Researchers use Intel’s Software Guard Extensions to conceal malware
Why it matters to you
This kind of discovery demonstrates why ongoing security research is so important, as even a major company like Intel can be subject to unseen vulnerabilities.
Intended to help users keep their systems safe and secure, Intel Software Guard Extensions is a set of CPU instructions that can make particular portions of code and data private. However, a new paper suggests that SGX could in fact be used to facilitate a malicious attack.
Samuel Weiser and four collaborators from the Graz University of Technology in Austria have published research that demonstrates how SGX can be used to conceal a piece of malware. Within minutes, this technique was used to gain access to RSA keys hidden in SGX enclaves, according to a report from The Register.
More: Password manager Dashlane now integrates with Intel SGX for hardware security
The researchers developed a method of monitoring vulnerable cache sets that allowed them to spot the telltale signature of an RSA key calculation. “Key recovery comes in three steps,” reads the paper. “First, traces are preprocessed. Second, a partial key is extracted from each trace. Third, the partial keys are merged to recover the private key.”
Tests were run on an SGX-capable Lenovo ThinkPad T460S, which was running Ubuntu version 16.10. The team found that a single cache trace offered access to 96 percent of a 4,096-bit RSA key, and it only took eleven traces for the complete key to be assembled. The process took less than five minutes.
The authors of the paper said it’s possible to block the type of attack that they’ve demonstrated. However, the responsibility of addressing the vulnerability falls to Intel, as changes made to operating systems could end up causing further damage to the SGX model.
This isn’t the first time that Weiser has gone public with evidence that SGX is vulnerable. In January 2017, he was part of a group of researchers that published a paper that demonstrated how its input-output protections could be abused to gain access to private user data.