

# On the Interplay between Attacks and New Defenses

The Story of SGX-Step and Transferable Insights for Other Architectures

Jo Van Bulck

Huawei - KU Leuven research collaboration workshop, Leuven, March 6, 2024

☆ DistriNet, KU Leuven, Belgium ☑ jo.vanbulck@cs.kuleuven.be ¥ jovanbulck



- Trusted computing across the system stack: hardware, compiler, OS, apps
- Integrated attack-defense perspective and open-source prototypes





Transient-execution attacks

Side-channel attacks

Sancus TEE processor



https://informationisbeautiful.net/visualizations/million-lines-of-code/

## The big picture: Reducing attack surface with enclaves





Traditional layered designs: Large trusted computing base

## The big picture: Reducing attack surface with enclaves



**Intel SGX** promise: Hardware-level **isolation and attestation** 

## The rise of trusted execution environments

(intel)



|     | ١. |    |
|-----|----|----|
| - N |    |    |
|     |    |    |
| _   |    | 1  |
|     |    |    |
|     | -  |    |
| _   | -  |    |
|     |    |    |
| Ξ   | E  | EN |

- 2004: ARM TrustZone
- 2015: Intel Software Guard Extensions (SGX)
- 2016: AMD Secure Encrypted Virtualization (SEV)
- 2017: AMD SEV with Encrypted State (SEV-ES)
- 2018: IBM Protected Execution Facility (PEF)
- 2020: AMD SEV with Secure Nested Paging (SEV-SNP)
- 2022: Intel Trust Domain Extensions (TDX)





## Trusted execution environment types





## **Highlight #1: Impact on Attacks**

## Vulnerable platforms: Intel Software Guard Extensions (SGX)



## Software interface attacks (part 1)



SGX not immune to interface sanitization oversights in enclave software

## Privileged side-channel attacks (part 2)



Privileged side channels to spy on enclave-CPU interaction metadata

## Transient-execution attacks (part 3)



Transient-execution data extraction from CPU to break enclave confidentiality



## Research agenda: Understanding privileged attack surface



- 1. Which novel privileged attacks exist?
  - $\rightarrow$  Uncover previously unknown attack avenues
- 2. How well can they be exploited in practice?
  - $\rightarrow\,$  Develop new techniques and practical attack frameworks
- 3. What can be leaked?
  - $\rightarrow$  Leak metadata and data

## TEE attack research leads the way ...



## TEE attack research leads the way ...



- Idealized execution environment for attack research
- **Generalizations:** e.g., Foreshadow-NG, branch prediction, address translation, etc.

## Challenge: Side-channel Sampling Rate



Slow shutter speed Medium shutter speed Fast shutter speed

CC-BY-SA Nevit Dilmen

### SGX-Step: Executing enclaves one instruction at a time



## SGX-Step: Executing Enclaves one Instruction at a Time



D Van Bulck et al., "SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control", SysTEX 2017.

## SGX-Step: Executing Enclaves one Instruction at a Time



D Van Bulck et al., "SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control", SysTEX 2017.

## A Retrospective of 5 Years of SGX-Step Development



#### https://github.com/jovanbulck/sgx-step

⊙ Unwatch 27 - 양 Fork 82 - ☆ Star 402 -

- Became **de-facto standard** for interrupt-driven attacks
- Actively maintained & supported
- Widely recognized:
  - > 400 GitHub stars
  - > 215 academic citations
- Marked influence on both attacks
   & defenses on SGX and beyond

