Practical Enclave Malware with Intel SGX
Modern CPU architectures offer strong isolation guarantees towards user applications in the form of enclaves. However, Intel’s threat model for SGX assumes fully trusted enclaves and there doubt about how realistic this is. In particular, it is unclear to what extent enclave malware could harm a sys...
Saved in:
| Published in | Detection of Intrusions and Malware, and Vulnerability Assessment Vol. 11543; pp. 177 - 196 |
|---|---|
| Main Authors | , , |
| Format | Book Chapter |
| Language | English |
| Published |
Switzerland
Springer International Publishing AG
2019
Springer International Publishing |
| Series | Lecture Notes in Computer Science |
| Subjects | |
| Online Access | Get full text |
| ISBN | 3030220370 9783030220372 |
| ISSN | 0302-9743 1611-3349 |
| DOI | 10.1007/978-3-030-22038-9_9 |
Cover
Loading…
| Abstract | Modern CPU architectures offer strong isolation guarantees towards user applications in the form of enclaves. However, Intel’s threat model for SGX assumes fully trusted enclaves and there doubt about how realistic this is. In particular, it is unclear to what extent enclave malware could harm a system. In this work, we practically demonstrate the first enclave malware which fully and stealthily impersonates its host application. Together with poorly-deployed application isolation on personal computers, such malware can not only steal or encrypt documents for extortion but also act on the user’s behalf, e.g., send phishing emails or mount denial-of-service attacks. Our SGX-ROP attack uses new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code-reuse attack from within an enclave which is then inadvertently executed by the host application. With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer. We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits. With our results, we demystify the enclave malware threat and lay ground for future research on defenses against enclave malware. |
|---|---|
| AbstractList | Modern CPU architectures offer strong isolation guarantees towards user applications in the form of enclaves. However, Intel’s threat model for SGX assumes fully trusted enclaves and there doubt about how realistic this is. In particular, it is unclear to what extent enclave malware could harm a system. In this work, we practically demonstrate the first enclave malware which fully and stealthily impersonates its host application. Together with poorly-deployed application isolation on personal computers, such malware can not only steal or encrypt documents for extortion but also act on the user’s behalf, e.g., send phishing emails or mount denial-of-service attacks. Our SGX-ROP attack uses new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code-reuse attack from within an enclave which is then inadvertently executed by the host application. With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer. We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits. With our results, we demystify the enclave malware threat and lay ground for future research on defenses against enclave malware. |
| Author | Weiser, Samuel Schwarz, Michael Gruss, Daniel |
| Author_xml | – sequence: 1 givenname: Michael surname: Schwarz fullname: Schwarz, Michael email: michael.schwarz@iaik.tugraz.at organization: Graz University of Technology, Graz, Austria – sequence: 2 givenname: Samuel surname: Weiser fullname: Weiser, Samuel organization: Graz University of Technology, Graz, Austria – sequence: 3 givenname: Daniel surname: Gruss fullname: Gruss, Daniel organization: Graz University of Technology, Graz, Austria |
