Chip giant’s hardware-based memory encryption feature open to abuse

Researchers have discovered a means to abuse Intel's hardware-based memory encryption feature, SGX (Software Guard Extensions), in order to implant “super stealthy malware” on target systems.

The chip giant’s SGX technology is designed to safeguard sensitive data, even if a system gets compromised.

Work by Michael Schwarz, Samuel Weiser and Daniel Gruss – computer scientists from Austria’s Graz University of Technology – demonstrates how this isolation technology might be abused to plant malware in portions of a system anti-malware are not permitted to scan.

Intel’s threat model for SGX assumes fully trusted enclaves, an assumption called into question by the newly published research.

The researchers claim they have developed the “first enclave malware which fully and stealthily impersonates its host application”.

The security weakness – combined with poorly deployed application isolation on personal computers – creates a route for malicious code to steal or encrypt user data on compromised systems, as well as abusing the compromised system to attack other computers.

The SGX-ROP attack circumvents layers of protection, including ASLR, stack canaries, and address sanitizer. (ROP is Return Oriented Programming, an exploit technique.)

Left unresolved, the finding shows that SGX Enclave increases rather than decreases the security threat to its users, the Graz team concludes.

“We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits,” the researchers conclude in a paper, entitled Practical Enclave Malware with Intel SGX (PDF).

“With our results, we seek to demystify the enclave malware threat and lay solid ground for future research on and defence against enclave malware.”

The researchers published proof-of-concept code to go alongside their research on Tuesday.

Hiding malware in an SGX enclave is more complex than conventional approaches, but it has advantages in giving attackers “plausible deniability and stealthiness until they choose to launch the attack”, according to the team at Graz.

“Possible scenarios range from synchronized large-scale denial-of-service attacks to targeted attacks on individuals,” they warn.


Daniel Gruss – a member of the Graz team that developed the SGX-ROP attack after earlier playing a key role in one of the three team that outed the Meltdown vulnerability early last year – explained how a potential attack abusing Intel's SGX technology might work in a discussion thread on Twitter.

Gruss explained: “Take an exploit, encrypt it, put it in an SGX enclave, decrypt only after remote trigger signal, run exploit via ROP chain on host app, remove traces of ROP immediately + continue regular host execution, repeat on other victims.”

In response to queries from The Daily Swig, Gruss outlined possible mitigation techniques.

“[Intel should] reduce the amount of memory sharing to the minimum that is required,” he said. “There is absolutely no reason to share host vtables with the enclave. Implicit sharing should be replaced by explicit sharing, that would solve the problem.”

In response to queries from The Daily Swig, Intel said the attack scenario outlined by the researchers was out of scope for the type of threat SGX was designed to defend against.

“Intel is aware of this research which is based upon assumptions that are outside the threat model for Intel SGX,” a spokesperson said.

“The value of Intel SGX is to execute code in a protected enclave; however, Intel SGX does not guarantee that the code executed in the enclave is from a trusted source. In all cases, we recommend utilizing programs, files, apps, and plugins from trusted sources.

“Protecting customers continues to be a critical priority for us and we would like to thank Michael Schwarz, Samuel Weiser, and Daniel Gruss for their ongoing research and for working with Intel on coordinated vulnerability disclosure,” Intel added.

SGX, an instruction-set extension for protecting trusted code, which debuted with the introduction of Intel’s Skylake microarchitecture.