## SGX-Step: Enabling a New Line of High-Resolution Attacks

|    | Venue   | Paper                                   | Step              | Use Case               | Drv       | Yr  | Venue  | Paper                                   | Step            | Use Case             |
|----|---------|-----------------------------------------|-------------------|------------------------|-----------|-----|--------|-----------------------------------------|-----------------|----------------------|
| 15 | S&P     | Ctrl channel [XCP15]                    | ~ Page            | Probe (page fault)     | / 4       | '20 | CHES   | A to Z [AGB20]                          | ~ Page          | Probe (page fault)   |
| 16 | ESORICS | AsyncShock [WKPK16]                     | ~ Page            | Exploit (mem safety)   | - \Lambda | '20 | CCS    | Déjà Vu NSS [uHGDL <sup>+</sup> 20]     | ~ Page          | Probe (page fault)   |
| 17 | CHES    | CacheZoom [MIE17]                       | <mark>≯</mark> >1 | Probe (L1 cache)       | ∠ ∆       | '20 | MICRO  | PTHammer [ZCL <sup>+</sup> 20]          | _               | Probe (page walk)    |
| 17 | ATC     | Hahnel et al. [HCP17]                   | <b>×</b> 0 - >1   | Probe (L1 cache)       | 1         | '21 | USENIX | Frontal [PSHC21]                        | ✓1              | Probe (IRQ latency)  |
| 17 | USENIX  | BranchShadow [LSG <sup>+</sup> 17]      | 🗡 5 - 50          | Probe (BPU)            | × \Lambda | '21 | S&P    | CrossTalk [RMR <sup>+</sup> 21]         | ✓ 1             | Probe (transient exe |
| 17 | USENIX  | Stealthy PTE [VBWK <sup>+</sup> 17]     | ~ Page            | Probe (page table)     | ∠ ∆       |     | CHES   | Online template [AB21]                  | 1               | Probe (IRQ count)    |
|    | USENIX  | DarkROP [LJJ <sup>+</sup> 17]           | ~ Page            | Exploit (mem safety)   | ✓ ∆       | '21 | NDSS   | SpeechMiner [XZT20]                     | _               | Framework            |
|    | SysTEX  | SGX-Step [VBPS17]                       | ✓ 0 - 1           | Framework              | 1-15      | '21 | S&P    | Platypus [LKO <sup>+</sup> 21]          | <b>√</b> 0 - 1  | Probe (voltage)      |
|    | ESSoS   | Off-limits [GVBPS18]                    | ✓ 0 - 1           | Probe (segmentation)   | 1-1       | '21 | DIMVA  | Aion [HXCL21]                           | ✓ 1             | Probe (cache)        |
|    | AsiaCCS | Single-trace RSA [WSB18]                | ~ Page            | Probe (page fault)     | 1-0       | '21 | CCS    | SmashEx [CYS <sup>+</sup> 21]           | ✓ 1             | Exploit (mem safety  |
|    | USENIX  | Foreshadow [VBMW <sup>+</sup> 18]       | ✓ 0 - 1           | Probe (transient exec) |           |     | CCS    | Util::Lookup [SBWE21]                   | ✓ 1             | Probe (L3 cache)     |
|    | EuroS&P | SgxPectre [CCX <sup>+</sup> 19]         | ~ Page            | Exploit (transient)    | × &       |     | USENIX |                                         |                 | Framework            |
|    | CHES    | CacheQuote [DDME <sup>+</sup> 18]       | <mark>≯</mark> >1 | Probe (L1 cache)       | × &       |     | CT-RSA | 1 1 1 1 1 1 1                           | ✓ 1<br>✓ 1      | Probe (L3 cache)     |
|    | ICCD    | SGXlinger [HZDL18]                      | <b>X</b> >1       | Probe (IRQ latency)    | × &       | 100 | SEED   | Enclyzer [ZXTZ22]                       | -               | Framework            |
|    | CCS     | Nemesis [VBPS18]                        | ✓ 1               | Probe (IRQ latency)    | 1-11      | 100 |        | Self-monitoring [LBA22]                 | ~ Page          | Defense (detect)     |
|    | USENIX  | Spoiler [IMB <sup>+</sup> 19]           | ✓ 1               | Probe (IRQ latency)    | 1-11      |     |        | Robotic vehicles [LS22]                 | ✓ Fage ✓ 1 - >1 | ( /                  |
|    | CCS     | ZombieLoad [SLM <sup>+</sup> 19]        | ✓ 0 - 1           | Probe (transient exec) |           |     | ACSAC  | MoLE [LWM <sup>+</sup> 22]              |                 | Exploit (timestamp)  |
|    | CCS     | Fallout [CGG <sup>+</sup> 19]           | -                 | Probe (transient exec) | 1-1       |     |        |                                         | ✓ 1             | Defense (randomize)  |
|    | CCS     | Tale of 2 worlds [VBOM <sup>+</sup> 19] |                   | Exploit (mem safety)   | 1-#       |     |        | AEPIC [BKS <sup>+</sup> 22]             | ✓ 1             | Probe (I/O device)   |
|    | ISCA    | MicroScope [SYG <sup>+</sup> 19]        |                   |                        | × A       |     | arXiv  | Confidential code [PSL <sup>+</sup> 22] | ✓ 1<br>□        | Probe (IRQ latency)  |
|    | CHES    | Bluethunder [HMW <sup>+</sup> 20]       | ✓1                | Probe (BPU)            | 1-1       |     |        | FaultMorse [HZL <sup>+</sup> 23]        | ~ Page          | Probe (page fault)   |
|    | USENIX  | Big troubles [WSBS19]                   | ~ Page            | Probe (page fault)     | 1-11      |     | CHES   | HQC timing [HSC <sup>+</sup> 23]        | ✓ 1             | Probe (L3 cache)     |
|    | S&P     | Plundervolt [MOG <sup>+</sup> 20]       | -                 | Exploit (undervolt)    | 1-1       | 20  | ISCA   | Belong to us [YJF23]                    | ✓ 1             | Probe (BPU)          |
|    | CHES    | Viral primitive [AB20]                  | ✓ 1               | Probe (IRQ count)      | 1-1       | 20  |        | BunnyHop [ZTO <sup>+</sup> 23]          | ✓ 1             | Probe (BPU)          |
|    | USENIX  | CopyCat [MVBH <sup>+</sup> 20]          | ✓ 1               | Probe (IRQ count)      | 1-0       | 23  |        | DownFall [Mog23]                        | ✓ 0 - 1         | Probe (transient exe |
| 20 | S&P     | LVI [VBMS <sup>+</sup> 20]              | √1                | Exploit (transient)    | 1-5       | '23 | USENIX | AEX-Notify [CVBC <sup>+</sup> 23]       | ✓ 1             | Defense (prefetch)   |