| BookMark | eNpFkE1PwzAMhgMMxDb2C7j0yCXgfLRxjmgaY9IQSIDELUobdxtU7Wg79vdpNyQOlv3afi35GbFBWZXE2LWAWwFg7qxBrjgo4FKCQm6dPWEj1TUO2p6yoUiE4Eppe_Y_MDBgw77m1mh1wUZCgJEqTkBfsknTfAL0e2hRD9nNS-2zdpP5IpqVWeF_KHryxd7XFO037TpalC0V0ev844qd575oaPKXx-z9YfY2feTL5_lier_kK4mi5VYHnVEOaSwRU0tJCFoZ9EkwIREBUzAUQqxIm2BTG1KUGtM4Rp-LADmpMRPHu8223pQrql1aVV-NE-B6KK6D4pTr3nMHCK6D0nn00bOtq-8dNa2j3pRR2da-yNZ-21LduNhKgVY6gXEXqH4BropgnQ |
| ContentType | Book Chapter |
| Copyright | Springer Nature Switzerland AG 2019 |
| Copyright_xml | – notice: Springer Nature Switzerland AG 2019 |
| DBID | FFUUA |
| DEWEY | 353.00722000000002 |
| DOI | 10.1007/978-3-030-22038-9_9 |
| DatabaseName | ProQuest Ebook Central - Book Chapters - Demo use only |
| DatabaseTitleList | |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Government Computer Science |
| EISBN | 3030220389 9783030220389 |
| EISSN | 1611-3349 |
| Editor | Perdisci, Roberto Almgren, Magnus Giacinto, Giorgio Maurice, Clémentine |
| Editor_xml | – sequence: 1 fullname: Giacinto, Giorgio – sequence: 2 fullname: Perdisci, Roberto – sequence: 3 fullname: Almgren, Magnus – sequence: 4 fullname: Maurice, Clémentine |
| EndPage | 196 |
| ExternalDocumentID | EBC5921892_185_188 |
| GroupedDBID | 38. AABBV AEDXK AEJLV AEKFX AIFIR ALEXF ALMA_UNASSIGNED_HOLDINGS AYMPB BBABE CXBFT CZZ EXGDT FCSXQ FFUUA I4C IEZ MGZZY NSQWD OORQV SBO TPJZQ TSXQS Z7R Z7S Z7U Z7X Z7Y Z7Z Z81 Z83 Z84 Z85 Z88 -DT -GH -~X 1SB 29L 2HA 2HV 5QI 875 AASHB ABMNI ACGFS ADCXD AEFIE EJD F5P FEDTE HVGLF LAS LDH P2P RIG RNI RSU SVGTG VI1 ~02 |
| ID | FETCH-LOGICAL-g281t-94d4cef0b5288b9e6dd4378a6d7d61d8b07edd53e47d9b9db8248b558af1d0fe3 |
| ISBN | 3030220370 9783030220372 |
| ISSN | 0302-9743 |
| IngestDate | Tue Jul 29 20:10:58 EDT 2025 Fri Apr 04 22:39:50 EDT 2025 |
| IsPeerReviewed | true |
| IsScholarly | true |
| LCCallNum | QA76.9.A25 |
| Language | English |
| LinkModel | OpenURL |
| MergedId | FETCHMERGED-LOGICAL-g281t-94d4cef0b5288b9e6dd4378a6d7d61d8b07edd53e47d9b9db8248b558af1d0fe3 |
| OCLC | 1107235604 |
| PQID | EBC5921892_185_188 |
| PageCount | 20 |
| ParticipantIDs | springer_books_10_1007_978_3_030_22038_9_9 proquest_ebookcentralchapters_5921892_185_188 |
| PublicationCentury | 2000 |
| PublicationDate | 2019 |
| PublicationDateYYYYMMDD | 2019-01-01 |
| PublicationDate_xml | – year: 2019 text: 2019 |
| PublicationDecade | 2010 |
| PublicationPlace | Switzerland |
| PublicationPlace_xml | – name: Switzerland – name: Cham |
| PublicationSeriesSubtitle | Security and Cryptology |
| PublicationSeriesTitle | Lecture Notes in Computer Science |
| PublicationSeriesTitleAlternate | Lect.Notes Computer |
| PublicationSubtitle | 16th International Conference, DIMVA 2019, Gothenburg, Sweden, June 19-20, 2019, Proceedings |
| PublicationTitle | Detection of Intrusions and Malware, and Vulnerability Assessment |
| PublicationYear | 2019 |
| Publisher | Springer International Publishing AG Springer International Publishing |
| Publisher_xml | – name: Springer International Publishing AG – name: Springer International Publishing |
| RelatedPersons | Kleinberg, Jon M. Hartmanis, Juris Mattern, Friedemann Goos, Gerhard Steffen, Bernhard Kittler, Josef Naor, Moni Mitchell, John C. Terzopoulos, Demetri Pandu Rangan, C. Kanade, Takeo Hutchison, David Tygar, Doug |
