On the recent side-channel attacks on Intel SGX
by Jethro Beekman – Mar 1, 2017 . Filed under: English, Technology, Security, SGX, Side-channel Attacks.
Side-channel attacks are my favorite attack in computer security because they poke giant holes in the abstraction and security models that system designers are using. When I hear of a new attack avenue in this space, my first reaction often is “wow, that is so cool” and “I didn’t even think about that.”
In the past week, two papers have been published on arXiv detailing side-channel attacks on Intel SGX. While the existence of such attacks should be taken seriously by people designing systems using Intel SGX (which includes yours truly), these particular attacks are not very interesting.
First of all, these attacks really shouldn’t come as a surprise to anyone following this space. Cache-based side-channel attacks are a well-known attack vector. Many papers detailing new techniques have been published over the last couple of years. There’s Evict+Time and Prime+Probe, Flush+Reload, Flush+Flush, etc. Ge et. al. present a good overview of the current state of the art. Intel explicitly states in their Enclave Writer’s Guide that they don’t protect against attacks at cache line or higher granularity.
Second of all, both attacks are exploiting well-known flaws in modular exponentiation implementations. We know how to do constant-time RSA. On top of that, both papers are at best slightly misleading in describing their attack targets.
From the first paper:
As our victim enclave we chose an RSA implementation from the Intel IIP crypto library in the Intel SGX SDK. The attacked decryption variant is a fixed-size sliding window exponentiation, the code is available online at [32]. The Intel IIP library includes also a variant of RSA that is hardened against cache attacks [33].
If you look at how these two variants are used, you can see that only computations with the public exponent are done with the “vulnerable” variant, whereas computations with the private exponent use the “hardened” variant. So, unless you are somehow swapping your public and private exponents, using this crypto library as documented will prevent this attack for you.
From the second paper’s abstract:
We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive.
Even though the library they use might have a multiplication primitive that is constant-time, as the authors explain further on in the paper, the modular exponentiation primitive is not. In fact, the modular exponentiation algorithm is the textbook example of an algorithm with a secret-dependent branch:
int modexp(int base, int exponent, int modulus) { int result = 1; for (int i = 0; i < exponent.bits(); i++) { result = modsqr(result, modulus); if (exponent & (1<<i)) { // access bit `i` result = modmul(result, base, modulus); } } return result; }
If for each iteration of the loop you can detect whether the multiplication happenned or not, you can reconstruct the individual bits of the exponent. This is a fun attack, but as mentioned, this is basically the most well-known timing attack, first described by Kocher 22 years ago. Oh and the library? It implements the blinding mitigation also mentioned in that seminal paper.
To summarize: Yes, programs running with Intel SGX are vulnerable to side-channel attacks. The same side-channel attacks that have been used for years on modern x86 platforms. This is well-documented. SGX does present a slightly different threat model which makes deployment of side-channel attacks more likely. Hopefully everyone using SGX is implementing countermeasures. They do exist, and are already implemented by most cryptography libraries.
New OPT STEM extension rules
by Jethro Beekman – Mar 9, 2016 . Filed under: English, Policy, Immigration, F-1 Visa, F-1 OPT.
Today, the U.S. Department of Homeland Security announced that the new rules regarding the “Optional Practical Training STEM extension” for international students in the U.S. on F-1 visas will be published in the Federal Register on Friday. The new rules are a result of a lawsuit against DHS that would result in an invalidation of the old rules. The new rules are “better” in some respects and “worse” in others. In this blog post I will review some of the most important changes and how they will affect international students. Continue reading… – Comments
Intel has full control over SGX
by Jethro Beekman – Oct 13, 2015 . Filed under: English, Technology, Security, SGX.
Intel has full control over what software you can run in SGX. This might seem redundant: Intel makes the processor, so of course they have full control. Yet the truth is slightly more inconvenient. When Intel processors don’t run the instructions in your standard software (whether incorrectly or at all), that is a defect at best and a breach of contract at worst. Yet the SGX instruction set includes in its specification that Intel has the authority to make this go/no-go decision. Continue reading… – Comments
SGX Hardware: A first look
by Jethro Beekman – Oct 8, 2015 – Updated: Dec 9, 2015. Filed under: English, Technology, Security, SGX.
Without much fanfare, Intel has released Software Guard Extensions (SGX) in Skylake. When I say “without much fanfare,” I mean practically only the following paragraph hidden on page 3 of a press fact sheet: Continue reading… – Comments
On OpenSSH and Logjam
by Jethro Beekman – May 20, 2015 . Filed under: English, Technology, Security, SSH.
Recent work showing the feasibility of calculating discrete logarithms on large integers has put the Diffie-Hellman key exchange parameters we use every day in the spotlight. I have looked at what this means for SSH key exchange. In short, on your SSH server, do the following: Continue reading… – Comments