## A Versatile Open-Source Attack Toolkit



## SGX-Step demo: Building a memcmp() Password Oracle

io@breuer:~/sgx-step-demo\$

```
[idt.c] DTR.base=0xfffffe0000000000/size=4095 (256 entries)
[idt.c] established user space IDT mapping at 0x7f7ff8e9a000
[idt.c] installed asm IRO handler at 10:0x56312d19b000
[idt.c] IDT[ 45] @0x7f7ff8e9a2d0 = 0x56312d19b000 (seg sel 0x10): p=1: dpl=3: type=14: ist=0
[file.c] reading buffer from '/dev/cpu/1/msr' (size=8)
[apic.c] established local memory mapping for APIC BASE=0xfee00000 at 0x7f7ff8e99000
[apic.c] APIC ID=2000000: LVTT=400ec: TDCR=0
[apic.c] APIC timer one-shot mode with division 2 (lvtt=2d/tdcr=0)
[main.c] recovering password length
[attacker] steps=15; guess='******'
[attacker] found pwd len = 6
[main.c] recovering password bytes
[attacker] steps=35: guess='SECRET' --> SUCCESS
[apic.c] Restored APIC LVTT=400ec/TDCR=0)
[file.c] writing buffer to '/dev/cpu/l/msr' (size=8)
[main.c] all done: counted 2260/2183 IROs (AEP/IDT)
```

## Nemesis: Extracting IRQ latency traces with SGX-Step



🗅 Van Bulck et al. "Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic", CCS 2018..

