DEPARTMENT OF COMPUTER SCIENCESOFTWARE AND SYSTEMS SECURITY RESEARCH GROUP

How infeasible the malware deployment in SGX is in real-life?12 myths in 15 minutesCan Malware benefit from SGX?

Kubilay Ahmet KüçükDphil candidate, 5th year, Supervisor: Prof. Andrew Martin.Systems Security Group.

kucuk@cs.ox.ac.uk

Questions or Contact :kucuk@cs.ox.ac.ukCopyright ikarus security

Questions or Contact :kucuk@cs.ox.ac.uk

The scope of malware in this talk?

§ Virus§ Worm§ Trojan§ Zombie/Botnet§ Phishing/Spam

§ Spyware§ Keylogger§ Sniffer§ Ransomware§ …..

• Windows PC, only• What do they

target?• Relatively bad behavior is not malware• Forced-malware vs. Free-malware• Out of malware definition; advanced persistent

threat (APT).• Grayware is not malware.

Questions or Contact :kucuk@cs.ox.ac.uk

Good to have Characteristics of Malware

§ Persistence across boot cycles/Load at startup

§ Communication on Demand

§ Full Un-Detection (FUD)

§ Access to System Calls/APIs

§ As High as possible Privileges

§ Unrestricted resources

§ Infect more audience

§ Maximize Revenue/profit

§ …..

Questions or Contact :kucuk@cs.ox.ac.uk

Existing difficulties in Malware detection

§ RunPE Method (process/portable executable) and any others– Inject Malicious payload to legit processes at runtime.– Enjoy high complexity.– Malware injection from enclave is nothing new, as easy as DLL injection to detect.

Ref images: https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Questions or Contact :kucuk@cs.ox.ac.uk

Malware Infection w/o SGX

§ Drive-by infection (Flash, Java, Browsers, other bridge apps, client)1. Embed custom video-player e.g. in Facebook2. Get it shared to millions, distribute legit content, legit video player.3. Equip the video player with malware, trigger any local exploits.

Malware Business• What malware maintainers want, malware market,

• Requires fast reselling of victims. • Can one transfer malware on demand?

Questions or Contact :kucuk@cs.ox.ac.uk

What is SGX ecosystem/attack surface? Ambiguity on malware.

§ 18 instructions (13+5)§ Hardware, Mechanisms in Micro-code

(ring -3), Firmware,§ Intel’s SGX SDK, § Trusted Libraries,§ Other third-party SDKs§ Privileged Enclaves (LE, QE, AE, PSE)§ Provisioning/Manufacturing/Attestation§ Crypto and Protocols.

-----------

§ Custom Enclave Code

• Is persistent-malware taking advantage of any of these?

• Does malware gains superior features or becomes weaker?

• Where is malware placed • (in microcode, or

• in developer-defined enclave-code) ?

Questions or Contact :kucuk@cs.ox.ac.uk

Claims in literature

§ Can SGX help to deliver malware payloads?

§ Can it help to ransomware (keys, data copy/encryption/deletes, persistence,

communication)?

§ What secret operations can enclave do inside?

– Isn’t it similar to any remote operation?

§ More discussion in Refs:

§ http://theinvisiblethings.blogspot.com/2013/08/thoughts-on-intels-upcoming-software.html

§ http://theinvisiblethings.blogspot.com/2013/09/thoughts-on-intels-upcoming-software.html

§ https://www.zdnet.com/article/researchers-hide-malware-in-intel-sgx-enclaves/

§ https://arxiv.org/abs/1902.03256

§ Memory Exploit Mitigation (MEM) from Symantec

§ DEP, ASLR, SEHOP, ROP protections.

§ https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sgx-malware-explainer

§ https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection-cloud/1-0/POLICIES_6/types-of-

memory-exploit-mitigation-techniques-v123982080-d2040e17501.html

Questions or Contact :kucuk@cs.ox.ac.uk

Myth 1. Enclaves are hidden!

§ Enclaves are hidden, or Enclaves are the most-visible part of the system?

§ Network traffic§ Disk operations§ I/O on main memory§ Interface with untrusted part§ Usage patterns§ CPU utilization

Questions or Contact :kucuk@cs.ox.ac.uk

Myth 2. Payload-bound Key generation!

§ EGETKEY is NOT based on fetched payload.§ Enclave is once measured at creation.§ The measurement is not changing if enclave loads additional data,

additional executable code segments.§ Enclave ID, therefore, enclave-based derived keys are based on initial

binary (that is inspectable)§ Generating independent keys in enclave is similar to generating at a

remote location.

§ Note: might be more discussions with SGX KSS (key sharing and separation)

Questions or Contact :kucuk@cs.ox.ac.uk

Myth 3. Enclaves will deliver malware secretly!

