# The Dark Side of Privilege

Understanding and Mitigating Software-Based Side Channels on Trusted Execution Environments

### Jo Van Bulck

☆ DistriNet, KU Leuven, Belgium 
☐ jo.vanbulck@cs.kuleuven.be 
ⓒ vanbulck.net

MIC-SEC Winter School, Dec 2, 2025



### Trust?



### **Confidential Computing: Reducing Attack Surface**





Traditional layered designs: Large trusted computing base

### **Confidential Computing: Reducing Attack Surface**





Trusted execution: Hardware-level isolation and attestation

### The Rise of Trusted Execution Environments (TEEs)











- 2004: ARM TrustZone
- 2015: Intel Software Guard Extensions (SGX)
- 2016: AMD Secure Encrypted Virtualization (SEV)
- 2018: IBM Protected Execution Facility (PEF)
- 2020: AMD SEV with Secure Nested Paging (SEV-SNP)
- 2022: Intel Trust Domain Extensions (TDX)
- 2023: ARM Confidential Compute Architecture (CCA)
- 2024: NVIDIA Confidential Computing



### **Confidential Computing Isolation Paradigms**



## Confidential Computing Isolation Paradigms (Focus for Today)



## "Confidential Computing Today, Just Computing Tomorrow" \*



# TEE Attack Research Leads the Way . . .



### TEE Attack Research Leads the Way . . .





- Privileged TEE attacker models sets the bar!
- Idealized execution environment for attack research
- Generalizations: e.g., Foreshadow-NG, branch prediction, address translation, etc.



### Motivation: Why Research TEE/SGX Security?





Technologies such as disk- and network-traffic encryption protect data in storage and during transmission, but data can be vulnerable to interception and tampering while in use in memory. "Confidential computing" is a rapidly emerging usage category that protects data while it is in use in a Trusted Execution Environment (TEE). Intel SGX is the most researched, updated and battle-tested TEE for data center confidential computing, with the smallest attack surface within the system. It enables application isolation in private memory regions, called enclaves, to help protect up to 1 terabyte of code and data while in use.

### **Recap: Reducing Attack Surface with Enclaves**





### Not Today: Physical-Access Attacks

(See Ingrid & Jesse, Wed)



### Today: Privileged Software-Based Side-Channel Attacks





**Game changer:** Untrusted OS  $\rightarrow$  New class of powerful side channels!

15 captures 11 Jun 2020 - 15





### Intel® SGX and Side-Channels

By Simon Paul Johns in, Published: 03/17/2017, Last Updated: 02/27/2018

Since launching Intel® Software Guard Extensions (Intel® SGX) on 6th Generation Intel® Core™ processors in 2015, there have been a number of academic articles looking at various usage models and the security of Intel SGX. Some of these papers focus on a class of attack known as a side-channel attack, where the attacker relies on the use of a shared resource to discover information about processing occurring in some other privileged domain that it does not have

direct access to. In general, these research papers do not demonstrate anything new or unexpected about the Intel SGX architecture. Preventing side channel attacks is a matter for the enclave developer. Intel makes this clear In the security objectives for Intel SGX, which we published as part of our workshop tutorial at the International Symposium on Computer Architecture in 2015, the slides for which can be found here [slides 109-121], and in the Intel® SGX SDK Developer's Manual.



