SmashEx attack compromises Intel SGX enclaves

SmashEx and Intel SGX attack
Written by Emma Davis

Scientists from universities in China, Singapore and Switzerland talked about a new SmashEx attack that helps to compromise Intel SGX enclaves and steal sensitive data from the most secure area of the Intel processor.

Let me remind you that with the release of the Skylake architecture, Intel introduced a technology called SGX (Software Guard Extensions). SGX is a set of CPU instructions through which applications can create protected zones (enclaves) in the application’s address space, inside which, under reliable protection, various confidential data can be stored. SGX enclaves are usually isolated at the hardware level (SGX memory is separated from the rest of the CPU memory) and at the software level (SGX data is encrypted). The developers themselves describe this technology as a kind of “inverse sandbox”.

The SmashEx attack allows malware running on the same OS to abuse a feature that allows the CPU to suspend SGX operations to enter the enclave and retrieve data. Here’s how the researchers describe it themselves:

For the sake of normal operation, the SGX design allows the OS to interrupt the enclave at any time using configurable hardware exceptions. This feature allows enclave runtimes (such as Intel SGX SDK and Microsoft Open Enclave) to support in-enclave exceptions and signal handling, but also opens enclaves for bugs like re-entrancy.

SmashEx is an attack that uses enclave SDKs that do not handle re-entrancy in their exclusive security, which is difficult for SGX. Proof-of-concept SmashEx exploits allow code reuse (for example, ROP) and achieve disclosure of confidential data in enclaves built using vulnerable runtime.

Experts conducted tests successfully to extract the RSA encryption key from the Intel SGX enclave used by the server to encrypt HTTPS traffic. They were also able to extract content processed by the Microsoft Open Enclave cURL application used by Azure servers.

RSA from Intel SGX SSL

The details of the SmashEx attack were released just this week after Intel and Microsoft released fixes to address this issue in their SDKs, namely the Intel SGX SDK (CVE-2021-0186) and the Open Enclave SDK (CVE-2021-33767). At the same time, the research group states that there are many other SDKs for which the SmashEx attack is also dangerous, and their developers must now also release their own patches. This applies to SGX SDKs from Google, Apache and Arm.

Vulnerable SGX generations

Let me remind you that we also talked about the fact that Pay2Key ransomware attacked Intel-owned Habana Labs company.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply