Researchers have found a way to run malicious code on systems with Intel processors in such a way that antivirus software cannot analyze or identify it, using the processor's own features to protect the bad code. As well as making malware in general harder to analyze, bad actors could use this protection to, for example, write ransomware applications that never disclose their encryption keys in readable memory, making it harder to recover from attacks.
Michael Schwarz, Samuel Weiser, and Daniel Gruss (one of the researchers behind last year's Spectre attack) take advantage of a feature that Intel introduced with its Skylake processors, known as SGX ("Software Guard eXtensions"). SGX enables programs to establish enclaves in which the code and the data it operates on are protected to ensure their confidentiality (nothing else on the system can spy on them) and integrity (any tampering with the code or data can be detected). The contents of an enclave are transparently encrypted every time they are written to RAM and decrypted when they are read. The processor governs access to enclave memory: it blocks any attempt to access the enclave's memory from code outside the enclave; the decryption and encryption occur only for code within the enclave.
SGX was promoted as a solution to a range of security concerns when a developer wants to protect code, data, or both from prying eyes. For example, an SGX enclave could be run on a cloud platform to run custom algorithms, so that the cloud provider cannot determine what the algorithms do. On client computers, SGX enclaves could be used in a similar way to enforce DRM (digital rights management) restrictions; the decryption process and the decryption keys that the DRM uses could be kept within the enclave, unreadable to the rest of the system. There are biometric products on the market that use SGX enclaves to process biometric data and store it securely so that it cannot be tampered with.
SGX is designed for a particular threat model: the enclave is trusted and contains something sensitive, but everything else (the application, the operating system, and even the hypervisor) is potentially hostile. Although there have been attacks on this threat model (for example, improperly written SGX enclaves can be vulnerable to timing attacks or Meltdown-style attacks), it appears to be robust as long as certain good practices are followed.
Let's ignore Intel's threat model
The researchers are using that robustness for nefarious purposes and considering the question: what happens if the code in the enclave is itself malicious? By design, SGX makes it impossible for antimalware software to inspect or analyze the running malware. This would make it a promising place to put malicious code. However, code in an enclave is quite restricted. In particular, it has no provision for making operating system calls; it cannot open files, read data from disk, or write to disk. All of those things must be done from outside the enclave. On the face of it, then, a ransomware application built on SGX would need significant code outside the enclave: the pieces to enumerate all your documents, read them, and overwrite them with their encrypted versions would not be protected. Only the encryption operation itself would occur within the enclave.
Enclave code does, however, have the ability to read and write anywhere in the unencrypted process memory; while nothing outside the enclave can look inside, anything inside the enclave is free to look outside. The researchers used this ability to scan through the process's memory and find the information needed to build a return-oriented programming (ROP) payload to run code of their choosing. ROP chains together small fragments of executable code that are part of the host application to make it do things the host application was never intended to do.
Some trickery was needed to perform this reading and writing. If enclave code tries to read memory that is unallocated or write memory that is read-only, the usual behavior is to generate an exception, and the processor switches out of the enclave to handle the exception. This would make it impossible to scan the host's memory, because once the exception occurred, the malicious enclave would no longer be running, and the program would in all likelihood crash. To cope with this, the researchers revisited a technique that was also found to be useful in the Meltdown attack: they used another Intel processor feature, the Transactional Synchronization eXtensions (TSX).
TSX provides a constrained form of transactional memory. Transactional memory allows a thread to modify a number of different memory locations and then publish those modifications in one single atomic update, such that other threads see either none of the modifications or all of them, never a partially written intermediate state. If a second thread has tried to change the same memory while the first thread was making its modifications, the attempt to publish the modifications is aborted.
The intent of TSX is to make it easier to develop multithreaded data structures that do not use locks to protect their modifications; these can be much faster than lock-based structures, especially under heavy load. However, TSX has a side effect that is particularly convenient: attempts to read or write unallocated or unwritable memory from within a transaction do not generate exceptions. Instead, they simply abort the transaction. Critically, this abort does not leave the enclave; instead, it is handled within the enclave.
This gives the malicious enclave all it needs to do its dirty work. It scans the memory of the host process to find the components for its ROP payload and somewhere to write that payload, then redirects the processor to run it. Typically, the payload would do something such as mark a section of memory as executable, so the malware can have its own set of support functions…
Signed, sealed, and delivered
The processor will not load just any old code into an enclave. Developers need to enter into a "commercial agreement" with Intel to develop enclave applications. Under this agreement, Intel approves a developer's code-signing certificate and adds it to a whitelist. A special Intel-developed enclave (which is implicitly trusted by the processor) then inspects each piece of code as it is loaded to ensure that it has been signed by one of the whitelisted certificates. A malware developer might not want to enter into such an agreement with Intel, and the terms of the agreement explicitly prohibit the development of SGX malware, although one could question the value of this restriction.
A malware author could write an enclave that loads a payload from disk and then executes it; the loader would need a whitelisted signature, but the payload would not. This approach is useful in any case because, although enclave code runs in encrypted memory, the enclave libraries stored on disk are not themselves encrypted. With dynamic loading, the payload on disk could be encrypted and only decrypted once it is loaded into the enclave. The loader itself would not be malicious, giving some plausible deniability that anything nefarious was planned. In fact, an enclave could be entirely benign but contain exploitable flaws that allow attackers to inject their malicious code inside; SGX does not protect against plain old coding errors.
This aspect of SGX has been widely criticized, as it makes Intel a gatekeeper of sorts for all SGX applications. Accordingly, second-generation SGX systems (including certain processors branded as eighth generation or newer) relax this restriction, so that it is possible to start enclaves that are not signed by Intel's whitelisted signers.
The research therefore shows that SGX can be used in a way that is not really meant to be possible: malware can live within a protected enclave such that the unencrypted code of the malware is never exposed to the host operating system, including antivirus software. In addition, the malware is not confined to the enclave: the host application can be subverted to access operating system APIs, opening the door to attacks such as ransomware-style encryption of a victim's files.
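A defender-side check for the hardware preconditions the research relies on (SGX enclaves, TSX transactions, and relaxed launch control), added here as an example and not taken from the article or the researchers. It assumes a Linux host whose /proc/cpuinfo reports the "sgx", "sgx_lc" and "rtm" flags; the function names and the sample input are constructed for illustration.

```python
import re

# /proc/cpuinfo flag names as exposed by Linux (assumption: a kernel recent
# enough to report "sgx" and "sgx_lc"; older kernels omit them entirely).
FEATURES = {
    "sgx": "SGX enclaves available",
    "sgx_lc": "flexible launch control (signers outside Intel's whitelist)",
    "rtm": "TSX transactions (faults abort instead of raising exceptions)",
}

def cpu_flag_sets(cpuinfo_text):
    """Return one set of flags per logical CPU listed in cpuinfo text."""
    sets = []
    for line in cpuinfo_text.splitlines():
        # Anchored match, so the separate "vmx flags" line is ignored.
        m = re.match(r"flags\s*:\s*(.*)", line)
        if m:
            sets.append(set(m.group(1).split()))
    return sets

def assess(cpuinfo_text):
    """Map each feature to True only if every logical CPU reports it."""
    sets = cpu_flag_sets(cpuinfo_text)
    present = {n: bool(sets) and all(n in s for s in sets) for n in FEATURES}
    # The technique described above needs an enclave (sgx) and in-enclave
    # fault suppression (rtm); sgx_lc only removes the signing hurdle.
    present["probe_preconditions"] = present["sgx"] and present["rtm"]
    return present

def report(cpuinfo_text):
    """Render the assessment as a short text report."""
    result = assess(cpuinfo_text)
    rows = [f"{'yes' if result[n] else 'no':3} {n:7} {d}" for n, d in FEATURES.items()]
    state = "present" if result["probe_preconditions"] else "absent"
    return "\n".join(rows + [f"preconditions for in-enclave memory probing: {state}"])

# Constructed sample: two logical CPUs, both with SGX and RTM, no sgx_lc.
SAMPLE = """processor : 0
flags : fpu vme sse2 rtm hle sgx avx2
processor : 1
flags : fpu vme sse2 rtm hle sgx avx2
"""

if __name__ == "__main__":
    # On a Linux host, pass open("/proc/cpuinfo").read() instead of SAMPLE.
    print(report(SAMPLE))
```

On hosts that run no enclave workloads, SGX can be disabled in firmware setup, which removes the first precondition.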
About that threat model…
The attack is esoteric, but as SGX becomes more commonplace, researchers will poke at it more and more and find ways to subvert and co-opt it. We saw similar things with the introduction of hardware virtualization support; that opened the door to a new breed of rootkit that could hide from the operating system, taking a valuable feature and using it for bad things.
Intel is aware of the research, responding:
Intel is aware of this research, which is based on assumptions that are outside the threat model for Intel® SGX. The value of Intel SGX is to execute code in a protected enclave; however, Intel SGX does not guarantee that the code executed in the enclave is from a reliable source. In each case, we recommend using programs, files, apps, and add-ons from reliable sources. Protecting our customers is a vital priority for us, and we would like to thank Michael Schwarz, Samuel Weiser, and Daniel Gruss for their ongoing research and for working with Intel on vulnerability disclosure.
In other words, as far as Intel is concerned, SGX is working as it should, protecting the contents of the enclave from the rest of the system. If you run something malicious within the enclave, the company makes no promise that bad things will not happen to your computer; SGX is simply not designed to protect against that.
That may be so, but SGX gives developers powerful capabilities that they did not have before. "How is a bad guy going to mess with this?" is an obvious question to ask, because if it gives them an advantage, they are going to use it.