Researchers devised a new technique to hide malware in Intel SGX security enclaves, making it impossible for several security technologies to detect.

Security researchers devised a new technique to hide malware in Intel SGX security enclaves. Intel Software Guard eXtensions (SGX) is a technology for application developers that allows protecting select code and data from disclosure or modification. Intel SGX allows application code to execute within an enclave, a protected area of execution in memory.

The technique created by the experts allows them to deploy malicious code in a memory area that is protected by design, making detection hard.

Enclaves are designed to be protected from processes running at higher privilege levels, including the operating system, kernel, BIOS, SMM, and hypervisor.



The team of researchers, composed of Michael Schwarz, Samuel Weiser and Daniel Gruss of the Graz University of Technology in Austria, includes those who discovered the Spectre-Meltdown CPU vulnerabilities. They devised a method to bypass security protections and implant malware in the enclaves, leveraging a benign application that uses a malicious enclave when executed.

Experts pointed out that the host application communicates with the enclave through an interface that should not allow the enclave to attack the app.

The researchers used Transactional Synchronization eXtensions (TSX), available in modern Intel CPUs, along with a fault-resistant read primitive technique called TSX-based Address Probing (TAP).

“Our SGX-ROP attack uses new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code reuse attack from within an enclave which is then inadvertently executed by the host application. With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer.” states the research paper published by the experts.

“We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits.”

The experts developed a fault-resistant write primitive, Checking Located Addresses for Writability (CLAW), to determine whether it is possible to write to a memory page.

The primitive encapsulates the write instruction for the specific memory page within a TSX transaction and aborts the transaction just after the write operation.

The experts determine whether a target memory page is writable by analyzing the return value of the transaction.

Malware injected into the enclaves could be transparent to security solutions, including Address Space Layout Randomization (ASLR), stack canaries, and address sanitizer.
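Both primitives described above run TSX transactions from inside an SGX enclave, so a host exposes the preconditions only when the CPU offers both features. The following is an added example, not code from the paper or the article: a defender-side check that assumes a Linux host and the `/proc/cpuinfo` flag names `sgx` and `rtm`; the function names and sample inputs are constructed for illustration.

```python
from pathlib import Path

# Assumption: Linux /proc/cpuinfo flag names. "sgx" marks enclave support,
# "rtm" marks TSX restricted transactional memory.
PRECONDITIONS = {"sgx": "Intel SGX enclaves", "rtm": "Intel TSX transactions"}

def parse_flags(cpuinfo_text):
    """Return one set of feature flags per logical CPU block."""
    per_cpu = []
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            # Exact token match, so "sgx_lc" is not mistaken for "sgx".
            per_cpu.append(set(value.split()))
    return per_cpu

def exposure(cpuinfo_text):
    """Report which preconditions are visible on at least one logical CPU."""
    per_cpu = parse_flags(cpuinfo_text)
    present = {f: any(f in flags for flags in per_cpu) for f in PRECONDITIONS}
    return {
        "cpus": len(per_cpu),
        "present": present,
        # TSX probing from inside an enclave needs both features.
        "preconditions_met": bool(per_cpu) and all(present.values()),
    }

# Constructed sample inputs (not captured from real machines).
SAMPLE_BOTH = (
    "processor : 0\nflags : fpu vme sse2 rtm hle sgx sgx_lc\n\n"
    "processor : 1\nflags : fpu vme sse2 rtm hle sgx sgx_lc\n"
)
SAMPLE_NO_TSX = "processor : 0\nflags : fpu vme sse2 sgx sgx_lc\n"
SAMPLE_NO_SGX = "processor : 0\nflags : fpu vme sse2 rtm hle\n"

if __name__ == "__main__":
    path = Path("/proc/cpuinfo")
    text = path.read_text() if path.exists() else SAMPLE_BOTH
    report = exposure(text)
    for flag, label in PRECONDITIONS.items():
        state = "present" if report["present"][flag] else "absent"
        print(f"{label:<24} {state}")
    print("Both preconditions visible:", report["preconditions_met"])
```

Flag visibility depends on kernel version and firmware settings, so an absent flag means the feature is not exposed to the operating system, not necessarily that the silicon lacks it.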

“The strong confidentiality and integrity guarantees of SGX fundamentally prohibit malware inspection and analysis, when running such malware within an enclave.” continues the analysis.

“Moreover, there’s a potential threat of next-generation ransomware which securely keeps encryption keys inside the enclave and, if implemented correctly, prevents ransomware recovery tools,” the academics explain.

The experts published a proof-of-concept exploit that bypassed ASLR, stack canaries, and address sanitizer; the overall exploit process took only 20.8 seconds. Hardware and software mitigations against this new attack will be implemented by Intel in future generations of CPUs.

“With SGX-ROP, we bypassed ASLR, stack canaries, and address sanitizer, to run ROP gadgets in the host context enabling practical enclave malware.” conclude the researchers.

“We conclude that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits.”

Pierluigi Paganini

(SecurityAffairs – SGX enclaves, hacking)