Attack on Intel SGX to extract sensitive data or execute code in an enclave

Researchers from the Defense Science and Technology University of the People's Liberation Army of China, the National University of Singapore and ETH Zurich have developed a new method of attacking isolated Intel SGX (Software Guard eXtensions) enclaves. The attack is called SmashEx and is caused by reentrancy problems in exception handling in the runtime components for Intel SGX. Given control over the operating system, the attack makes it possible to determine confidential data located in the enclave, or to copy one's own code into the enclave's memory and execute it.

Exploit prototypes have been prepared for enclaves with runtimes based on the Intel SGX SDK (CVE-2021-0186) and Microsoft Open Enclave (CVE-2021-33767). In the first case, the ability to extract the RSA key used on the web server for HTTPS was demonstrated, and in the second, it was possible to determine the content obtained by the cURL utility running inside the enclave. The vulnerability has already been fixed in software in the Intel SGX SDK 2.13 and Open Enclave 0.17.1 releases. In addition to the Intel SGX SDK and Microsoft Open Enclave, the vulnerability also appears in the Google Asylo SDK, EdgelessRT, Apache Teaclave, Rust SGX SDK, SGX-LKL, CoSMIX, and Veracruz.

Recall that SGX (Software Guard Extensions) technology appeared in the sixth generation Intel Core processors (Skylake) and offers a series of instructions that allow user-level applications to allocate closed memory areas, called enclaves, whose contents cannot be read or changed even by the kernel or by code executing in ring0, SMM and VMM modes. Control cannot be transferred to code in the enclave using traditional jump functions or manipulation of registers and the stack. Instead, the specially created instructions EENTER, EEXIT and ERESUME, which perform authorization checks, are used to transfer control to the enclave. Code placed in the enclave can use the classic call methods to call functions inside the enclave and a special instruction to call external functions. Enclave memory encryption is used to protect against hardware attacks such as connecting to the DRAM.

The problem is that SGX technology allows the operating system to interrupt the execution of the enclave by throwing a hardware exception, and enclaves do not properly implement primitives for atomically handling such exceptions. Unlike the operating system kernel and normal applications, the code inside enclaves does not have access to primitives for organizing atomic actions during the handling of asynchronously raised exceptions. Without the specified atomic primitives, the enclave can be interrupted and returned to execution at any time, even at times when critical sections are executing in the enclave and it is in an unsafe state (for example, when CPU registers are not saved/restored).

For normal operation, SGX technology allows the execution of the enclave to be interrupted by configurable hardware exceptions. This feature allows enclave runtimes to implement intra-enclave exception handling or signal handling, but it can also introduce reentrancy errors. The SmashEx attack exploits flaws in the SDK because of which a repeated call of the exception handler is not handled properly. Importantly, in order to exploit the vulnerability, the attacker must be able to interrupt the execution of the enclave, i.e. must control the operation of the system environment.

After throwing an exception, the attacker gets a small time window during which it is possible to intercept the flow of execution by manipulating the input parameters. In particular, with access to the system (the environment outside the enclave), it is possible to raise a new exception immediately after the instruction to enter the enclave (EENTER) is executed, which returns control to the system at a stage when the setup of the enclave stack, in which, among other things, the state of the CPU registers is saved, has not yet been completed.

The system can then return control back to the enclave, but since the enclave stack was not set up at the time of the interrupt, the enclave will execute with the stack residing in system memory, which can be used to apply Return-Oriented Programming (ROP) techniques. When using the ROP technique, the attacker does not try to place his code in memory, but operates on the pieces of machine instructions already available in the loaded libraries, ending with a control return instruction (as a rule, these are the endings of library functions). The operation of the exploit comes down to building a chain of calls to such blocks (“gadgets”) to obtain the desired functionality.
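
The unsafe state described above, modelled as an added example (not code from the article, the researchers or any SGX SDK): a handler entry check that refuses to build its exception frame when the saved stack pointer lies outside the enclave's trusted stack, or when the handler is already running. The struct, the function names and all addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of one enclave thread; names and addresses are constructed. */
typedef struct {
    uint64_t stack_limit;  /* lowest address of the trusted stack */
    uint64_t stack_base;   /* highest address; the stack grows down */
    uint64_t saved_rsp;    /* RSP recorded when the enclave was interrupted */
    int in_handler;        /* set while an exception is being handled */
} enclave_thread;

enum { ENTRY_OK = 0, ERR_REENTERED = -1, ERR_UNTRUSTED_STACK = -2 };

/* Overflow-safe check that [rsp - need, rsp) lies inside the trusted stack. */
static int frame_fits(const enclave_thread *t, uint64_t rsp, uint64_t need)
{
    if (rsp > t->stack_base || rsp < t->stack_limit)
        return 0;
    return rsp - t->stack_limit >= need;
}

/* Choose where the exception frame goes, rejecting unsafe states. */
int handler_entry(enclave_thread *t, uint64_t frame_size, uint64_t *frame)
{
    if (t->in_handler)
        return ERR_REENTERED;          /* interrupted mid-handler: not reentrant */
    if (!frame_fits(t, t->saved_rsp, frame_size))
        return ERR_UNTRUSTED_STACK;    /* RSP was never switched to enclave memory */
    t->in_handler = 1;
    *frame = t->saved_rsp - frame_size;
    return ENTRY_OK;
}

/* Constructed scenario: one thread with a 64 KiB trusted stack. */
int demo_entry(uint64_t saved_rsp, int already_in_handler)
{
    enclave_thread t = { 0x7f0000100000ULL, 0x7f0000110000ULL,
                         saved_rsp, already_in_handler };
    uint64_t frame = 0;
    return handler_entry(&t, 0x400, &frame);
}

int main(void)
{
    printf("trusted rsp:   %d\n", demo_entry(0x7f000010f000ULL, 0));
    printf("untrusted rsp: %d\n", demo_entry(0x00007ffd1000ULL, 0));
    printf("stack too low: %d\n", demo_entry(0x7f0000100100ULL, 0));
    printf("re-entered:    %d\n", demo_entry(0x7f000010f000ULL, 1));
    return 0;
}
```
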

Source: opennet.ru