A group of academic researchers from Georgia Tech and Purdue University has demonstrated that a passive DIMM interposer can be used to break Intel SGX’s DCAP attestation mechanism.
Called WireTap (PDF), the attack requires physical access to a server that uses SGX, and relies on an interposer that can be constructed using readily-available second-hand electronics for less than $1,000.
Intel SGX (Software Guard Extensions) is built into some Intel CPUs and its purpose is to help protect sensitive data and code from being accessed or tampered with, even if the rest of the system is compromised.
Once in place, the interposer allowed the academics to slow down and collect DDR4 bus traffic, and then take control of the SGX enclave by flushing the cache. Next, the academics targeted SGX’s cryptographic security mechanism, and extracted the machine’s attestation key within 45 minutes.
The compromised key, the academics explain, can then be used to break confidentiality guarantees of numerous deployments, such as the Phala and Secret privacy-preserving smart contract networks, and the Crust centralized blockchain storage system.
In their attacks against Phala and Secret, the academics were able to extract keys for contract data encryption by forging quotes in a custom quoting enclave, which allowed them to decrypt the smart contract state across the network.
Against Crust, the researchers demonstrated that an attacker can use the compromised key and a modified enclave to fake proofs of storage, thus breaking the integrity and correctness of a network node’s actions.
“One can build a device to physically inspect all memory traffic inside a computer cheaply and easily, in environments with only basic electrical tools, and using equipment easily purchased on the internet. Using our interposer device against SGX’s attestation mechanism, we are able to extract an SGX secret attestation key from a machine in fully trusted status, thereby breaching SGX’s security,” the researchers say.
The WireTap attack, the academics note, can be mitigated by avoiding the use of deterministic memory encryption, by ensuring sufficient entropy inside each encryption block, encrypting the signature inside the attestation quote, imposing higher bus speeds, and providing a single master key to all SGX enclaves from a single system that has enhanced protections in place.
The researchers reported their findings earlier this year to Intel and to the affected SGX deployments. In a statement this week, Intel acknowledged the attack, but pointed out that the attack assumes that a threat actor has physical access to the hardware with a memory bus interposer, and that it is outside the scope of the products’ threat model.
Related: Battering RAM Attack Breaks Intel and AMD Security Tech With $50 Device
Related: NIST Publishes Guide for Protecting ICS Against USB-Borne Threats
Related: CISO Conversations: John ‘Four’ Flynn, VP of Security at Google DeepMind
Related: Cisco’s Quantum Bet: Linking Small Machines Into One Giant Quantum Computer
