TEE: Vulnerabilities
my notes
Availability failures
Trusted hardware in general cannot ensure availability. A malicious host can terminate enclaves, and even an honest host could lose enclaves in a power cycle.
That's why TEEs should be stateless, and any persistent state is stored in the globally available ledger.
Timer failures
TEEs in general lack trusted time sources. A malicious host has control of the enclave's timer. Thus a TEE must minimize reliance on the TEE timer.
Key management problems
TEE state can be persisted by encrypting it with the TEE's confidentiality features, but the problem is how to persist the encryption keys themselves.
Generally the method is to replicate keys across multiple TEEs.
However, a higher replication factor means not only better resiliency to state loss, but also a larger attack surface.
There is in general a fundamental tension between exposure risk and availability.
A long-term master key can be generated by a DKG (distributed key generation) protocol among the TEEs (a.k.a. the Key Management Committee, KMC).
Each symmetric key (short-term key) used to encrypt and decrypt state stored in the persistent ledger can be derived from the long-term keys.
Short-term keys expire every epoch.
To get each short-term key K_c_t (c: contract, t: epoch), the TEE first establishes secure channels with the KMC cluster and authenticates itself to it, then constructs the key from the shares using Lagrange coefficients.
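Added example (not from these notes, and not the implementation of any particular TEE/KMC system): a long-term master secret held as Shamir shares by the KMC, recombined with Lagrange coefficients over a prime field, and a per-contract, per-epoch short-term key K_c_t derived from it with HKDF. A trusted-dealer split stands in for the DKG, and the prime, the HKDF salt and all function names are assumptions.

```python
# Added example: Shamir-shared long-term master key, Lagrange reconstruction,
# and per-contract/per-epoch short-term key derivation (HKDF-SHA256).
# Simplification (assumption): the full master secret is recombined inside the
# requesting TEE; a deployment would rather have the KMC return shares of K_c_t.
import hashlib, hmac, secrets

P = 2**127 - 1  # prime field for the shares (assumed; any large prime works)

def share(secret, n, t):
    """Split `secret` into n shares; any t of them reconstruct it (trusted dealer)."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def reconstruct(shares):
    """Recover the polynomial at x=0 via Lagrange interpolation over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P          # product of (0 - x_j)
                den = den * (xi - xj) % P      # product of (x_i - x_j)
        total = (total + yi * num * pow(den, -1, P)) % P  # y_i * l_i(0)
    return total

def hkdf_sha256(ikm, info, length=32):
    """HKDF (RFC 5869) extract-then-expand with a fixed, assumed salt."""
    prk = hmac.new(b"kmc-salt", ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

def derive_short_term_key(master, contract, epoch):
    """K_c_t: the epoch-bound symmetric key for contract c, bound via HKDF info."""
    info = f"contract={contract};epoch={epoch}".encode()
    return hkdf_sha256(master.to_bytes(16, "big"), info)

def tee_obtain_key(shares, contract, epoch):
    """The flow from the notes: after the (assumed) authenticated channel to the
    KMC, the TEE combines t shares with Lagrange coefficients and derives K_c_t."""
    return derive_short_term_key(reconstruct(shares), contract, epoch)
```

Any t-1 shares interpolate to an unrelated value, so a single compromised KMC member learns nothing about the master secret, while a new epoch yields an unrelated K_c_t without touching the shares.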
Atomic delivery of execution results
m1, which delivers the output to the caller
m2, which delivers the state update to the blockchain
rewind attack
time access
For instance, doing an HTTP GET request to www.google.com will provide a reading from Google's clocks in the HTTP response headers.
memento attacks to sealed data
That attack is when the host gives you back older data than was requested. The system clock is controlled by the owner of the computer and so can't be relied on.
side channel attacks
architectural
Message sizes
Message processing time
Storage access patterns
micro-architectural
exploiting the speculative execution capability of the processor to make an enclave compute on invalid data.
expect that the host isn't normally malicious.
PLATYPUS
2020/11/11
An unprivileged user can access the CPU's power-consumption monitoring data.
CacheOut / SGAxe
ZombieLoad: Cross-privilege-boundary data sampling
LVI: Hijacking transient execution through microarchitectural load value injection
plundervolt
CVE-2019-11157
Patched via microcode and BIOS updates.
Plundervolt changes values in SGX-protected memory (i.e. it attacks integrity), whereas speculative execution attacks like Foreshadow or Spectre allow reading data from SGX enclave memory (i.e. they attack confidentiality).
If a remote attacker can become root in the untrusted OS, she can also mount the Plundervolt attack.
SGX-ROP attack
2019/02
By making use of ROP (Return Oriented Programming), an enclave can be given stronger access rights than it would normally have.
Foreshadow
CVE-2018-3615, CVE-2018-3620, CVE-2018-3646
A kind of side-channel attack called L1 Terminal Fault (L1TF).
The L1 cache is a Harvard architecture with separate caches for instructions and data.
L2 and L3 are unified caches holding both instructions and data.
When the attacker tries to read a region that is not mapped to a page and triggers a page fault, the memory protection mechanism is effectively disabled for the short time while the page fault is being handled, and during that window speculative execution can read the contents of the L1 data cache.
Then, as with Spectre Variant 1, by leaving traces of the data to be read in the cache using FLUSH+RELOAD, the data remains in the cache even after the result of the speculative execution is cancelled, and the value can be recovered via a side-channel attack.
The attacker gains access to data inside the enclave.
https://www.youtube.com/watch?v=EahQBMuhx5Y
Spectre/Meltdown
SGX Cache Attacks
Rollback Attack
Remote Attestation
https://gyazo.com/e2d00e2d9c452f77a04c7b01e182e579
Without involving Intel’s attestation service while conducting attestation, OPERA is unchained from Intel, although it relies on Intel to establish a chain of trust whose anchor point is the secret rooted in SGX hardware.
Others