{"595152":{"#nid":"595152","#data":{"type":"news","title":"Georgia Tech Researchers Show SGX Isn\u2019t as Secure as It Seems  ","body":[{"value":"\u003Cp\u003EWhen Intel introduced \u003Ca href=\u0022https:\/\/software.intel.com\/en-us\/sgx\u0022\u003ESoftware Guard Extension\u003C\/a\u003E (SGX), cloud developers could breathe easy knowing their code was protected from malicious operating systems (OS) thanks to a hardware-protected enclave. But SGX is more vulnerable to attack than it initially appeared, according to Georgia Institute of Technology researchers, who discovered a new side-channel attack called branch shadowing.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;A lot of people consider SGX the most promising secure cloud environment, but this research demonstrates a pitfall,\u0026rdquo; said Assistant Professor \u003Ca href=\u0022https:\/\/taesoo.gtisc.gatech.edu\/\u0022\u003E\u003Cstrong\u003ETaesoo Kim\u003C\/strong\u003E\u003C\/a\u003E, one of the six researchers. \u0026ldquo;This vulnerability allows an attacker to exploit the behavior of SGX and get confidential information.\u0026rdquo;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EWhat makes SGX so secure is also its biggest vulnerability: the enclave. SGX creates a trusted execution environment for secure data by isolating and encrypting all of its sensitive memory contents in an enclave. What Tech researchers discovered, however, was that SGX does not clear branch history when switching to enclave mode. This leaves fine-grained traces of past data for anyone to observe, creating a branch-prediction side channel that could be exploited by an attacker.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EFor the most part, developers have not worried about this possible exploit because of the relative difficulty of this type of attack. 
However, using two new techniques, Tech researchers are now able to take advantage of the vulnerability.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe team has developed a history-inferring technique and an advanced programmable interrupt controller to control the execution of the enclave down to the smallest granularity. These two techniques create a new branch-prediction side-channel attack, branch shadowing.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;This new attack can identify each branch instruction\u0026rsquo;s execution history, the most fine-grained attack found so far,\u0026rdquo; lead researcher \u003Ca href=\u0022https:\/\/www.cc.gatech.edu\/~slee3036\/\u0022\u003E\u003Cstrong\u003ESangho Lee\u003C\/strong\u003E\u003C\/a\u003E, a Georgia Tech postdoctoral fellow, said. Essentially, any attacker using branch shadowing can find past data because traces remain in the system.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe implications of this could be detrimental for security if the cloud is used to store financial or health data. This is why the Tech researchers also proposed potential software and hardware solutions. One countermeasure against this type of attack is flushing the branches generated in the enclave by modifying the code.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EHowever, changing code can be arduous and time-consuming, so they created a software-based countermeasure called Zigzagger that could be used more easily in the short term. Zigzagger turns a set of branch instructions into one indirect branch, which makes it harder to infer data in this branch.\u003C\/p\u003E\r\n\r\n\u003Cp\u003ELee believes their findings also have larger implications for the security industry. Hardware vendors should provide hardware dedicated to trusted execution environments to avoid any resource overlap, like branches, an attacker could take advantage of. He also recommends that software developers write their code carefully when developing private data software. 
In the meantime, the researchers also reported their findings to Intel and are working with them to mitigate this vulnerability.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;Memory isolation is not enough because trusted and untrusted applications still share many processor-internal hardware components,\u0026rdquo; Lee said.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EA paper titled \u003Ca href=\u0022https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/lee-sangho\u0022\u003E\u003Cem\u003EInferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing\u003C\/em\u003E\u003C\/a\u003E details this research and was presented at \u003Ca href=\u0022https:\/\/www.usenix.org\/conference\/usenixsecurity17\u0022\u003EUsenix\u003C\/a\u003E, the annual Advanced Computing Systems Association conference, in Vancouver, Canada, earlier this month. It was one of \u003Ca href=\u0022http:\/\/iisp.gatech.edu\/usenix-security-2017\u0022\u003Eseven\u003C\/a\u003E papers from Georgia Tech researchers.\u003C\/p\u003E\r\n","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":"","field_summary_sentence":[{"value":"Intel\u0027s promising cloud security platform is vulnerable."}],"uid":"34541","created_gmt":"2017-08-28 19:43:01","changed_gmt":"2017-08-28 20:08:56","author":"Tess Malone","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2017-08-28T00:00:00-04:00","iso_date":"2017-08-28T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"595154":{"id":"595154","type":"image","title":"branchshadowing","body":null,"created":"1503950200","gmt_created":"2017-08-28 19:56:40","changed":"1503950200","gmt_changed":"2017-08-28
19:56:40","alt":"","file":{"fid":"226817","name":"5368231186_cc88296264_b.jpg","image_path":"\/sites\/default\/files\/images\/5368231186_cc88296264_b.jpg","image_full_path":"http:\/\/www.tlwarc.hg.gatech.edu\/\/sites\/default\/files\/images\/5368231186_cc88296264_b.jpg","mime":"image\/jpeg","size":713031,"path_740":"http:\/\/www.tlwarc.hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/5368231186_cc88296264_b.jpg?itok=NC2OYAll"}}},"media_ids":["595154"],"groups":[{"id":"47223","name":"College of Computing"},{"id":"50875","name":"School of Computer Science"}],"categories":[],"keywords":[],"core_research_areas":[{"id":"145171","name":"Cybersecurity"}],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003ETess Malone, Communications Officer I\u003C\/p\u003E\r\n","format":"limited_html"}],"email":["tess.malone@cc.gatech.edu"],"slides":[],"orientation":[],"userdata":""}}}