Limitations of traditional side-channel attacks

Instead of compromising software by exploiting its vulnerabilities, one way to infer the sensitive data of bug-free software is using side-channel attacks. However, in traditional settings (e.g., cloud environments), communities do not consider side-channel attacks as serious security problems because these attacks generally suffer from the following limitations.

  1. Strict prerequisites. To successfully launch a side-channel attack, an attacker has to meet several requirements that are difficult to satisfy in practice. For instance, Flush+Reload cache attacks require spy (under the control of the attacker) and victim programs to be located in the same physical CPU core. Moreover, the spy program needs to know the addresses of the shared libraries used by the victim program. To improve the accuracy and resolution of the attack, the spy program has to synchronize with the execution of the victim program that is of interest (e.g., processing sensitive data).

  2. High levels of noise. Measuring side-channel information suffers from high levels of noise. The sources of the noise include both the underlying system (i.e., the OS kernel) and other concurrent programs. That is, the OS kernel and other concurrent programs can share the CPU caches with victim and spy programs, and therefore easily interfere the states of the caches. As a result, the spy program, which launches cache-based attacks, can obtain noisy information.

  3. Low temporal resolution. With only the control over the spy program, the attacker can affect (i.e., slow down) the execution time of the victim program. As a result, the frequency of side-channel probing, which depends on how the OS schedules the spy and victim programs, is relatively low. Such low temporal resolution of the information makes the attacks less effective in practice.

One root cause of the abovementioned limitations in traditional settings is its weak adversary model; that is, in a cloud-like environment, an attacker has no privilege to control the entire environment. Instead, the attacker is only able to rent a VM that is possibly co-located with a victim VM, and run a spy program inside that VM to target a program inside the victim VM. This inherently suffers from all the limitations.

Why are SGX side-channel attacks more serious?

The weak adversary model significantly limits the capabilities of side-channel attacks and, more importantly, assuming a strong adversary model does not make sense in most of the practical scenarios. For example, although an attacker who has the control over an OS can overcome the abovementioned limitations and launch effective side-channel attacks against a victim program. However, given such high privilege, the attacker can directly extract sensitive data from the victim program; that is, the strong attacker generally does not need to rely on side channels at all.

However, this is not the case in the context of Intel Software Guard Extensions (SGX). The high-level goal of SGX is to protect a user-space program in a hostile environment (e.g., a public cloud in which administrators are untrusted). More specifically, SGX protects the program from all privileged accesses including those from an OS and a hypervisor. Unfortunately, the design of SGX does not consider side-channel attacks, and therefore the program is still vulnerable to this type of attacks.

Given that an SGX-protected program is still vulnerable to side-channel attacks, the SGX's strong adversary model (e.g., an attacker controls the underlying OS) allows powerful attacks with all the limitations addressed. More specifically, the attacker can easily meet the prerequisites of attacks by having control over the entire system. In addition, the attacker can apply several noise reduction techniques (e.g., running the program in an isolated core) according to the type of side channel. To improve the temporal resolution of attacks, the attacker can slow down and/or frequently interrupt the execution of the program (i.e., achieve near single-stepping).

By taking advantage of the strong adversary model, communities have proposed several side-channel attacks against SGX that bypass its protection. These attacks demonstrate not only a new type of side channels but also significant improvement over the traditional ones. We summarize the state-or-the-art attacks against SGX in the following table.

Attack Source Granularity High-freq interrupt
Controlled-channel attacks [1] Page faults Page No
Stealthy page-table-based attacks [2] Page-table flags Page Yes
Branch Shadowing [3] Branch target buffer/Branch predictor Branch Yes
BranchScope [4] Branch predictors Branch Yes
Last-level cache attacks [5] Last-level caches Cacheline No
L1 cache attacks without Hyperthread [6] L1 caches Cacheline Yes
L1 cache attacks with Hyperthread [7] L1 caches Cacheline No
TLB-based attacks [8] TLB Page Yes

TSX-based defenses

Defending against side-channel attacks under the strong adversary model is not an easy task. System-level approaches (e.g., isolating the source of side channels for a program) are not applicable because the OS is untrusted. Although software-based approaches (e.g., ORAM) are effective, they generally incur significant runtime overhead. Hardware-based approaches are both effective and efficient, but they are expensive and may take too much time to be adopted and deployed.

With the goal of having practical defenses, communities have explored an alternative approach that relies on an existing hardware feature: Intel Transaction Synchronization Extensions (TSX). The original purpose of TSX is to enable hardware-based transactional memory. More specifically, TSX allows developers to put a piece of code inside a transaction that ensures the atomicity of memory accesses made by the code. When the TSX detects events that violate the atomicity, it aborts the on-going transaction and invokes a user-space fallback handler without notifying the underlying OS. The key observation from communities is that these events include ones that are required by side-channel attacks.

The first proposal of TSX-based approach is T-SGX [9], which targets mainly the controlled-channel (page-fault-based) attacks. The key property of TSX that T-SGX utilizes is that TSX aborts an on-going transaction when a page fault occurs while suppressing it (i.e., the page fault is not delivered to the OS). Based on this property, T-SGX transforms a program during compile time to ensure the entire program is covered by multiple transactions. This approach effectively mitigates the controlled-channel attacks.

