Spectre-Inspired Attacks Can Steal Data from Intel SGX Enclaves

Researchers have developed new techniques inspired by the recent Spectre CPU vulnerability to completely compromise the confidentiality of hardware-based secure enclaves created with Intel’s Software Guard eXtensions (SGX).

SGX is a feature present in 6th generation (Skylake) and later Intel CPUs that provides a shielded execution environment for applications. Programs or program components can use the technology to set up secure enclaves to execute sensitive code or to store secrets.

The main security guarantee of SGX is that no program other than the one that created an enclave—not even the OS or hypervisor—can access its memory. The technology, which allows applications to protect data even if a system is compromised or under the control of a malicious insider, has been adopted by public clouds, including Microsoft Azure.

Researchers from Ohio State University have developed new side-channel attack techniques based on branch target injection (Spectre variant 2) that allow them to steal data from SGX enclaves. This is possible because all SGX runtime libraries (Intel SGX SDK, Rust-SGX and Graphene-SGX) used by application developers have vulnerable code patterns. The researchers have named their new class of attacks SgxPectre.

“To demonstrate their practicality, we systematically explored the possible vectors of branch target injection, approaches to win the race condition during enclave’s speculative execution, and techniques to automatically search for code patterns required for launching the attacks,” the researchers said in their paper.

A tool has been released on GitHub that can help developers identify vulnerable code patterns in their own applications, and proof-of-concept attack code will be released at a later date. The issue was disclosed to Intel before the paper was published, and the company plans to release an update to its SGX SDK later this month that will contain mitigations.

Memcached-Based DDoS Attacks Hit New 1.7Tbps Record

GitHub was hit by a record distributed denial-of-service (DDoS) attack last week that was launched through compromised Memcached servers and peaked at 1.35Tbps. That record has now been surpassed by a new attack that used the same technique and hit 1.7Tbps.

The new attack was recorded Monday by Netscout’s DDoS mitigation division Arbor Networks and was directed at an unnamed U.S.-based service provider. The largest DDoS attack Arbor had previously recorded occurred in 2016 and peaked at 650Gbps.

The new DDoS reflection and amplification technique that abuses the more than 88,000 publicly exposed Memcached servers has pushed DDoS attacks past the 1Tbps mark and might become the norm. Some large hosting providers have taken action to prevent Memcached servers hosted on their networks from being abused, but this will only put a dent in the overall numbers.

“While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit,” the Arbor researchers said in a blog post.

Companies can defend against such attacks by filtering incoming traffic on UDP port 11211, which is used by Memcached servers to deliver data.
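To see what such filtering would catch before enabling it, the following added example (not from the article or from Arbor) scans flow records for destinations receiving heavy UDP traffic sourced from port 11211. The flow record layout, the thresholds and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

MEMCACHED_PORT = 11211  # UDP port named in the article

# Constructed sample flows: proto src_ip src_port dst_ip dst_port bytes
SAMPLE_FLOWS = """\
udp 198.51.100.7 11211 203.0.113.10 44211 1400000
udp 198.51.100.8 11211 203.0.113.10 51822 1350000
udp 198.51.100.9 11211 203.0.113.10 40100 1420000
udp 192.0.2.53 53 203.0.113.10 33000 512
tcp 10.0.0.5 11211 10.0.0.20 50000 90000
udp 198.51.100.7 11211 203.0.113.11 40000 2000
udp bad line
"""

def parse_flows(text):
    """Parse whitespace-separated flow records, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        proto, src, sport, dst, dport, nbytes = parts
        try:
            flows.append((proto.lower(), src, int(sport), dst, int(dport), int(nbytes)))
        except ValueError:
            continue  # non-numeric port or byte count
    return flows

def memcached_reflection_suspects(flows, min_bytes=1_000_000, min_sources=2):
    """Map each destination to (total_bytes, distinct_sources) when it receives
    UDP traffic from source port 11211 above both (assumed) thresholds."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for proto, src, sport, dst, _dport, nbytes in flows:
        # Reflected responses arrive *from* the Memcached port, over UDP only.
        if proto == "udp" and sport == MEMCACHED_PORT:
            totals[dst] += nbytes
            sources[dst].add(src)
    return {
        dst: (totals[dst], len(sources[dst]))
        for dst in totals
        if totals[dst] >= min_bytes and len(sources[dst]) >= min_sources
    }

if __name__ == "__main__":
    for dst, (nbytes, nsrc) in memcached_reflection_suspects(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{dst}: {nbytes} bytes from {nsrc} Memcached reflectors")
```

Internal TCP traffic to a cache and low-volume UDP replies from a single server stay below the thresholds, so only the multi-source flood is reported.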

Decryption Tools Available for GandCrab and Annabelle Ransomware

Security researchers from Bitdefender have released decryption tools for two families of ransomware called GandCrab and Annabelle. The tools are available on the Europol-maintained NoMoreRansom.org website.

The GandCrab decryptor was created in collaboration with the Romanian Police and the General Prosecutor’s Office. The ransomware spreads through malicious advertisements and has claimed 50,000 victims worldwide. It stands apart from similar threats because it asks for ransoms to be paid in Dash cryptocurrency.

The Annabelle ransomware is more complex and also overwrites computers’ master boot records (MBR), leaving them unable to boot into their operating systems. To use the new decryptor tool, victims first have to restore or rebuild the computer’s MBR using some other utilities and then remove some registry keys following instructions provided by Bitdefender in a blog post.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
