Hacking in Darkness: Return-oriented Programming against Secure Enclaves

Intel Software Guard Extensions (SGX) is a hardware-based Trusted Execution Environment (TEE) that is widely seen as a promising solution to traditional security threats. While SGX promises strong protections to bug-free software, decades of experience show that we have to expect vulnerabilities in any non-trivial application. In a traditional environment, such vulnerabilities often allow attackers to take complete control over the vulnerable systems. Efforts to evaluate the security of SGX have been focusing on side-channels. So far, neither a practical attack against a vulnerability in enclave code nor a proof-of-concept attack scenario has been demonstrated. Thus, a fundamental question remains: What are the consequences and dangers of having a memory corruption vulnerability in enclave code?

To answer this question, we comprehensively analyze the exploitation technique against vulnerabilities inside enclaves. We demonstrate practical exploitation techniques, called Dark-ROP, which can completely disarm the security guarantees of SGX. Dark-ROP exploits a memory corruption vulnerability in the enclave software through return-oriented programming (ROP), but it differs significantly in a sense that the target enclave runs under a solid hardware protection. We overcome this problem by exploiting SGX-specific properties and obstacles by formulating a novel ROP attack scheme against SGX under practical assumptions. Specifically, we have built several oracles that tell the status of enclave execution to the attacker in order to enable launching of ROP attack while both code and data are hidden. Additionally, we exfiltrate the enclave’s code and data into a shadow application to fully control the execution environment while satisfying all security requirements of SGX. This shadow application emulates the enclave under the complete control of the attacker, using the enclave (through ROP calls) only to perform SGX operations such as reading the enclave’s SGX crypto keys.

The consequences of Dark-ROP are alarming; the attacker can completely breach the enclave’s memory protections and trick the SGX hardware into disclosing the enclave’s encryption keys and producing measurement reports that defeat remote attestation. This result strongly suggests that traditional security mitigation should be taken more seriously than common directions that communities are actively taking for convince (e.g., Haven or Graphene), which essentially increase the trust computing base and the attack surface.