Researchers hide malware in Intel SGX enclaves

A team of academics has found a way to abuse Intel SGX enclaves to hide malicious code from security software and to allow the creation of what researchers are calling “super-malware.”

Intel Software Guard eXtensions (SGX) is a feature found in all modern Intel CPUs that allow developers to isolate applications in secure “enclaves.”

The enclaves work in a hardware-isolated section of the CPU’s processing memory where applications can run operations that deal with extremely sensitive details, such as encryption keys, passwords, user data, and more.

Until today, the only known vulnerabilities impacting SGX enclaves had been side-channel attacks that leaked the data being processed inside an enclave, revealing an app’s secrets.

But in a research paper published today, security researchers showed that SGX enclaves could be used as a place to hide undetectable malware.

This never-before-seen concept relies on attackers being able to install or trick a user into installing an app that sets up a malicious enclave.

Creating and loading a malicious enclave isn’t as easy as it sounds because Intel’s SGX technology only accepts and launches enclaves that have been signed with a signature key found on an internal whitelist of approved keys. These keys are usually handed out to approved developers.

But the research team says there are at least four methods in which a threat actor could get his hands on a signature key, and sign a malicious enclave.

“In fact, we have a report from a student who independently of us found that it is easy to go through Intel’s process to obtain such signing keys,” researchers said. [We will not list all four methods, but they can be found on page two of the researchers’ paper.]

However, even if attackers manage to sign, implant, and then run a malicious enclave, that still doesn’t mean the system has been infected because SGX enclaves also don’t have full access to the same type of operations that the local OS has, being restricted to a few commands.

But in their research paper, the academics went around this limitation by using an exploitation technique known as return-oriented programming (ROP) to piggy-back on Intel Transactional Synchronization eXtensions (TSX) to allow the malicious enclave access to a wider set of commands that it is normally entitled to.

“Our SGX-ROP attack uses new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code-reuse attack from within an enclave which is then inadvertently executed by the host application,” said the research team.

“With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer,” they added. “We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits.”

The research team has published proof-of-concept code showing that attacks using enclave malware are now possible at a practical level.

Since SGX enclaves are meant to work separately and be out of reach of the main operating system, any malicious enclave is theoretically impossible to detect by security products, and is the equivalent of a rootkit on steroids.

“Intel is aware of this research which is based upon assumptions that are outside the threat model for Intel® SGX. The value of Intel SGX is to execute code in a protected enclave; however, Intel SGX does not guarantee that the code executed in the enclave is from a trusted source,” an Intel spokesperson told us via email. “In all cases, we recommend utilizing programs, files, apps, and plugins from trusted sources. Protecting customers continues to be a critical priority for us and we would like to thank Michael Schwarz, Samuel Weiser, and Daniel Grus for their ongoing research and for working with Intel on coordinated vulnerability disclosure.”

More details are available in the research paper titled “Practical Enclave Malware with Intel SGX,” available as a PDF download from here.

This research is also not the first of its kind. A week before the publication of this paper, Intel security researcher Marion Marschalek also showed how malicious code could abuse SGX enclaves to infect systems. Video below.

Article updated with Intel statement and video of second research on SGX enclave malware.

Related security coverage: