
The first Intel SGX malware has arrived

A group of experts published their research on this attack

Network security and ethical hacking specialists from the International Institute of Cyber Security report the emergence of the first functional malware for Intel Software Guard Extensions (Intel SGX). The research group believes that the weaknesses present in SGX, a feature designed to reinforce Intel's security, could cause extensive damage, since they allow attackers to deploy very advanced malware variants.

According to its official website, Intel SGX is "an extension of architecture developed to improve the security of the data and the application code". Michael Schwarz, Daniel Gruss and Samuel Weiser, specialists in network security, discovered a way to hide malware inside Intel SGX enclaves.

The experts used a technique known as return-oriented programming (ROP) to design their own enclave application and carry out various malicious activities, such as bypassing address space layout randomization (ASLR) at the operating-system level or executing arbitrary code to extract confidential information.

The researchers have shown that enclaves can escape their SGX execution environment and bypass any communication interface prescribed by their host. Previously it was assumed that an enclave, and any code running inside it, was confined to the parts of the system its host chose to expose and could not otherwise interact with the rest of the operating system; this team has shown that this assumption was wrong.

To perform the attack, the experts resorted to the Transactional Synchronization Extensions (TSX) feature available on recent processors, which let them scan system memory from inside the enclave for virtual addresses accessible to the current process. According to network security specialists, this intrusion is not detectable, because software at the operating system level cannot inspect the contents of the enclave.

The researchers consider this information useful for developing protections for the next generation of computer equipment. In addition, some security measures against these attack vectors may not necessarily require software modifications, although their implementation may have some impact on equipment performance.