# Game Changer: Privileged "Bottom-Up" Adversary Model



## Game Changer: Privileged "Bottom-Up" Adversary Model



### Privileged x86 Interface and Complexity Growth...





### Systematizing the SGX Attack Landscape

|                         | Properties Attack                                                                                                                                                                   |       | x86 Interface |           |               |         |             | Constraints |              |             |                                                  |
|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------|---------------|-----------|---------------|---------|-------------|-------------|--------------|-------------|--------------------------------------------------|
|                         |                                                                                                                                                                                     |       | EGDT          | IRO       | MSP           | CRI     | PMC         | SMI         | REF          | SAL         | Grændar                                          |
| μ-arch contention       | Cache priming [181, 92, 29, 225, 79] Branch prediction [156, 59, 105] DRAM row buffer conflicts [263] False dependencies [180] Interrupt latency [256, 95, 208] Port contention [7] | 0 0 0 | 0 0 0 0       | 0 0       | 0 0 0         | 0 0 0   |             | 0 0         | •            | 000000      | 64 B<br>Inst<br>1-8 KiB<br>4 B<br>Inst           |
| Control channel $ \mu $ | Page faults [277] Page table A/D [258, 263] Page table flushing [258] Interrupt counting [182] IA32 segmentation faults [91] Alignment faults [254]                                 | •     | 0 0 0 0 0     | 0 0 0 0 0 | 0 0 0 0 0 0 0 | 0 0 0 0 | 0 0 0 0 0 0 |             | 0 0 0 0 0    | 0 0 0 0 0   | μ-op  4 KiB  4 KiB  32 KiB  Inst  1 B-4 KiB  1 B |
| Transient               | Foreshadow L1D extraction [249] Data sampling [223, 216, 211] Spectre [39, 148] Load value injection [251]                                                                          | 0     | 0 0 0         | 0         | 0 0 0         | 0 0 0   | 0 0         | 0 0         | 0<br>0<br>0  | 0<br>0<br>0 | -<br>-<br>-                                      |
| Interface               | Memory safety [254, 154, 24, 266]<br>Undervolting [188, 137, 210]<br>Off-chip memory address bus [152]                                                                              | 0     | 0             | 0         | •             | 0       | 0 0         | 0           | <b>0</b> • • | 0           | -<br>-<br>64 B                                   |



Possibly every privileged CPU feature can be abused!



# Idea #1: Deterministic Spatial Resolution with Page Tables

### **Background: The Virtual Memory Abstraction**



### Idea: Page Faults as a Side Channel



SGX machinery protects against direct address remapping attacks

### Idea: Page Faults as a Side Channel



Xu et al. "Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems", IEEE S&P 2015.

### **Intel SGX: Page Faults as a Side Channel**



D Xu et al.: "Controlled-channel attacks: Deterministic side channels for untrusted operating systems", Oakland 2015.

- ⇒ Page fault traces leak private control data/flow
- Xu et al. "Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems", IEEE S&P 2015.

### **Spatial Resolution: Page-Granular Memory Access Traces**





Detailed trace of (coarse-grained) code and data accesses over time...

### **Spatial Resolution: Page-Granular Memory Access Traces**



### **Spatial Resolution: Page-Granular Memory Access Traces**



🗅 Xu et al.: "Controlled-channel attacks: Deterministic side channels for untrusted operating systems", Oakland 2015.

... but many faults and a coarse-grained 4 KiB granularity

### **Naive Solutions: Hiding Enclave Page Faults**



- ☐ Shih et al. "T-SGX: Eradicating controlled-channel attacks against enclave programs", NDSS 2017.
  - ☐ Shinde et al. "Preventing page faults from telling your secrets", AsiaCCS 2016.

### **Naive Solutions: Hiding Enclave Page Faults**



... But stealthy attacker can learn page visits without triggering faults!

### **Documented Side-Effects of Address Translation**

#### 4.8 ACCESSED AND DIRTY FLAGS

For any paging-structure entry that is used during linear-address translation, bit 5 is the **accessed** flag.<sup>2</sup> For paging-structure entries that map a page (as opposed to referencing another paging structure), bit 6 is the **dirty** flag. These flags are provided for use by memory-management software to manage the transfer of pages and paging structures into and out of physical memory.

Whenever the processor uses a paging-structure entry as part of linear-address translation, it sets the accessed flag in that entry (if it is not already set).

