AsyncShock: Exploiting Synchronisation Bugs in Intel SGX Enclaves

  • Nico Weichbrodt
  • Anil Kurmus
  • Peter Pietzuch
  • Rüdiger Kapitza
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9878)

Abstract

Intel’s Software Guard Extensions (SGX) provide a new hardware-based trusted execution environment on Intel CPUs using secure enclaves that are resilient to accesses by privileged code and physical attackers. Originally designed for securing small services, SGX bears promise to protect complex, possibly cloud-hosted, legacy applications. In this paper, we show that previously considered harmless synchronisation bugs can turn into severe security vulnerabilities when using SGX. By exploiting use-after-free and time-of-check-to-time-of-use (TOCTTOU) bugs in enclave code, an attacker can hijack its control flow or bypass access control.

We present AsyncShock, a tool for exploiting synchronisation bugs of multithreaded code running under SGX. AsyncShock achieves this by only manipulating the scheduling of threads that are used to execute enclave code. It allows an attacker to interrupt threads by forcing segmentation faults on enclave pages. Our evaluation using two types of Intel Skylake CPUs shows that AsyncShock can reliably exploit use-after-free and TOCTTOU bugs.
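The abstract's point is that a synchronisation bug which is merely a reliability problem in ordinary code becomes an access-control bypass once an attacker controls when enclave threads run. The C fragment below is an added example written for this page; it is not code from the AsyncShock paper or from Intel's SDK. It contrasts a check-then-use (TOCTTOU) bug with its fix, holding one lock across check and use. The session structure, its fields and the function names are assumptions for illustration, and the scheduler-controlled preemption point is modelled by a direct call to `concurrent_revoke()`, which stands in for a competing thread that revokes the session the moment it is given the CPU.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example (not code from the AsyncShock paper): a check-then-use
 * (TOCTTOU) bug of the kind the abstract describes, and its fix. The
 * preemption point is modelled by a direct call to concurrent_revoke(),
 * which stands in for a competing thread that the untrusted scheduler runs
 * at that instant; session_t and its fields are assumed for illustration. */

#define DENIED (-1)

typedef struct {
    atomic_flag lock;   /* spinlock guarding the two fields below */
    bool authorised;    /* cached access-control decision for this session */
    int secret;         /* enclave-resident value, released only if authorised */
} session_t;

#define SESSION_INIT(sec) { ATOMIC_FLAG_INIT, true, (sec) }

static void lock_acquire(session_t *s)
{
    while (atomic_flag_test_and_set_explicit(&s->lock, memory_order_acquire))
        ;   /* spin until the lock is free */
}

static void lock_release(session_t *s)
{
    atomic_flag_clear_explicit(&s->lock, memory_order_release);
}

/* Stand-in for the competing thread: revokes the session if, and only if,
 * it can take the lock at this instant (a real thread would block instead).
 * Returns true when the revocation was applied. */
bool concurrent_revoke(session_t *s)
{
    if (atomic_flag_test_and_set_explicit(&s->lock, memory_order_acquire))
        return false;           /* reader still holds the lock: no window */
    s->authorised = false;
    lock_release(s);
    return true;
}

/* Vulnerable: check and use sit in two separate critical sections. Between
 * them the lock is free, so a thread scheduled into that window can revoke
 * the session, yet the secret is still returned (access-control bypass). */
int read_secret_racy(session_t *s)
{
    lock_acquire(s);
    bool ok = s->authorised;    /* time of check */
    lock_release(s);
    if (!ok)
        return DENIED;

    concurrent_revoke(s);       /* preemption window: competing thread runs */

    lock_acquire(s);
    int v = s->secret;          /* time of use: the decision is stale */
    lock_release(s);
    return v;
}

/* Fixed: one critical section spans check and use, so the decision cannot
 * change between them. The same preemption point is reached, but the
 * competing thread cannot take the lock until the use has completed. */
int read_secret_safe(session_t *s)
{
    lock_acquire(s);
    bool ok = s->authorised;    /* time of check */

    concurrent_revoke(s);       /* same preemption window: revocation must wait */

    int v = ok ? s->secret : DENIED;    /* time of use: same decision */
    lock_release(s);
    return v;
}

int main(void)
{
    session_t racy = SESSION_INIT(42), safe = SESSION_INIT(42);

    int r = read_secret_racy(&racy);
    printf("racy: returned %d, session authorised afterwards: %s\n",
           r, racy.authorised ? "yes" : "no");

    int v = read_secret_safe(&safe);
    printf("safe: returned %d, session authorised afterwards: %s\n",
           v, safe.authorised ? "yes" : "no");

    concurrent_revoke(&safe);   /* revocation now lands between two complete operations */
    printf("safe after revocation: returned %d\n", read_secret_safe(&safe));
    return 0;
}
```

The racy reader hands out the secret even though the session is no longer authorised at the time of use; the fixed reader either completes before the revocation is visible or observes it before the check. The modelled revoker only succeeds when the lock is free, which is exactly the property the fix relies on: without a lock-free window between check and use there is nothing for scheduling control to exploit.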

Keywords

Intel Software Guard Extensions (SGX) · Threading · Synchronisation · Vulnerability

Notes

Acknowledgements

We would like to thank the anonymous reviewers for their input. This project has received funding from the European Union’s Horizon 2020 Research and Innovation Programme under Grant Agreement No. 645011 and No. 644412.

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Nico Weichbrodt (1)
  • Anil Kurmus (2)
  • Peter Pietzuch (3)
  • Rüdiger Kapitza (1)
  1. TU Braunschweig, Braunschweig, Germany
  2. IBM Research Zurich, Zürich, Switzerland
  3. Imperial College London, London, UK