## Nemesis microbenchmarks: Measuring x86 operands



## Nemesis microbenchmarks: Measuring x86 cache misses



## Nemesis microbenchmarks: Measuring x86 data dependencies





## De-anonymizing enclave lookups with interrupt latency





## Highlight #2: Impact on Defenses

## Hardening Enclaves against Single-Stepping

## SGX-Step sets the bar for adequate side-channel defenses!

 $\rightarrow$  (e.g., LVI, compiler, static analysis, constant-time, etc.)

"ineffective if the attacker can single-step through the enclave using the recent SGX-Step framework. Taking into account these stronger attacker capabilities, we propose a new defense..." [HLLP18]

- SGX-Step inspired several dedicated hardware-software mitigations
  - → Collaboration with Intel on AEX-Notify: Innovative hardware-software co-design included in recent processors
  - → Probabilistic: SGX-Step remains relevant!

## **Root-causing SGX-Step: Aiming the timer interrupt**



## Root-causing SGX-Step: Microcode assists to the rescue!



## Root-causing SGX-Step: Microcode assists to the rescue!



## Ideas that were rejected (2)





Highly complex



# Ideas that were rejected (3)



# **AEX-Notify solution overview**



# **AEX-Notify solution overview**



#### TECHNQUES AND TECHNOLOGIES TO ADDRESS MALICIOUS SINGLE-STEPPING AND ZERO-STEPPING OF TRUSTED EXECUTION ENVIRONMENTS

#### TECHNICAL FIELD

[0001] The disclosure relates generally to electronics, and, more specifically, an embodiment of the disclosure relates to techniques and technologies to address malicious singlestepping and zero-stepping of trusted execution environments (TEEs).

#### BACKGROUND

[0002] Trusted Execution Environments (TEEs), such as Intel® Software Guard Extensions (Intel® SGX), are susceptible to methods that induce interrupts or exceptions to maliciously single-step (e.g. SGX-Step) or zero-step instruction processing in the TEE (e.g. Microscope replay attack, PLATYPUS power side-channel attack). During singlestepping or zero-stepping, a malicious hypervisor or operating system (OS) may be able to increase the granularity of side channel information which can be collected during the TEE processing. Analyzing side channel information is a method that can be used to infer information, such as instruction flows and data, about the TEE. Thus, there is value in techniques that can mitigate these attack techniques, specifically single-stepping and zero-stepping of TEEs. side-channel attack) and then resumes execution of the code from the enclave according to embodiments of the disclosure.

[0011] FIG. 8 illustrates a method of handling an asynchronous exit of the execution of code from an enclave that utilizes an enclave enter instruction, an enclave exit instruction, and an enclave resume instruction that invokes a handler to handle an operating system signal caused by the asynchronous exit and then resumes execution of the code from the enclave according to embodiments of the disclosure.

**[0012]** FIG. 9 illustrates a method of handling an exception with an enclave that comprises a field to indicate a set of one or more exceptions to suppress, and when execution of the code in the enclave encounters the exception, a handler is invoked without delivering the exception to an operating system according to embodiments of the disclosure.

[0013] FIG. 10 illustrates a hardware processor coupled to storage that includes one or more enclave instructions (e.g., an enclave resume (ERESUME) instruction) according to embodiments of the disclosure.

**[0014]** FIG. **11** is a flow diagram illustrating operations of a method for processing an "ERESUME" instruction according to embodiments of the disclosure.

[0015] FIG. 12 is a flow diagram illustrating operations of another method for processing an "ERESUME" instruction according to embodiments of the disclosure.

[0016] FIG. 13A is a block diagram illustrating a generic

ASYNCHRONOUS ENCLAVE EXIT NOTIFY AND THE EDECCSSA USER LEAF FUNCTION



#### CHAPTER 8 ASYNCHRONOUS ENCLAVE EXIT NOTIFY AND THE EDECCSSA USER LEAF FUNCTION

#### 8.1 INTRODUCTION

Asynchronous Enclave Exit Notify (AEX-Notify) is an extension to Intel<sup>®</sup> SGX that allows Intel SGX enclaves to be notified after an asynchronous enclave exit (AEX) has occurred. EDECCSSA is a new Intel SGX user leaf function (ENCLU[EDECCSSA]) that can facilitate AEX notification handling, a well as software exception handling. This chapter provides information about changes to the Intel SGX architecter that support AEX-Notify and ENCLU[EDECCSSA].

