute

Interrupts: Asynchronous events, handled on instruction retirement



#### Back to basics: Fetch-decode-execute

Timing leak: IRQ response time depends on current instruction(!)



#### Wait a cycle: Interrupt latency as a side channel



# **TIMING LEAKS**

EVERYWHERE

imgflip.com

### Nemesis attack: Inferring key strokes from Sancus enclaves



#### Enclave x-ray: Start-to-end trace enclaved execution

### Nemesis attack: Inferring key strokes from Sancus enclaves



#### Enclave x-ray: Keymap bit traversal (ground truth)

#### Nemesis attack: Inferring key strokes from Sancus enclaves



#### Intel SGX microbenchmarks: Measuring x86 cache misses





Instruction (interrupt number)



Instruction (interrupt number)





Instruction (interrupt number)

### De-anonymizing SGX enclave lookups with interrupt latency

Adversary: Infer secret lookup in known sequence (e.g., DNA)



### De-anonymizing SGX enclave lookups with interrupt latency



### De-anonymizing SGX enclave lookups with interrupt latency



#### Nemesis hardware defense: Padding interrupt latency



• Busi et al. "Provably Secure Isolation for Interruptible Enclaved Execution on Small Microprocessors", CSF 2020.

#### Nemesis software defenses: Balancing vulnerable branches



- Busi et al. "Provably Secure Isolation for Interruptible Enclaved Execution on Small Microprocessors", CSF 2020.
- Winderix et al. "Compiler-Assisted Hardening of Embedded Software Against Interrupt Latency Side-Channel Attacks", EuroS&P 2021.
- Pouyanrad et al. "SCFMSP: Static detection of side channels in MSP430 programs", ARES 2020.
- Salehi et al. "NemesisGuard: Mitigating interrupt latency side channel attacks with static binary rewriting", Computer Networks 2022.



## Challenge 3: Fencing transient loads

#### 2018-2019: Leaking microarchitectural data buffers (Meltdown & friends)



Van Bulck et al. "Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution", USENIX 2018.

### 2020: Load Value Injection (LVI): The basic idea



Van Bulck et al. "LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection", S&P 2020.



#### Mitigating LVI: Fencing vulnerable load instructions



### Mitigating LVI: Fencing vulnerable load instructions



## Mitigating LVI: Compiler and assembler support



-mlfence-after-load



-mlvi-hardening



-Qspectre-load

#### <mark>GNU Assembler</mark> Adds New Options For Mitigating Load Value Injection Attack

Written by Michael Larabel in GNU on 11 March 2020 at 02:55 PM EDT. 14 Comments

#### LLVM Lands <mark>Performance-Hitting Mitigation</mark> For Intel LVI Vulnerability

Written by Michael Larabel in Software on 3 April 2020. Page 1 of 3. 20 Comments

# More Spectre Mitigations in MSVC

March 13th, 2020

#### Intel architectural enclaves: lfence counts

libsgx\_qe.signed.so



## 23 fences

October 2019—"surgical precision"
### Intel architectural enclaves: lfence counts

libsgx\_qe.signed.so



# 23 fences

October 2019—"surgical precision"

March 2020—"big hammer"



### <mark>GNU Assembler</mark> Adds New Options For Mitigating Load Value Injection Attack

Written by Michael Larabel in GNU on 11 March 2020 at 02:55 PM EDT. 14 Comments

#### The <mark>Brutal Performance Impact</mark> From Mitigating The LVI Vulnerability

Written by Michael Larabel in Software on 12 March 2020. Page 1 of 6. 76 Comments

#### LLVM Lands <mark>Performance-Hitting Mitigation</mark> For Intel LVI Vulnerability

Written by Michael Larabel in Software on 3 April 2020. Page 1 of 3. 20 Comments

#### Looking At The <mark>LVI Mitigation Impact</mark> On Intel Cascade Lake Refresh

Written by Michael Larabel in Software on 5 April 2020. Page 1 of 5. 10 Comments

### LVI-NULL compiler mitigation



Giner et al. "Repurposing Segmentation as a Practical LVI-NULL Mitigation in SGX", USENIX Security 2022.

## Conclusions and takeaway

- ⇒ **Trusted execution** environments (Intel SGX) ≠ perfect!
- $\Rightarrow$  Need for (compiler) **mitigations:**:
  - 1. ABI/API sanitization
  - 2. Side-channel hardening: constant-time (or balanced?) code
  - 3. Transient-execution semantics

