Recent studies have identified a new attack vector, WireTap. This approach first leverages Intel’s Software Guard Extensions (SGX) to recover critical Extended Elliptic Curve Digital Signature Algorithm (ECDSA) keys. The research team crafted this attack to mount a complete key recovery attack against Intel SGX’s Quoting Enclave (QE). This finding has serious implications for the confidentiality of data running inside SGX enclaves.
WireTap operates with the help of an interposer that goes between the CPU and the memory module. This configuration allows it to monitor and record data traveling between these elements. The researchers presented their findings in a shifting tides report. They wrote at length about how ideal this technique is at circumventing SGX’s security protections.
The Mechanics of WireTap
Staff time WireTap setup requires an upfront commitment of around $1,000 (including the cost of the logic analyzer we provide). This cost is significantly higher than its cousin, Battering RAM, which can be set up for under $50. Both attacks are based on exploiting the deterministic encryption used by Intel SGX, albeit from different angles at the problem.
Deterministic encryption is no small part of SGX’s security foundation. It has vulnerabilities that can be exploited by methods such as WireTap and Battering RAM. The researchers underscored their success at extracting attestation keys. These keys serve as the basis for determining whether a piece of code is executing within SGX.
“Using our interposer device against SGX’s attestation mechanism, we are able to extract an SGX secret attestation key from a machine in fully trusted status, thereby breaching SGX’s security.” – The researchers
Implications for ECDSA Key Security
With extraction of the ECDSA signing key through WireTap, attackers can sign arbitrary SGX enclave reports. This unique and hazardous potentiality for misuse leads to questions about the integrity and confidentiality of highly sensitive information being processed within these enclaves. SGX is often touted as a foundation for secure processing in a variety of applications from cloud computing to online transactions. This vulnerability can be exploited with global impact.
Intel’s public response to these findings has been extremely positive. They claim that these attacks are beyond the security perimeter of Advanced Encryption Standard-XEX-based Tweaked Codebook Mode with Ciphertext Stealing (AES-XTS) memory encryption. Yet the chipmaker refuses to release a Common Vulnerabilities and Exposures (CVE) listing for these exploits. Their resolve has only deepened.
“As it provides limited confidentiality protection, and no integrity or anti-replay protection against attackers with physical capabilities, Intel does not plan to issue a CVE.” – The chipmaker
Relationship Between WireTap and Battering RAM
WireTap and Battering RAM are very much complementary attacks, each analyzing different properties of deterministic encryption. And although WireTap uses a more advanced configuration that requires an interposer, Battering RAM uses a cheaper method. Both approaches highlight the insecurities in Intel’s encryption systems and the need for stronger security protections.
The researchers share successful tactics for carrying out these attacks. We’re excited that they too recognize the importance of continuous measurement in cybersecurity practices. These attacks demonstrate the multifaceted difficulties involved in protecting vulnerable, especially deterministic encrypted systems. Developers and users alike must continue to stay aware to defend against these threats.