Whenever there is a write to a linear address, the processor sets the dirty flag (if it is not already set) in the paging-structure entry that identifies the final physical address for the linear address (either a PTE or a paging-structure entry in which the PS flag is 1).



### **Telling your Secrets without Page Faults**

### 1. Attack vector: PTE status flags:

- A(ccessed) bit
- D(irty) bit
- → Also updated in enclave mode!



D Van Bulck et al. "Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution", USENIX 2017.

### **Telling your Secrets without Page Faults**

- 1. Attack vector: PTE status flags:
  - A(ccessed) bit
  - D(irty) bit
  - → Also updated in enclave mode!
- Attack vector: Unprotected page table memory:
  - Cached as regular data
  - Accessed during address translation
  - → Flush+Reload cache timing attack!



D Van Bulck et al. "Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution", USENIX 2017.

### **Attacking Libgcrypt EdDSA (Simplified)**



D Van Bulck et al. "Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution", USENIX 2017.

### **Attacking Libgcrypt EdDSA (Simplified)**

```
if (mpi_is_secure (scalar)) {
                                                                                                  Memory layout
        /* If SCALAR is in secure memory we assume that it is the
           secret key we use constant time operation. */
                                                                              Monitor
        point_init (&tmppnt);
                                                                                                                    0x0F000
                                                                           trigger page
                                                                                                      gcry free
        for (j=nbits-1; j >= 0; j--)
 6
                                                                                                          ...
            _gcry_mpi_ec_dup_point (result, result, ctx);
             _gcry_mpi_ec_add_points (&tmppnt, result, point, ctx);
                                                                                                                    0xC0000
                                                                                                      mpi add
             point_swap_cond (result, &tmppnt, mpi_test_bit (scalar, j), ctx);
 9
                                                                                                                    0xC1000
                                                                                                     mpi test bit
10
        point_free (&tmppnt):
11
      else -
12
                                                                                                          ...
                                                                                  ACCESSED?
        for (j=nbits-1; j >= 0; j--) {
13
                                                                                                                    0xC9000
                                                                                                    mpi ec add p
             _gcry_mpi_ec_dup_point (result, result, ctx);
14
            if (mpi_test_bit (scalar, j))
                                                                                                                    0xCA000
15
                                                                                                    mpi ec mul p
                 _gcry_mpi_ec_add_points (result, result, point, ctx);
16
17
                                                                                                          ...
18
```

D Van Bulck et al. "Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution", USENIX 2017.

### **Attacking Libgcrypt EdDSA (Simplified)**

```
if (mpi_is_secure (scalar)) {
                                                                                                   Memory layout
        /* If SCALAR is in secure memory we assume that it is the
            secret key we use constant time operation. */
        point_init (&tmppnt);
                                                                                                                     0x0F000
                                                                                                       gcry free
        for (i=nbits-1: i >= 0: i--) {
 6
                                                                                                          ...
            _gcry_mpi_ec_dup_point (result, result, ctx);
             _gcry_mpi_ec_add_points (&tmppnt, result, point, ctx);
                                                                                                                     0xC0000
                                                                                                       mpi add
             point_swap_cond (result, &tmppnt, mpi_test_bit (scalar, j), ctx);
                                                                                                                     0xC1000
                                                                                                     mpi test bit
10
        point_free (&tmppnt):
11
                                                               INTERRUPT
      else -
12
                                                                                                          ...
        for (j=nbits-1; j >= 0; j--) {
13
                                                                                                                     0xC9000
                                                                                                    mpi ec add p
             _gcry_mpi_ec_dup_point (result, result, ctx);
14
            if (mpi_test_bit (scalar, j))
                                                                                                                     0xCA000
15
                                                                                                    mpi ec mul p
                 _gcry_mpi_ec_add_points (result, result, point, ctx);
16
17
                                                                                                          ...
18
```

D Van Bulck et al. "Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution", USENIX 2017.

