A team of researchers has demonstrated that Intel’s SGX technology can be abused to hide an advanced and stealthy piece of malware that could allow attackers to steal data and conduct activities on the victim’s behalf. Intel says its technology works as intended and it’s not designed to block these types of attacks.
Michael Schwarz, Samuel Weiser and Daniel Gruss of the Graz University of Technology in Austria have conducted an analysis of Intel SGX and the practicality of enclave malware. It’s worth noting that Schwarz and Gruss were also involved in the discovery of the notorious Meltdown and Spectre vulnerabilities.
Intel Software Guard Extension (SGX) is an isolated execution technology present in Intel processors. It’s designed to protect code and data against disclosure and changes – even if the system has been compromised – by allowing developers to partition their applications into hardware-protected memory regions called enclaves. The technology is advertised for cloud environments, digital rights management (DRM), secure browsing, and other applications.
While the technology can be highly useful, it can also be leveraged for malicious purposes. SGX enclaves can be ideal for hiding a piece of malware as they prevent antiviruses from inspecting code running in them, and cybercriminals could develop ransomware that stores encryption keys inside an enclave to make file recovery impossible.
Researchers demonstrated in the past that enclave malware can use side channels to steal sensitive information, but it has been assumed that there are serious limitations to what enclave malware can do. Some previously developed enclave malware relied on an application running on the host to perform malicious activities.
However, researchers from the Graz University of Technology have now shown that enclave malware can be practical and it does not necessarily need support from a malicious host application. They demonstrated how a piece of malware can bypass SGX restrictions and stealthily exploit a benign host application.
In the attack scenario described by the experts, the victim uses a trusted and secure system. The attacker delivers a benign application that uses a malicious enclave when executed. The host application communicates with the enclave through an interface that should not allow the enclave to attack the app.
However, despite serious restrictions, the researchers have demonstrated that it is possible to escape the enclave and achieve arbitrary code execution with host privileges even without exploiting any hardware flaws in SGX. The attack can even bypass exploit protections such as ASLR, stack canaries, and Address Sanitizer.
Theoretical attack scenarios described by the experts involve criminal threat actors delivering the malware as computer games requiring the execution of a DRM enclave, a messaging app that runs an enclave for security reasons, and a special decoder that allegedly needs an enclave to provide an interesting feature. In attack scenarios involving a state surveillance agency, the enclave malware is delivered via state-endorsed applications, such as digital signature tools.
Hackers could steal or encrypt files for ransom attacks, or they could perform actions on the victim’s behalf, including to send out phishing emails or launch denial-of-service (DoS) attacks, experts said.
Sophisticated threat actors may find this method useful as it can help them ensure that the zero-day vulnerabilities exploited in their attacks are not exposed if their malware is discovered. The method allows an attacker to trigger the exploit at a specified moment to prevent discovery before execution, which can be useful for large-scale synchronized threats such as botnets and ransomware.
“[Hiding] malware in an SGX enclave give attackers plausible deniability and stealthiness until they choose to launch the attack. This is particularly relevant for trigger-based malware that embeds a zero-day exploit, but also to provide plausible deniability for legal or political reasons, e.g., for a state actor. Possible scenarios range from synchronized large-scale denial-of-service attacks to targeted attacks on individuals,” the researchers explained.
“We conclude that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits. Our results lay ground for future research on more realistic trust relationships between enclave and non-enclave software, as well as the mitigation of enclave malware,” they noted.
Contacted by SecurityWeek, Intel has thanked the researchers for their work and for coordinating disclosure of the method. However, the tech giant says the research is “based upon assumptions that are outside the threat model for Intel SGX.”
“The value of Intel SGX is to execute code in a protected enclave; however, Intel SGX does not guarantee that the code executed in the enclave is from a trusted source. In all cases, we recommend utilizing programs, files, apps, and plugins from trusted sources,” Intel said.