Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing (1611.06952v3)

Abstract: In this paper, we explore a new, yet critical, side-channel attack against Intel Software Guard Extension (SGX), called a branch shadowing attack, which can reveal fine-grained control flows (i.e., each branch) of an enclave program running on real SGX hardware. The root cause of this attack is that Intel SGX does not clear the branch history when switching from enclave mode to non-enclave mode, leaving the fine-grained traces to the outside world through a branch-prediction side channel. However, exploiting the channel is not so straightforward in practice because 1) measuring branch prediction/misprediction penalties based on timing is too inaccurate to distinguish fine-grained control-flow changes and 2) it requires sophisticated control over the enclave execution to force its execution to the interesting code blocks. To overcome these challenges, we developed two novel exploitation techniques: 1) Intel PT- and LBR-based history-inferring techniques and 2) APIC-based technique to control the execution of enclave programs in a fine-grained manner. As a result, we could demonstrate our attack by breaking recent security constructs, including ORAM schemes, Sanctum, SGX-Shield, and T-SGX. Not limiting our work to the attack itself, we thoroughly studied the feasibility of hardware-based solutions (e.g., branch history clearing) and also proposed a software-based countermeasure, called Zigzagger, to mitigate the branch shadowing attack in practice.

• The paper presents a novel branch shadowing attack that exploits branch prediction to infer fine-grained control flow in Intel SGX enclaves.
• It employs Intel PT, LBR, and APIC-based techniques to accurately track branch execution, reducing noise in side-channel measurements.
• Experimental results breach defenses like ORAM and SGX-Shield, highlighting vulnerabilities that call for hardware redesign and improved software countermeasures.

Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing

The paper "Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing" introduces a novel attack method called branch shadowing. This attack exploits the branch prediction mechanism of Intel's SGX, a hardware-based trusted execution environment, to infer the fine-grained control flow of programs running inside enclaves.

Attack Overview

The branch shadowing attack measures the branch prediction behavior to determine the execution of conditional and indirect branches within the enclave. By manipulating the virtual address space and exploiting the branch target buffer (BTB) and last branch record (LBR), an adversary can deduce the control flow of enclave applications, bypassing existing defenses against coarse-grained attacks.

Exploitation Techniques

The authors developed two novel exploitation techniques to overcome practical challenges:

1. Intel PT and LBR-based Techniques: These methods utilize branch history information to infer fine-grained control flow with precision, minimizing noise that typically affects timing-based side-channel attacks.
2. APIC-based Control: This technique manipulates the Advanced Programmable Interrupt Controller (APIC) to gain execution control over interesting code blocks within the enclave.

Key Findings

The attack was demonstrated by breaking state-of-the-art security mechanisms such as ORAM schemes, SGX-Shield, and others. The authors also explored hardware-based solutions that propose clearing branch history during mode switches, suggesting modifications that impose minimal performance overhead.

Implications and Future Directions

The findings of this paper have significant implications for both the theoretical understanding and practical development of secure enclave environments. It highlights a critical vulnerability in Intel's SGX that may require hardware redesign to fully mitigate. The exploration of software-based counters such as the proposed Zigzagger, which obfuscates branch predictions, presents a potential mitigation strategy.

This research pushes the boundaries of side-channel analysis, emphasizing the need for continuous evolution of security practices as attackers leverage increasingly sophisticated methods. Future developments in AI could focus on detecting patterns associated with such attacks, potentially leading to real-time countermeasures in trusted execution environments. Additionally, advancements could explore enhancing existing software-based security frameworks to more effectively neutralize similar threats without relying solely on hardware modifications.