#### **Attacking Libgcrypt EdDSA (Simplified)**



D Van Bulck et al. "Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution", USENIX 2017.

#### **Attacking Libgcrypt EdDSA (Simplified)**

```
if (mpi_is_secure (scalar)) {
                                                                                                  Memory layout
        /* If SCALAR is in secure memory we assume that it is the
           secret key we use constant time operation. */
        point_init (&tmppnt);
                                                                                                                    0x0F000
                                                                                                      gcry free
        for (i=nbits-1: i >= 0: i--)
 6
                                                                                                          ...
            _gcry_mpi_ec_dup_point (result, result, ctx);
             _gcry_mpi_ec_add_points (&tmppnt, result, point, ctx);
                                                                                                                    0xC0000
                                                                                                       mpi add
             point_swap_cond (result, &tmppnt, mpi_test_bit (scalar, j), ctx);
                                                                                                                    0xC1000
                                                                                                     mpi test bit
10
        point_free (&tmppnt):
11
      else -
12
                                                                                                          ...
                                                                          RESUME
        for (j=nbits-1; j >= 0; j--) {
13
                                                                                                                    0xC9000
                                                                                                    mpi ec add p
             _gcry_mpi_ec_dup_point (result, result, ctx);
14
            if (mpi_test_bit (scalar, j))
                                                                                                                    0xCA000
15
                                                                                                    mpi ec mul p
                 _gcry_mpi_ec_add_points (result, result, point, ctx);
16
17
                                                                                                          ...
                                                     Full 512-bit key recovery, single run
18
```

D Van Bulck et al. "Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution", USENIX 2017.

#### **Side-channel Analysis: From Metadata Patterns to Secrets**



### Scientific Understanding Driven by Attacker-Defender Race...



### Scientific Understanding Driven by Attacker-Defender Race...





# Idea #2: Improved Temporal Resolution with Timer Interrupts



#### **Protection from Side-Channel Attacks**

Intel® SGX does not provide explicit protection from side-channel attacks. It is the enclave developer's responsibility to address side-channel attack concerns.

In general, enclave operations that require an OCall, such as thread synchronization, I/O, etc., are exposed to the untrusted domain. If using an OCall would allow an attacker to gain insight into enclave secrets, then there would be a security concern. This scenario would be classified as a side-channel attack, and it would be up to the ISV to design the enclave in a way that prevents the leaking of side-channel information.

An attacker with access to the platform can see what pages are being executed or accessed. This side-channel vulnerability can be mitigated by aligning specific code and data blocks to exist entirely within a single page.

More important, the application enclave should use an appropriate crypto implementation that is side channel attack resistant inside the enclave if side-channel attacks are a concern.