The following list summarizes the add details are provided in Section 8.3):

- SECS.ATTRIBUTES.AEXNOTIFY: TI
- TCS.FLAGS.AEXNOTIFY: This enclave mean may receive AcA nouncations.
- SSA.GPRSGX.AEXNOTIFY: Enclave-writable byte that allows enclave software to dynamically enable/disable AEX notifications.

An AEX notification is delivered by ENCLU[ERESUME] when the following conditions are met:

ፖ

#### SGX-Step led to new x86 processor instructions!

→ shipped in millions of devices  $\geq$  4th Gen Xeon [CVBC<sup>+</sup>23]

#### phoronix

#### Intel AEX Notify Support Prepped For Linux To Help Enhance SGX Enclave Security

Written by Michael Larabel in Intel on 6 November 2022 at 06:01 AM EST. 5 Comments



Future Intel CPUs and some existing processors via a microcode update will support a new feature called the Asynchronous EXit (AEX) notification mechanism to help with Software Guard Extensions (SGX) enclave security. Patches for the Linux kernel are pending for implementing this Intel AEX Notify support with capable processors.

Intel's Asynchronous EXit (AEX) notification mechanism lets SGX enclaves run a handler after an AEX event. Those handlers can be used for things like mitigating SGX-Step as an attack framework for precise enclave execution control.

|        | 5                                                            | Q 🖻 🥨          |
|--------|--------------------------------------------------------------|----------------|
| Code 1 | v in Intel/Ilnux-sgx X                                       | <b>Filter</b>  |
| ~ hu   | sdk/trts/linux/trts_mitigation.S                             |                |
| 48     | * Description:                                               |                |
| 49     | * The file provides mitigations for SGX-Step                 | p              |
| 50     | */                                                           |                |
| 71     | * Function:                                                  |                |
|        | constant_time_apply_sgxstep_mitigation_and_contin            | nue_execution  |
| 72     | <ul> <li>Mitigate SGX-Step and return to the poin</li> </ul> | t at which the |
|        | most recent                                                  |                |
| 73     | interrupt/exception occurred.                                |                |





## Beyond SGX-Step: Derived Frameworks for Emerging TEEs

SGX-Step has inspired similar single-stepping frameworks for alternative TEEs

 $\rightarrow$  e.g., AMD, SEV, intel TDX, arm TrustZone

#### Independent testimonies on SGX-Step's impact

- "In the hope that the framework inspires a similar community as SGX-Step, we dubbed it SEV-Step." [WWRE23]
- "Leveraging SGX-Step type attack to compromise Intel TDX, which is coined as TDX-Step [...] Working exploit well within the timeline but also collaborated closely with the Intel TDX architecture team to review and refine the mitigation for the vulnerability." [Int23]

# "Embedded-systems security is, for lack of a better word, a mess."

- John Viega & Hugh Thompson (S&P'12)

# Sancus: Lightweight trusted computing for the IoT



OpenMSP430 CPU extensions for isolation + attestation LLVM compiler pass

Support software "operating system"

| Unprotected<br>memory | $SPM_A$ Code | Unprotected<br>memory | $SPM_A$ Data | Unprotected<br>memory |  |
|-----------------------|--------------|-----------------------|--------------|-----------------------|--|
| 0x0000 0xFFF          |              |                       |              |                       |  |





# The bigger picture: The rise of trusted execution



23

# Sancus: Lightweight and Open-Source Trusted Computing for the IoT



ownership over memory-mapped I/O

peripheral devices, and can implement

software-defined access control policies.

expected: critical components can be

migrated gradually into Sancus-protected

modules

integrity, and freshness of all traffic between a protected module and its remote provider.