§ Do enclaves receive the payload out of nowhere?§ Enclave can fetch secret code at runtime, measured or not attested.§ Benign Enclave can fetch potentially malicious code, extract for

future attacks.§ Is this a feasible method to deliver malware?

– Enclave unavailability, Enclave responsiveness§ Can we cure the enclave by injecting healing code?

– Does malware utilize PKI here or SGX features directly?

Questions or Contact :kucuk@cs.ox.ac.uk

Myth 4. Ransomware key management will be super-easy to scale!

§ Will ransomware key management become easier or more difficult with SGX?

§ Key for every victim,§ Or derive from enclave.

§ Isn’t extra step to manage the payload key and ransomware key?

Questions or Contact :kucuk@cs.ox.ac.uk

Other Myths

§ Myth 5. SGX-malware will cause persistent threat!

– Enclaves are not persistent.

§ Myth 6. SGX-malware will communicate independently!

– Enclaves depend on untrusted channels.

§ Myth 7. SGX-malware will be fully-undetected!– Same malware detection mechanisms apply outside memory.

§ Myth 8. SGX-malware will access to System Calls!

– Anything done untrusted is similar to RunPE or other existing mechanisms.

§ Myth 9. SGX-malware will have high privileges!

– Enclave privileges are limited by design.

§ Myth 10. SGX-malware will have unlimited resources, access all memory!– Any non-SGX malware has full access to memory, not enclaves.

§ Myth 11. SGX-malware can target more audience, infect more victims!

– SGX enabled devices are less than normal amount of victims, disabled/destroyed at many.

§ Myth 12. SGX-malware will be easier to maintain, make more profit!

– Difficulties in malware sustainability due to ecosystem dependencies.

Questions or Contact :kucuk@cs.ox.ac.uk

Can SGX boost any characteristics of malware?

Characteristics Malware in Enclave Non-SGX Malware in System

Persistence Needs to trigger Registry, Services, Drivers

Communication Needs untrusted channels In high noise

Detection Visible resources and I/O Existing methods apply

System Calls Needs untrusted assistance Direct access

Privileges Not privileged/Ring 3 Can escalate/Ring 0

Resources Limited Unlimited

Audience CPU dependencies Independence

Key management Extra steps to manage payload Existing PKI

Availability Low availability Always On

Access to User Assets Indirectly Direct Access

Maintenance Specific dependencies Easy-to-resell

Why SGX weakens the malware in real-life? + 10 disadvantagesThe reasons why malware hates enclaves:

Questions or Contact :kucuk@cs.ox.ac.uk

SGX zero-days in Malware-as-a-Service (MaaS)

§ Likely possible to see SGX-relevant zero—day exploits in dark markets to be part of premium malware services

§ TCB update.– Document Number: 604224. Performance Monitoring Impact of Intel®

Transactional Synchronization Extension Memory

Questions or Contact :kucuk@cs.ox.ac.uk

What can qualify to be SGX-malware?

§ SGX malware, not in enclave, but in microcode(ring-3).. Can you do that like attacks in SMM(ring -2)?

§ Can you infect/exploit the architectural enclaves while no one noticing?

§ Eventually every software brings attack vector.

– Refs:– https://invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf– https://media.blackhat.com/bh-us-12/Briefings/Wojtczuk/BH_US_12_Wojtczuk_A_Stitch_In_Time_WP.pdf– https://invisiblethingslab.com/resources/bh09usa/Ring%20-3%20Rootkits.pdf– https://invisiblethingslab.com/resources/bh09usa/Attacking%20Intel%20BIOS.pdf– https://invisiblethingslab.com/resources/2011/Attacking_Intel_TXT_via_SINIT_hijacking.pdf– https://invisiblethingslab.com/resources/misc09/Another%20TXT%20Attack.pdf– https://invisiblethingslab.com/resources/bh09dc/Attacking%20Intel%20TXT%20-%20paper.pdf– https://invisiblethingslab.com/resources/bh08/part2-full.pdf

Questions or Contact :kucuk@cs.ox.ac.uk

With/out SGX – Similar possibilities

§ Cloud providers watch the network traffic (or based on complaints)– Hacker/server tenant is free to run anything.– Using SGX or not does not make any difference.

§ Hiding algorithms requires persistent communication/needs active connection.

– Domain name generation, etc.– Criminal activities/plans

Questions or Contact :kucuk@cs.ox.ac.uk

Thanks!

§ Thanks for discussions and inputs.– Michał Kowalczyk (ITL) – I. Melih Tas.

– Work-in-progress, open for collaboration, please e-mail to share your notes.

– E-mail: kucuk@cs.ox.ac.uk