#### Temporal Resolution Limitations for the Page-Fault Oracle

⇒ tight loop: 4 instructions, single memory operand, single code + data page

#### Counting strlen loop iterations?



Note: Page-fault attacks cannot make progress for 1 code + data page

#### **Temporal Resolution Limitations for the Page-Fault Oracle**







**Progress** requires both pages present (non-faulting) ↔ page fault oracle

#### **Building the Side-Channel Oracle with Execution Timing?**



**Too noisy:** modern x86 processors are lightning fast...



#### **Challenge: Side-Channel Sampling Rate**



#### **SGX-Step: Executing Enclaves one Instruction at a Time**



#### **SGX-Step: Executing Enclaves one Instruction at a Time**



↑ https://github.com/jovanbulck/sgx-step



#### SGX-Step: Executing Enclaves one Instruction at a Time



#### **SGX-Step Demo: Single-Stepping Password Comparison**

```
jo@breuer:~/sgx-step-demo$ sudo ./app
```

#### SGX-Step: Enabling a New Line of High-Resolution Attacks

| Yr  | Venue          | Paper            | Step            | Use Case               | Drv        |
|-----|----------------|------------------|-----------------|------------------------|------------|
| '15 | S&P            | Ctrl channel     | ~ Page          | Probe (page fault)     | <b>✓</b> ■ |
| '16 | <b>ESORICS</b> | AsyncShock       | ~ Page          | Exploit (mem safety)   | - ∆        |
| '17 | CHES           | CacheZoom        | <b>X</b> >1     | Probe (L1 cache)       | 10         |
| '17 | ATC            | Hahnel et al.    | <b>X</b> 0 - >1 | Probe (L1 cache)       | /          |
| '17 | <b>USENIX</b>  | BranchShadow     | × 5 - 50        | Probe (BPU)            | X A        |
| '17 | <b>USENIX</b>  | Stealthy PTE     | ~ Page          | Probe (page table)     | 10         |
| '17 | <b>USENIX</b>  | DarkROP          | ~ Page          | Exploit (mem safety)   | 10         |
| 17  | SysTEX         | SGX-Step         | <b>√</b> 0 - 1  | Framework              | 1-1        |
| '18 | ESSoS          | Off-limits       | <b>√</b> 0 - 1  | Probe (segmentation)   | 1-         |
| '18 | AsiaCCS        | Single-trace RSA | ~ Page          | Probe (page fault)     | 1-         |
| '18 | USENIX         | Foreshadow       | <b>√</b> 0 - 1  | Probe (transient exec) | 1-1        |
| '18 | EuroS&P        | SgxPectre        | ~ Page          | Exploit (transient)    | 10         |
| '18 | CHES           | CacheQuote       | X >1            | Probe (L1 cache)       | 10         |
| '18 | ICCD           | SGXlinger        | X >1            | Probe (IRQ latency)    | X A        |
| '18 | CCS            | Nemesis          | ✓ 1             | Probe (IRQ latency)    | 1-1        |
| '19 | USENIX         | Spoiler          | ✓ 1             | Probe (IRQ latency)    | 1-         |
| '19 | CCS            | ZombieLoad       | <b>√</b> 0 - 1  | Probe (transient exec) | 1-#        |
| '19 | CCS            | Fallout          | a <b>—</b>      | Probe (transient exec) | 1-1        |
| '19 | CCS            | Tale of 2 worlds | ✓ 1             | Exploit (mem safety)   | 1-         |
| '19 | ISCA           | MicroScope       | ~ 0 - Page      | Framework              | X A        |
| '20 | CHES           | Bluethunder      | ✓ 1             | Probe (BPU)            | 1-1        |
| '20 | USENIX         | Big troubles     | ~ Page          | Probe (page fault)     | 1-         |
| '20 | S&P            | Plundervolt      | _               | Exploit (undervolt)    | 1-         |
| '20 | CHES           | Viral primitive  | <b>√</b> 1      | Probe (IRQ count)      | 1-1        |
| '20 | USENIX         | CopyCat          | <b>√</b> 1      | Probe (IRQ count)      | 1          |
| '20 | S&P            | LVI              | <b>√</b> 1      | Exploit (transient)    | 1-1        |