## Sancus: A Low-Cost Security Architecture for IoT devices

#### Extends openMSP430 with strong security primitives

- Software Component Isolation
- Cryptography & Attestation
- Secure I/O through isolation of MMIO ranges
- Efficient, Modular,  $\leq 2 \text{ kLUTs}$
- Cryptographic key hierarchy for software attestation
- Isolated components are typically very small (< 1kLOC)</li>



Noorman et al. Sancus 2.0: A Low-Cost Security Architecture for IoT devices. TOPS, 2017

Sancus is open source: https://distrinet.cs.kuleuven.be/software/sancus/



# Sancus is dead, long live Sancus!



## Aion: Strong Availability Guarantees for Enclaves

#### Sancus as a Starting Point

#### Trusted Software

• Protected Scheduler controls interrupts and scheduling decisions

#### Hardware Extensions

• Exception Engine facilitates interruption of (protected) threads





# Sancus attack research: The gift that keeps giving



### PSIRT Notification MSP430FR5xxx and MSP430FR6xxx IP Encapsulation Write Vulnerability

🤴 Texas Instruments

#### Summary

The IP Encapsulation feature of the Memory Protection Unit may not properly prevent writes to an IPE protected region under certain conditions. This vulnerability assumes an attacker has control of the device outside of the IPE protected region (access to non-protect memory, RAM, and CPU registers).

#### Vulnerability

#### Nemesis on embedded microprocessors (openMSP430+Sancus)



### Nemesis hardware defense: Padding interrupt latency



• D Busi et al. "Provably Secure Isolation for Interruptible Enclaved Execution on Small Microprocessors", CSF 2020.

## Nemesis hardware defense: Studying limitations of formal systems



- D Busi et al. "Provably Secure Isolation for Interruptible Enclaved Execution on Small Microprocessors", CSF 2020.
- D Bognar et al. "Mind the Gap: Studying the Insecurity of Provably Secure Embedded Trusted Execution Architectures", S&P 2022.

### Nemesis software defenses: Balancing vulnerable branches



- D Winderix et al. "Compiler-Assisted Hardening of Embedded Software Against Interrupt Latency Side-Channel Attacks", EuroS&P 2021.
- 🗅 Pouyanrad et al. "SCFMSP: Static Detection of Side Channels in MSP430 Programs", ARES 2020.
- 🗅 Salehi et al. "NemesisGuard: Mitigating Interrupt Latency Side Channel Attacks with Static Binary Rewriting", Computer Networks 2022.

## Nemesis software defenses: Principled ISA augmentation



- D Winderix et al. "Compiler-Assisted Hardening of Embedded Software Against Interrupt Latency Side-Channel Attacks", EuroS&P 2021.
- D Pouyanrad et al. "SCFMSP: Static Detection of Side Channels in MSP430 Programs", ARES 2020.
- 🗅 Salehi et al. "NemesisGuard: Mitigating Interrupt Latency Side Channel Attacks with Static Binary Rewriting", Computer Networks 2022.
- 🗅 Bognar et al. "MicroProfiler: Principled Side-Channel Mitigation through Microarchitectural Profiling", EuroS&P 2023.

## **Outlook: Future and ongoing research directions**

- 1. Universal attack primitives: Intel TDX, AMD SEV, ARM?
  - $\rightarrow$  Adversary capabilities, hardware vs. software monitor, automation, etc.
- 2. Hardware extensions for next-gen TEEs: MSP430-Sancus, RISC-V
  - $\rightarrow$  Provable security & limitations, availability, SMAP-like restrictions, etc.
- 3. Transparent shielding: Enclave runtime, compiler
  - $\rightarrow\,$  Fuzzing, formal verification of the enclave interface
  - $\rightarrow$  Compile-time hardening for *incremental* side-channel resistance
- 4. Towards transient safety: Redefining the hardware-software contract
  - → Efficient containment of Spectre (long term) vs. LVI (short term)