Widely used Intel processors have been found vulnerable to two new attacks that can be exploited to steal private and protected information from the Intel CPU’s TEE (Trusted Execution Environment). These attacks have been dubbed SGAxe and CrossTalk, and are designed to breach Intel SGX (Software Guard eXtensions) enclaves.
Intel SGX is a security feature present in modern-day Intel CPUs. Its primary role is to allow OS and user-space code to run apps in secure software containers called ‘enclaves’.
A TEE, similar to SGX, is a secure space inside the central processing unit that is responsible for safeguarding code, software and data, and protects the machine from potential threat actors.
SGAxe is an evolution of the CacheOut attack (CVE-2020-0549), which was discovered a few months back, in January 2020. Also known as L1D Eviction Sampling, the CacheOut attack allows an authenticated attacker to access information from the CPU's L1 cache, owing to cleanup errors in data cache evictions.
On the other hand, CrossTalk is a separate attack method that allows the attacker to execute code on one CPU core, while targeting and leaking data from SGX enclaves of a different CPU core.
What is SGAxe Attack? SGX Enclaves Vulnerability
A group of academic researchers from the Universities of Michigan and Adelaide is responsible for the discovery of the CacheOut and SGAxe attacks. As mentioned above, SGAxe goes a step further than its predecessor and builds on its speculative execution technique to steal SGX data.
Although Intel tried to resolve these SGX side-channel attacks with new architecture and microcode updates, these mitigations proved to be insufficient. In other words, a malicious actor can still bypass Intel’s countermeasures and breach the confidentiality of SGX enclaves. They do so with the help of attestation keys, which, as the name suggests, are a sort of virtual signature used to authenticate a piece of software within the Intel ecosystem. The attacker behind SGAxe leverages this in the following process:
- First by extracting the SGX private attestation keys from within Intel SGX’s quoting enclave
- These keys are compiled and signed by Intel itself
- The next step includes signing arbitrary SGX attestation quotes and faking them to look like they have been initiated from trusted and updated SGX enclaves
- This allows the network attacker to masquerade as authentic Intel SGX machines
As further explained by the researchers,
“With the machine's production attestation keys compromised, any secrets provided by [the] server are immediately readable by the client's untrusted host application, while all outputs allegedly produced by enclaves running on the client cannot be trusted for correctness. This effectively renders SGX-based DRM applications useless, as any provisioned secret can be trivially recovered.”
Below is a video demonstration of the researchers signing arbitrary quotes for Remote Attestation:
SGAxe Patch and Mitigation
As Intel’s January 2020 mitigation for the CacheOut vulnerability proved ineffective, they will release patches for CacheOut and SGAxe together as microcode updates, which will be provided to OEM vendors for fixing the root issues. End users will receive these as BIOS updates.
Additionally, Intel will also perform a TCB (Trusted Compute Base) recovery to invalidate all previously compiled and signed attestation keys.
One thing to note is that these bugs are in the processor’s silicon, so the microcode updates might fix the issue but at the cost of performance. To address this problem in the long run, Intel will probably make silicon adjustments in upcoming processor generations.
What is CrossTalk Attack? Another Intel SGX Vulnerability
Discovered by researchers at VU University Amsterdam, CrossTalk is derived from the Microarchitectural Data Sampling (MDS) attack. Taking advantage of a transient execution vulnerability (also known as Special Register Buffer Data Sampling - SRBDS), CrossTalk shatters the myth that the attacker and victim need to share a CPU core. Instead, it enables “attacker-controlled code executing on one CPU core to leak sensitive data from victim software executing on a different core”.
To analyze this in more depth, let’s first understand the idea of a “staging” buffer. A staging buffer is a microarchitectural buffer that is shared by, and readable from, all CPU cores. It retains the results of previously executed offcore instructions (from all cores). The CrossTalk attack uses the staging buffer to obtain the private ECDSA (Elliptic Curve Digital Signature Algorithm) key of a protected SGX enclave running on a different CPU core.
Following this technique, an attacker can launch a transient execution attack to read the staging buffer and subsequently steal sensitive data left behind by previously executed victim instructions. The CrossTalk exploit is tracked as CVE-2020-0543.
“Our attack can leak the output of the RDRAND and RDSEED instructions from the staging buffer, which together represent the only available source of randomness provided by the CPU for any Intel SGX secure enclave.”
CrossTalk Patch and Mitigation
VU University researchers confirm that they have been sharing staging buffer leakage proofs with Intel since September 2018. Fortunately, after a long wait, Intel has recently released the microcode update that will be distributed to software vendors.
The confirmed list of affected CPUs is:
All concerned users are advised to update to the latest version as soon as possible.
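One way to confirm that the CrossTalk microcode fix is in effect on a Linux host, as an added example that is not part of the original article: the kernel reports its SRBDS (CVE-2020-0543) status in sysfs, and the script below turns that report into an ok/warn/fail verdict. The function names and verdict labels are this example's own; the sysfs path and status strings are the ones the Linux kernel documents.

```shell
#!/bin/sh
# Added example: turn the Linux kernel's SRBDS (CVE-2020-0543) status into a
# verdict. The sysfs path and status strings are the kernel's documented ones;
# function names and the ok/warn/fail labels are this example's own.

SRBDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/srbds

# Map one kernel status string to a verdict line.
classify_srbds() {
    case "$1" in
        "Not affected")             echo "ok: CPU is not affected" ;;
        "Mitigation: Microcode")    echo "ok: microcode mitigation is active" ;;
        "Mitigation: TSX disabled") echo "ok: exposed only with TSX, which is off" ;;
        "Vulnerable: No microcode") echo "fail: updated microcode is not loaded" ;;
        "Vulnerable")               echo "fail: mitigation is switched off" ;;
        "Unknown: Dependent on hypervisor status")
                                    echo "warn: guest, check the hypervisor host" ;;
        *)                          echo "warn: unrecognised status '$1'" ;;
    esac
}

# Classify the status held in a sysfs-style file; the path argument defaults to
# the real sysfs entry and exists so the check can be run on saved copies.
# Returns 1 only for a "fail" verdict, so a monitoring job can alert on it.
check_srbds() {
    file="${1:-$SRBDS_SYSFS}"
    if [ ! -r "$file" ]; then
        echo "warn: no SRBDS entry, kernel does not report this issue"
        return 0
    fi
    verdict=$(classify_srbds "$(cat "$file")")
    echo "$verdict"
    case "$verdict" in fail:*) return 1 ;; esac
    return 0
}

# Loaded microcode revision of the first CPU listed in a cpuinfo-style file.
microcode_rev() {
    awk -F': ' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Run against the live system only when asked to: ./script.sh --run
if [ "${1:-}" = "--run" ]; then microcode_rev; check_srbds; fi
```

A "Vulnerable" status with current microcode usually means the mitigation was disabled at boot with `srbds=off` or `mitigations=off` on the kernel command line.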