| Yr  | Venue   | Paper             | Step           | Use Case               | Drv |
|-----|---------|-------------------|----------------|------------------------|-----|
| '20 | CHES    | A to Z            | ~ Page         | Probe (page fault)     | 1-1 |
| '20 | CCS     | Déjà Vu NSS       | ~ Page         | Probe (page fault)     | 1-4 |
| '20 | MICRO   | PTHammer          | _              | Probe (page walk)      | 1-4 |
| '21 | USENIX  | Frontal           | <b>√</b> 1     | Probe (IRQ latency)    | 1-4 |
| '21 | S&P     | CrossTalk         | <b>√</b> 1     | Probe (transient exec) | 1-4 |
| '21 | CHES    | Online template   | ✓ 1            | Probe (IRQ count)      | 1-4 |
| '21 | NDSS    | SpeechMiner       | _              | Framework              | 1-4 |
| '21 | S&P     | Platypus          | <b>√</b> 0 - 1 | Probe (voltage)        | 1-4 |
| '21 | DIMVA   | Aion              | <b>√</b> 1     | Probe (cache)          | 1-4 |
| '21 | CCS     | SmashEx           | ✓ 1            | Exploit (mem safety)   | 1-4 |
| '21 | CCS     | Util::Lookup      | <b>√</b> 1     | Probe (L3 cache)       | 1-4 |
| '22 | USENIX  | Rapid prototyping | ✓ 1            | Framework              | 1-4 |
| '22 | CT-RSA  | Kalyna expansion  | <b>√</b> 1     | Probe (L3 cache)       | 1-4 |
| '22 | SEED    | Enclyzer          | -              | Framework              | 1-4 |
| '22 | NordSec | Self-monitoring   | ~ Page         | Defense (detect)       | 1-4 |
| '22 | AutoSec | Robotic vehicles  | ✓ 1 - >1       | Exploit (timestamp)    | 1-4 |
| '22 | ACSAC   | MoLE              | ✓ 1            | Defense (randomize)    | 1-4 |
| '22 | USENIX  | AEPIC             | <b>√</b> 1     | Probe (I/O device)     | 1-4 |
| '22 | arXiv   | Confidential code | ✓ 1            | Probe (IRQ latency)    | 1-4 |
| '23 | ComSec  | FaultMorse        | ~ Page         | Probe (page fault)     | 1-4 |
| '23 | CHES    | HQC timing        | ✓ 1            | Probe (L3 cache)       | 1-4 |
| '23 | ISCA    | Belong to us      | ✓ 1            | Probe (BPU)            | 1-4 |
| '23 | USENIX  | BunnyHop          | <b>√</b> 1     | Probe (BPU)            | 1-4 |
| '23 | USENIX  | DownFall          | <b>√</b> 0 - 1 | Probe (transient exec) | 1-4 |
| '23 | USENIX  | AEX-Notify        | <b>√</b> 1     | Defense (prefetch)     | 1-4 |

#### **SGX-Step: A Versatile Open-Source Attack Framework**



#### **Example: Deterministic Instruction Counting Attacks**



#### We can count instructions!

Inputs to expf() from  $10^{-2}$  to  $10^2$  fall into into **11 different count classes** (8 unique).

Spielman et al., "Activation Functions Considered Harmful: Recovering Neural Network Weights through Controlled Channels", RAID 2025.

#### **Example: Augmented Instruction-Level Page-Access Traces**



Spielman et al., "Activation Functions Considered Harmful: Recovering Neural Network Weights through Controlled Channels", RAID 2025.

#### **Nemesis: Extracting IRQ Latency Traces with SGX-Step**



**Enclave x-ray:** IRQ latency leaks instruction-level  $\mu$ -arch timing!



D Van Bulck et al. "Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic", CCS 2018...

#### **Nemesis: Extracting IRQ Latency Traces with SGX-Step**



**Enclave x-ray:** Spotting high-latency instructions



D Van Bulck et al. "Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic", CCS 2018...

#### **Nemesis: Extracting IRQ Latency Traces with SGX-Step**



Enclave x-ray: Zooming in on bsearch function



D Van Bulck et al. "Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic", CCS 2018...

**Binary search:** Find 40 in {20, 30, 40, 50, 80, 90, 100}



Adversary: Infer secret lookup in known array



**Goal:** Infer lookup → reconstruct bsearch control flow



**Goal:** Infer lookup → reconstruct bsearch control flow



⇒ Sample instruction latencies in secret-dependent path



#### **Interrupt-Latency Attacks Beyond Intel SGX**











## Single-Stepping Beyond Intel SGX



Based on slide from Luka Wilke.

# THE CODE DOESN'T WORK... WHY?



THE CODE WORKS...
WHY?