| RelatedPersons_xml | – sequence: 1 givenname: David surname: Hutchison fullname: Hutchison, David organization: Lancaster University, Lancaster, UK – sequence: 2 givenname: Takeo surname: Kanade fullname: Kanade, Takeo organization: Carnegie Mellon University, Pittsburgh, USA – sequence: 3 givenname: Josef surname: Kittler fullname: Kittler, Josef organization: University of Surrey, Guildford, UK – sequence: 4 givenname: Jon M. surname: Kleinberg fullname: Kleinberg, Jon M. organization: Cornell University, Ithaca, USA – sequence: 5 givenname: Friedemann surname: Mattern fullname: Mattern, Friedemann organization: ETH Zurich, Zurich, Switzerland – sequence: 6 givenname: John C. surname: Mitchell fullname: Mitchell, John C. organization: Stanford University, Stanford, USA – sequence: 7 givenname: Moni surname: Naor fullname: Naor, Moni organization: Weizmann Institute of Science, Rehovot, Israel – sequence: 8 givenname: C. surname: Pandu Rangan fullname: Pandu Rangan, C. organization: Indian Institute of Technology Madras, Chennai, India – sequence: 9 givenname: Bernhard surname: Steffen fullname: Steffen, Bernhard organization: TU Dortmund University, Dortmund, Germany – sequence: 10 givenname: Demetri surname: Terzopoulos fullname: Terzopoulos, Demetri organization: University of California, Los Angeles, USA – sequence: 11 givenname: Doug surname: Tygar fullname: Tygar, Doug organization: University of California, Berkeley, USA – sequence: 12 givenname: Gerhard surname: Goos fullname: Goos, Gerhard organization: Karlsruhe, Germany – sequence: 13 givenname: Juris surname: Hartmanis fullname: Hartmanis, Juris organization: Ithaca, USA |
| SSID | ssj0002208984 ssj0002792 |
| Score | 2.3523476 |
| Snippet | Modern CPU architectures offer strong isolation guarantees towards user applications in the form of enclaves. However, Intel’s threat model for SGX assumes... |
| SourceID | springer proquest |
| SourceType | Publisher |
| StartPage | 177 |
| SubjectTerms | Intel SGX Malware Trusted execution environments |
| Title | Practical Enclave Malware with Intel SGX |
| URI | http://ebookcentral.proquest.com/lib/SITE_ID/reader.action?docID=5921892&ppg=188 http://link.springer.com/10.1007/978-3-030-22038-9_9 |
| Volume | 11543 |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwnV1Lb9QwELa2ywVx4C3KSzlwQKyCko2d2AcOFVpaqtILbbU3K34EDkt62KwQvfDXmfEjyQYu5ZAo67Viez5nPB7Pg5A3lSm0qblJKUjfKTWMpgoEcfiuQDyG5Q9mAW4Uv5yXJ5f0dM3Ws9nvkdXSrlPv9c0__Ur-B1UoA1zRS_YWyPYvhQJ4BnzhDgjDfSL87qtZvS2L7ayO8t7nFp0nnFGbt5zY_Ky9dhl_Xu02GFza2cH-Whz1wTiHU5jvUP1makbvDmwwV7NXHf_YDeXH0Np2cFEfTzwfAQmhX7V645Mbud54na_zW1l8PV57foZxlrcfzsJJxvl15wzEFjHZROQ9Y-UE-kPtKSeicnKi3hw0bHu7WVhN0e-3qMYKTyhKYc_jmaD1TLrE0IuFD3UaGG8eksH4NTz3WXL_Wh7GFiHw5hRbA34vxQE5qDibkztHq9Ozq15JB_9zgY68YWnHaIv-WMp3Cp2FYqdDALFhEH2MKx_GeNLi3o5mcgjvZJuLB-Qe-rsk6IgC1HtIZrZ9RO5HAJIAwGPytgc2CcAmAdgEgU0csAkA-4RcflpdfDxJQ56N9NuS510qqKHaNpliS86VsKUxtKh4XZrKlLnhKqusMaywtDJCCaP4knLFGK-b3GSNLZ6SeXvd2mckEVrRvOGGNULTWmslmqzUpc5qA9w-qw9JGkctnTVAMEHWfoxbyQTInGIpQYyEix-Sd5E0EqtvZQyzDSSVhQSSSkdSCSR9fpvKL8jdYcK-JHP4Su0rkC879TrMgj9GlXHb |
| linkProvider | Library Specific Holdings |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.title=Detection+of+Intrusions+and+Malware%2C+and+Vulnerability+Assessment&rft.au=Schwarz%2C+Michael&rft.au=Weiser%2C+Samuel&rft.au=Gruss%2C+Daniel&rft.atitle=Practical+Enclave+Malware+with+Intel+SGX&rft.series=Lecture+Notes+in+Computer+Science&rft.date=2019-01-01&rft.pub=Springer+International+Publishing&rft.isbn=9783030220372&rft.issn=0302-9743&rft.eissn=1611-3349&rft.spage=177&rft.epage=196&rft_id=info:doi/10.1007%2F978-3-030-22038-9_9 |
| thumbnail_s | http://utb.summon.serialssolutions.com/2.0.0/image/custom?url=https%3A%2F%2Febookcentral.proquest.com%2Fcovers%2F5921892-l.jpg |