Researchers from the University of Iasi and the University of Switzerland have published a paper describing a white hat malware attack that targets Intel’s Software Guard Extension (SGX). Essentially, software guard extensions are a set of hardware instructions designed to provide a secure execution environment for user-developed applications.
“To our knowledge, there was no serious attempt yet to overcome the SGX protection by leveraging the software supply chain infrastructure, such as weaknesses in the development, build or signing servers,” the researchers explain. “While SGX protection does not specifically take into consideration such threats, we show that a simple malware attack exploiting a separation between the build and signing processes can have a serious damaging impact, practically nullifying the SGX integrity protection measures.”
According to the paper, the white hat malware attack is similar to any infection of executable files where malicious code is hooked on the execution flow and the injection takes place in the free space within the executable section. However, when targeting SGX, the researchers also analyze the ecall table, test whether pointers belong to trusted or untrusted memory areas and synchronize with untrusted code through spin locks.
“We provided a practical use case for our attack methodology, which is able to successfully extract sensitive data from the secure enclave space,” the paper confirms. “[However], this use case is generic enough to be applied to multiple cases of enclaves.”
In real-world terms, this means that a malicious entity with knowledge of a specific enclave's functionality can mount more targeted attacks – such as altering the behavior of the enclave code itself.
“The flexibility of the attack scenario, which requires essentially just a window of opportunity between the building and the signing of an enclave, makes it quite problematic,” the researchers add.
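The build-to-sign window the researchers describe is exactly where a measurement taken at build time and re-checked at signing time closes the gap. The following added example (not from the paper or from any vendor's tooling) models that control in Python over a constructed enclave image: the build stage records a SHA-256 of the exact bytes it produced, a simulated tamper places bytes into the zero padding of the executable section without changing its size, and the signing gate refuses to sign because the measurement no longer matches. The HMAC stands in for the vendor's real signature over the measurement, and the names `build_manifest`, `gated_sign` and `inject_into_padding` are assumptions for this illustration.

```python
import hashlib
import hmac

# Constructed stand-in for a built enclave image: a tiny code stub followed by
# the zero padding that rounds the executable section out to a page boundary.
ENCLAVE_CODE = bytes.fromhex("554889e5b8010000005dc3")
PAGE = 4096
BUILT_ENCLAVE = ENCLAVE_CODE + b"\x00" * (PAGE - len(ENCLAVE_CODE))


def build_manifest(image: bytes) -> dict:
    """Build stage: record a measurement of the exact bytes that were produced.
    In real SGX the analogous value is the enclave measurement (MRENCLAVE)."""
    return {"sha256": hashlib.sha256(image).hexdigest(), "size": len(image)}


def inject_into_padding(image: bytes, payload: bytes) -> bytes:
    """Simulated tamper: bytes written into the free space at the end of the
    executable section, so the file size and layout are unchanged."""
    end = len(image.rstrip(b"\x00"))
    if end + len(payload) > len(image):
        raise ValueError("payload does not fit in the section slack")
    return image[:end] + payload + image[end + len(payload):]


def gated_sign(image: bytes, manifest: dict, signing_key: bytes) -> bytes:
    """Signing stage: sign only if the image still matches the build manifest.
    The HMAC is a stand-in for the vendor's signature over the measurement."""
    if build_manifest(image) != manifest:
        raise ValueError("enclave image changed between build and signing")
    return hmac.new(signing_key, image, hashlib.sha256).digest()


def check_tamper_rejected(signing_key: bytes = b"constructed-demo-key") -> bool:
    """Returns True when the untouched image signs and the tampered one is refused."""
    manifest = build_manifest(BUILT_ENCLAVE)
    signed = gated_sign(BUILT_ENCLAVE, manifest, signing_key)
    tampered = inject_into_padding(BUILT_ENCLAVE, b"\x90\x90\xcc")
    try:
        gated_sign(tampered, manifest, signing_key)
    except ValueError:
        return len(signed) == 32 and len(tampered) == len(BUILT_ENCLAVE)
    return False
```

Because the injected code changes no size or section boundary, a size-only or signature-after-the-fact check would miss it; only comparing the build-time measurement catches the swap.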
As the paper notes, attacks that compromise legitimate software packages during their development or distribution phases have increased in recent years. In fact, one of the most common attack vectors is the injection of malicious code into legitimate software packages during or between the development and distribution phases, such as at build or signing time.
“The most prominent example is an infected installation package of the well-known CCleaner application that included a malware deployed in the vendor’s build server,” the researchers add. “The altered binary file was downloaded by 2.27 million customers, with potentially serious effects ranging from keystrokes recording to stealing secret credentials from users.”
From our perspective, the above-mentioned white hat attack highlights the importance of an independent hardware security co-processor. A security co-processor can offer secure execution of user applications, tamper detection and protection, as well as secure storage and handling of keys and security assets. Although located on the same silicon as the main processor, the secure processing core can be physically separated. This layered security approach enforces access controls on crypto modules, memory ranges, I/O pins and other sensitive resources. It also ensures that critical keys are only available through hardware – with no access by software.
An independent hardware security co-processor can also offer true multiple-root-of-trust capabilities, with each individual application assigned its own unique keys. Put simply, this means permissions and access levels are set independently of one another. Moreover, applications are safely siloed from each other.