#### **Root-Causing SGX-Step: Aiming the Timer Interrupt**



#### **Root-Causing SGX-Step: Microcode Assists to the Rescue!**

|                    | PTE A-bit | Mean (cycles) | Stddev (cycles) | • • •               |          |
|--------------------|-----------|---------------|-----------------|---------------------|----------|
|                    | A=1       | 27            | 30              |                     | <b>F</b> |
|                    | A=0       | 666           | 55              |                     |          |
|                    |           |               | ~               | 3. Assisted PT walk |          |
|                    |           | •             | ^               |                     |          |
|                    |           | 1             |                 |                     |          |
| ( ) ; ( ) ( )      |           |               |                 | 222 Wall (CDID)     | ) ava    |
|                    |           | IV            |                 | page walk (\$RIP)   | exe      |
| 1. Clear PTE A-bit |           | 2. TLB flush  | ***             | ***.                |          |
|                    |           |               |                 | ****                | , a      |
| Arm timer          |           | ERESUME       |                 | NOP <sub>1</sub>    |          |
|                    |           |               |                 |                     |          |
|                    |           | נט            |                 |                     |          |
|                    |           | <b>→</b>  '   |                 |                     |          |
|                    |           |               |                 |                     | 12       |



#### **Root-Causing SGX-Step: Microcode Assists to the Rescue!**



Constable et al. "AEX-Notify: Thwarting Precise Single-Stepping Attacks through Interrupt Awareness for Intel SGX Enclaves", USENIX Security 2023.

#### **AEX-Notify: Hardware-Software Co-Design Solution**



Constable et al. "AEX-Notify: Thwarting Precise Single-Stepping Attacks through Interrupt Awareness for Intel SGX Enclaves", USENIX Security 2023.

#### **AEX-Notify: Hardware-Software Co-Design Solution**





# CHAPTER 8 ASYNCHRONOUS ENCLAVE EXIT NOTIFY AND THE EDECCSSA USER LEAF FUNCTION

#### 8.1 INTRODUCTION

Asynchronous Enclave Exit Notify (AEX-Notify) is an extension to Intel® SGX that allows Intel SGX enclaves to be notified after an asynchronous enclave exit (AEX) has occurred. EDECCSSA is a new Intel SGX user leaf function (ENCLUTEDECCSSA) that can facilitate AEX notification handless well as some analysis of the Intel SGX.

The following list summarizes the a details are provided in Section 8.3)

- SECS.ATTRIBUTES.AEXNOTIFY
- TCS.FLAGS.AEXNOTIFY: This e



→ shipped in millions of devices ≥ 4th Gen Xeon CPU

 SSA.GPRSGX.AEXNOTIFY: Enclave-writable byte that allows enclave software to dynamically enable/disable AEX notifications.

An AEX notification is delivered by ENCLU[ERESUME] when the following conditions are met:

**ARTICLES & REVIEWS** 

**NEWS ARCHIVE** 

FORUMS

PREMIUM

CONTACT

**CATEGORIES** 



Written by Michael Larabel in Intel on 6 November 2022 at 06:01 AM EST. 5 Comments



Future Intel CPUs and some existing processors via a microcode update will support a new feature called the Asynchronous EXit (AEX) notification mechanism to help with Software Guard Extensions (SGX) enclave security. Patches for the Linux kernel are pending for implementing this Intel AEX Notify support with capable processors.

Intel's Asynchronous EXit (AEX) notification mechanism lets SGX enclaves run a handler after an AEX event. Those handlers can be used for things like mitigating SGX-Step as an attack framework for precise enclave execution control.







most recent

73

SGX-Step led to changes in major OSs and enclave SDKs

interrupt/exception occurred.

#### There's a Catch...

Finally note that our proposed mitigation does not protect against interrupting enclaves and observing application code and data page accesses at a coarse-grained 4 KiB spatial resolution. In contrast to the fine-grained, instructiongranular interrupt-driven attacks we consider in this work, such controlled-channel attacks have received ample attention [18, 47, 56, 59] from the research community.

