Intel designed its Software Guard Extensions (SGX) to increase the security of application code and data, but now security researchers discovered a vulnerability in SGX that can be used to hide malware. Instead of protecting users, this exploit turns SGX into a security threat. Details of how the attack works can be found at The Register.
In a paper scheduled for publication on Tuesday, "Practical Enclave Malware with Intel SGX," brainiacs at the Graz University of Technology in Austria describe a technique for bypassing various security technologies like ASLR, and executing arbitrary code that can steal information or conduct denial-of-service attacks, via SGX and ROP.
Enclaves have to talk to the outside world via their assigned host application, yet the team's SGX-ROP approach allows the enclave to meddle with the underlying system as a normal process. In effect, malware in the enclave is hidden from view, but it can potentially do what it likes to the environment around it. This also means the enclave can keep its vulnerability exploits and parts of its malicious behavior out of view and secret.
Intel is aware of the attack and issued the following statement to The Register. Basically, the chip giant recommends to not execute untrusted code.
Intel is aware of this research which is based upon assumptions that are outside the threat model for Intel SGX. The value of Intel SGX is to execute code in a protected enclave; however, Intel SGX does not guarantee that the code executed in the enclave is from a trusted source. In all cases, we recommend utilizing programs, files, apps, and plugins from trusted sources. Protecting customers continues to be a critical priority for us and we would like to thank Michael Schwarz, Samuel Weiser, and Daniel Grus for their ongoing research and for working with Intel on coordinated vulnerability disclosure.