CopyCat: Controlled Instruction-Level Attacks on Enclaves
Abstract
The adversarial model presented by trusted execution environments (TEEs) has prompted researchers to investigate unusual attack vectors. One particularly powerful class of controlled-channel attacks abuses page-table modifications to reliably track enclave memory accesses at a page-level granularity. In contrast to noisy microarchitectural timing leakage, this line of deterministic controlled-channel attacks abuses indispensable architectural interfaces and hence cannot be mitigated by tweaking microarchitectural resources. We propose an innovative controlled-channel attack, named CopyCat, that deterministically counts the number of instructions executed within a single enclave code page. We show that combining the instruction counts harvested by CopyCat with traditional, coarse-grained page-level leakage allows the accurate reconstruction of enclave control flow at a maximal instruction-level granularity. CopyCat can identify intra-page and intra-cache line branch decisions that ultimately may only differ in a single instruction, underscoring that even extremely subtle control flow deviations can be deterministically leaked from secure enclaves. We demonstrate the improved resolution and practicality of CopyCat on Intel SGX in an extensive study of single-trace and deterministic attacks against cryptographic implementations, and give novel algorithmic attacks to perform single-trace key extraction that exploit subtle vulnerabilities in the latest versions of widely-used cryptographic libraries. Our findings highlight the importance of stricter verification of cryptographic implementations, especially in the context of TEEs.
Cite
@article{arxiv.2002.08437,
title = {CopyCat: Controlled Instruction-Level Attacks on Enclaves},
author = {Daniel Moghimi and Jo Van Bulck and Nadia Heninger and Frank Piessens and Berk Sunar},
journal= {arXiv preprint arXiv:2002.08437},
year = {2020}
}
Comments
This paper will be presented at USENIX Security Symposium 2020. Please cite this work as: Daniel Moghimi, Jo Van Bulck, Nadia Heninger, Frank Piessens, Berk Sunar, "CopyCat: Controlled Instruction-Level Attacks on Enclaves" in Proceedings of the 29th USENIX Security Symposium, Boston, MA, August 2020