
New Flaws in Intel CPU Software Guard Extensions

YH
Modified 2020-12-21 11:25:47

Two separate teams of academic researchers on Wednesday published papers describing flaws in Intel's Software Guard Extensions (SGX).

SGX, a set of instructions, enhances application security by letting developers partition sensitive information into enclaves -- areas of execution in memory with hardware-assisted enhanced security protection. The aim is to protect application code and data from disclosure or modification.

Attestation services let users verify the identity of an application enclave before launching the application.

The recently uncovered flaws can prevent SGX from achieving its goal, the research teams showed. "SGAxe: How SGX Fails in Practice" describes compromises to long-term storage. "CrossTalk: Speculative Data Leaks Across Cores Are Real" describes cross-core attacks that could allow attackers to control data leakage.

"SGAxe effectively breaks the most appealing feature of SGX, which is the ability on an enclave to prove its trustworthiness over the network," wrote researchers Stephan van Schaik, Andrew Kwong and Daniel Genkin, all of the University of Michigan, and researcher Yuval Yarom of the University of Adelaide.

The researchers attacked SGX architectural enclaves that were provided and signed by Intel, and retrieved the secret attestation key used for cryptographically proving the enclaves are genuine over a network, which let them pass off fake enclaves as genuine.

The CrossTalk researchers found that some instructions read data from a staging buffer shared among all CPU cores involved. They presented the first cross-core attack using transient execution and showed it could be used to attack SGX enclaves running on a completely different core, letting an attacker control leakage using practical performance degradation attacks and discovering enclave private keys.

"We have demonstrated that this is a realistic attack," wrote Hany Ragab, Alyssa Milburn, Herbert Bos and Cristiano Giuffrida of Vrije Universiteit Amsterdam in The Netherlands and Kaveh Razavi of ETH Zurich in Switzerland.

"We have also seen that, yet again, it is almost trivial to apply these attacks to break code running in Intel's secure SGX enclaves," they added.

The researchers built a profiler, dubbed "CrossTalk," using performance counters, to examine the number and nature of complex microcoded instructions that perform offcore requests. When combined with transient execution vulnerabilities such as Microarchitectural Data Sampling (MDS), these operations can reveal the internal state of a CPU.

"Even recent Intel CPUs -- including those used by public cloud providers to support SGX enclaves -- are vulnerable to these attacks," the researchers wrote.