## Why Mitigating Single-Stepping is Not Enough













Original (left), Xu et al. (middle), our attack with AEX-Notify single-stepping defense (right)







# Libjpeg: AEX-Notify's Temporal Reduction in Practice



# Libjpeg: AEX-Notify's Temporal Reduction in Practice



# Libjpeg: AEX-Notify's Temporal Reduction in Practice



# Idea: TLB as a "Filter" to Hide Page Accesses



### TLBlur: Self-Monitoring and Restoring Enclave Page Accesses



#### Instrumentation to Self-Monitor Page Accesses at Runtime



#### Leakage Reduction in Practice: Libjpeg Single-Stepping



## Leakage Reduction in Practice: Libjpeg Page Faults



## Leakage Reduction in Practice: Libjpeg TLBlur (N=10)



# Leakage Reduction in Practice: Libjpeg TLBlur (N=20)



# Leakage Reduction in Practice: Libjpeg TLBlur (N=30)



#### **TLBlur: Compiler-Assisted Leakage Reduction in Practice**



















Automated "blurring" of page-access traces in space and time





# Idea #3: Model-Specific Registers and Performance-Monitoring Counters?

# **Software-Based DVFS Attacks**



#### **Software-Based DVFS Attacks**



Lipp et al. "PLATYPUS: Software-based Power Side-Channel Attacks on x86", S&P 21.



**Requirements:** Software-only attacker → *Metadata* + *direct data* leakage(!)

#### **Software-Based DVFS Attacks**



Murdock et al. "Plundervolt: Software-Based Fault Injection Attacks against Intel SGX", S&P 20.



**Requirements:** Software-only attacker → Fault injection (*integrity* breach)



How a little bit of undervolting can cause a lot of problems



## **Intel Power Management**



Fig. 1. Layout of the undocumented undervolting MSR with address 0x150.

#### **Plundervolt: Will it Fault?**

```
uint64_t multiplier = 0x1122334455667788;
uint64_t var = 0xdeadbeef * multiplier;

while (var == 0xdeadbeef * multiplier)
{
   var = 0xdeadbeef;
   var *= multiplier;
}
var ^= 0xdeadbeef * multiplier;
```

#### **Plundervolt: Will it Fault?**



Fig. 3. Base voltage (blue) and voltage for first fault (orange) vs. CPU frequency for the i3-7100U-A

#### Plundervolt: Differential Fault Analysis of AES-NI in SGX

```
[Enclave] plaintext: 5ABB97CCFE5081A4598A90E1CEF1BC39
[Enclave] CT1: DE49E9284A625F72DB87B4A559E814C4 <- faulty
[Enclave] CT2: BDFADCE3333976AD53BB1D718DFC4D5A <- correct
input to round 10:
[Enclave] 1: CD58F457 A9F61565 2880132E 14C32401
[Enclave] 2: AEEBC19C DOAD3CBA AOBCBAFA COD77D9F
input to round 9:
[Enclave] 1: 6F6356F9 26F8071F 9D90C6B2 E6884534
[Enclave] 2: 6F6356C7 26F8D01F 9DF7C6B2 A4884534
input to round 8:
[Enclave] 1: 1C274B5B 2DFD8544 1D8AEAC0 643E70A1
[Enclave] 2: 1C274B5B 2DFD8544 1D8AEAC0 646670A1
```

#### Plundervolt: Beyond Crypto—Inducing Memory-Safety Faults



Figure 4. The address of element a[i] in an array is computed as &a[0] + i \* sizeof (elem\_t).

#### Plundervolt: Beyond Crypto—Inducing Memory-Safety Faults





## **Conclusions and Take-Away**



New era of confidential computing for the cloud and IoT



... but current architectures are **not perfect!** 



Scientific understanding driven by attacker-defender race