In addition to suppressing page faults, another important property of TSX is that it also aborts transactions when there are interrupts. According to the table in the previous section, frequent interrupts are essential to most of the side-channel attacks. For example, although the stealthy page-table-based attacks avoid the need of page faults and infer the page accesses through monitoring page-table flags (e.g., dirty and access bits), the attacks still require frequent interrupts to flush the TLB and clear the flags. For cache-, branch-prediction-, and TLB-based attacks, frequent interrupts are also necessary to obtain fine-grained information (i.e., achieve high temporal resolution). With the capability of detecting interrupts, an SGX-protected program can detect abnormally high-frequent interrupts, and therefore effectively mitigate the attacks.

For cache-based attacks that do not require frequent interrupts, another TSX-based approach, Cloak [10], utilizes the distinct property of TSX: aborting a transaction when a cache conflict occurs (e.g., eviction). Causing cache eviction is essential for cache-based attacks (e.g., using Prime+Probe) against SGX because SGX does not share its memory with other programs by design (i.e., there is no Flush+Reload attack). Cloak ensures that a concurrent cache eviction on sensitive data always results in aborting an on-going transaction by including all the sensitive data in a transaction. As a result, Cloak allows an SGX-protected program to detect malicious cache eviction, and thus mitigates the cache-based attacks that do not require interrupts.

Attack Source Granularity High-freq interrupt
Controlled-channel attacks [1] Page faults Page No
Stealthy page-table-based attacks [2] Page-table flags Page Yes
Branch Shadowing [3] Branch target buffer Branch Yes
BranchScope [4] Branch predictors Branch Yes
Last-level cache attacks [5] Last-level caches Cacheline No
L1 cache attacks without Hyperthread [6] L1 caches Cacheline Yes
L1 cache attacks with Hyperthread [7] L1 caches Cacheline No
TLB-based attacks [8] TLB Page Yes

The above table summarizes the TSX-based defenses against state-of-the-art side-channel attacks against SGX. The green and yellow indicate the protection provided by T-SGX and Cloak, respectively. Combining both approaches can already effectively mitigate all the attacks.

Takeaway

Most of the studies underlook the effectiveness of T-SGX because its main focus is to defend against controlled-channel attacks. Note that controlled-channel attacks were the only known attacks at the time T-SGX was proposed. However, the feature of disallowing frequent interrupts effectively prevents attackers from obtaining side-channel information with high temporal resolution, and therefore mitigating many later-introduced attacks. Moreover, because all the other known attacks that do not require interrupts are based on the cache, Cloak shows that using TSX also effectively prevents them. As a result, we conclude that, by using TSX-based defenses, the advantage of launching side-channel attacks with the strong adversary model no longer holds. One may argue that TSX-based defenses still have some flaws. Indeed, this is because TSX is not designed to use in these ways. However, these approaches already raise the bar enough for making state-of-the-art attacks impractical (i.e., similar to the traditional ones), and we expect to see a similar hardware-based feature that dedicates for defending side-channel attacks in the future.

Reference

[1] Y. Xu, W. Cui, and M. Peinado. "Controlled-channel attacks: Deterministic side channels for untrusted operating systems." In Proceedings of the 36th IEEE Symposium on Security and Privacy (Oakland), San Jose, CA, May 2015.

[2] J. V. Bulck, N. Weichbrodt, R. Kapitza, F. Piessens, R. Strackx. "Telling Your Secrets without Page Faults: Stealthy Page Table-Based Attacks on Enclaved Execution." In Proceedings of the 26th USENIX Security Symposium (Security), Vancouver, BC, Canada, Aug. 2017.

[3] S. Lee, M.-W. Shih, P. Gera, T. Kim, H. Kim, and M. Peinado. "Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing." In Proceedings of the 26th USENIX Security Symposium (Security), Vancouver, BC, Canada, Aug. 2017.

[4] D. Evtyushkin, R. Riley, N. Abu-Ghazaleh, and D. Ponomarev. "BranchScope: A new side-channel attack on directional branch predictor." In Proceedings of the 23rd ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), Williamsburg, VA, Mar. 2018.

[5] M. Schwarz, S. Weiser, D. Gruss, C. Maurice, and S. Mangard. "Malware guard extension: Using SGX to conceal cache attacks." In Proceedings of the 14th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2017.

[6] M. Hähnel, W. Cui, and M. Peinado. High-Resolution Side Channels for Untrusted Operating Systems. In Proceedings of the 2017 USENIX Annual Technical Conference (ATC), Santa Clara, CA, July 2017.

[7] F. Brasser, U. Müller, A. Dmitrienko, K. Kostiainen, S. Capkun, and A. Sadeghi. Software Grand Exposure: SGX Cache Attacks Are Practical. In Proceedings of the 11th USENIX Workshop on Offensive Technologies (WOOT), Vancouver, BC, Canada, Aug. 2017.

[8] W. Wang, G. Chen, X. Pan, Y. Zhang, X. Wang, V. Bindschaedler, H. Tang, and C. A. Gunter. "Leaky cauldron on the dark land: Understanding memory side-channel hazards in SGX." In ACM SIGSAC Conference on Computer and Communications Security, 2017.

[9] M.-W. Shih, S. Lee, T. Kim, and M. Peinado. "T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs." In Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb.–Mar. 2017.

[10] D. Gruss, J. Lettner, F. Schuster, O. Ohrimenko, I. Haller, and M. Costa. "Strong and Efcient Cache Side-Channel Protection using Hardware Transactional Memory." In Proceedings of the 26th USENIX Security Symposium (Security), Vancouver, BC, Canada, Aug. 2017.