Michael Schwarz, Samuel Weiser, and Daniel Gruss of Graz University of Technology in Austria have analyzed Intel SGX and the practicality of enclave malware. Schwarz and Gruss were also among the researchers who discovered the notorious Meltdown and Spectre vulnerabilities.
Intel Software Guard Extensions (SGX) is an isolation technology built into Intel processors. It is designed to protect code and data from disclosure and modification, even if the rest of the system has been compromised, by letting developers place sensitive parts of their applications into hardware-protected regions of memory called enclaves. Intel promotes the technology for cloud workloads, digital rights management (DRM), secure browsing, and other uses.
Although SGX can be very useful, it can also be abused. Enclaves are attractive places to hide malware precisely because antivirus software cannot inspect the code that executes inside them, and criminals could, for example, build ransomware that keeps its encryption keys inside the enclave so that the encrypted files cannot be recovered.
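Because antivirus software cannot look inside an enclave, a defender's first practical step is to at least know which processes on a host have loaded one. The following Python script is an added example, not code from the Graz researchers or from the article: it scans /proc/<pid>/maps on Linux for memory backed by the SGX device nodes (/dev/sgx_enclave for the upstream kernel driver, /dev/isgx for the older out-of-tree Intel driver) and for the untrusted runtime library libsgx_urts that host applications use to create and enter enclaves. The mapping layout it expects and the sample maps lines are assumptions and constructed data for illustration.

```python
import os
import re
from dataclasses import dataclass

# Device nodes through which SGX enclave pages (EPC) are mapped into a
# process: /dev/sgx_enclave for the upstream Linux driver and /dev/isgx for
# the older out-of-tree Intel driver. Assumption: a process hosting an
# enclave has at least one mapping backed by one of these nodes.
ENCLAVE_DEVICES = ("/dev/sgx_enclave", "/dev/isgx")
# Untrusted runtime library a host application links against to create and
# enter enclaves (Intel SGX SDK, libsgx_urts). Used as a secondary signal.
URTS_MARKER = "libsgx_urts"

# /proc/<pid>/maps line: "start-end perms offset dev inode [pathname]"
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


@dataclass
class EnclaveReport:
    pid: int
    enclave_regions: list   # (start, end, perms) tuples backed by an SGX device
    uses_urts: bool         # libsgx_urts is mapped in the process

    def total_enclave_bytes(self):
        return sum(end - start for start, end, _ in self.enclave_regions)

    def suspicious(self):
        # Inventory signal only: any enclave-backed mapping counts. RWX
        # enclave mappings are normal for SGX, so they are not a verdict.
        return bool(self.enclave_regions)


def parse_maps(pid, text):
    """Build an EnclaveReport from the text of /proc/<pid>/maps."""
    regions, uses_urts = [], False
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of failing the scan
        start, end, perms, path = m.group(1), m.group(2), m.group(3), m.group(4)
        if path in ENCLAVE_DEVICES:
            regions.append((int(start, 16), int(end, 16), perms))
        elif URTS_MARKER in path:
            uses_urts = True
    return EnclaveReport(pid, regions, uses_urts)


def find_enclave_hosts(maps_by_pid):
    """Return reports for every pid whose maps show enclave-backed memory."""
    reports = (parse_maps(pid, text) for pid, text in sorted(maps_by_pid.items()))
    return [r for r in reports if r.suspicious()]


def read_live_maps(proc_root="/proc"):
    """Read /proc/<pid>/maps for every visible process (root needed for others')."""
    result = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "maps")) as fh:
                result[int(name)] = fh.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
    return result


# Constructed sample maps (not captured from a real system): pid 4242 is a
# hypothetical host application with two enclave-backed regions plus the
# untrusted runtime; pid 4243 is an ordinary process.
SAMPLE_MAPS = {
    4242: (
        "55d0c2a00000-55d0c2a04000 r--p 00000000 08:01 131200 /usr/bin/dnsmon\n"
        "7f3a60000000-7f3a61000000 ---p 00000000 00:0c 1042 /dev/sgx_enclave\n"
        "7f3a61000000-7f3a61800000 rwxp 01000000 00:0c 1042 /dev/sgx_enclave\n"
        "7f3a6a000000-7f3a6a0c0000 r-xp 00000000 08:01 9921 /usr/lib/x86_64-linux-gnu/libsgx_urts.so.2\n"
        "7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]\n"
    ),
    4243: (
        "5597a3000000-5597a3010000 r-xp 00000000 08:01 2211 /usr/bin/bash\n"
        "5597a4a00000-5597a4a21000 rw-p 00000000 00:00 0 [heap]\n"
        "7fb2e0000000-7fb2e01c0000 r-xp 00000000 08:01 7710 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    ),
}

if __name__ == "__main__":
    # Swap SAMPLE_MAPS for read_live_maps() to inventory a real host.
    for report in find_enclave_hosts(SAMPLE_MAPS):
        print(f"pid {report.pid}: {len(report.enclave_regions)} enclave region(s), "
              f"{report.total_enclave_bytes() // 1024} KiB, urts={report.uses_urts}")
```

The output is an inventory, not a detection verdict: a DRM-protected game or a legitimate key-management service will show up the same way as a malicious enclave, which is exactly the point the researchers make. What the list gives a responder is the set of processes whose code an on-host scanner cannot see into, so that their provenance (publisher, signature, update channel) can be reviewed by other means.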
Previous research had already shown that enclave malware can use side channels to steal confidential information, but it was generally assumed that what enclave malware can do is severely limited. Earlier enclave malware also relied on a malicious application running on the host to carry out the actual malicious actions.
The Graz researchers have now shown that enclave malware is practical and does not need the help of a malicious host application: they demonstrate how malware can circumvent the restrictions SGX places on enclaves and covertly abuse a benign host application.
In the attack scenario the researchers describe, the victim uses a trusted and secure system. The attacker ships a benign-looking application that loads a malicious enclave at runtime. The host application talks to the enclave only through a narrow interface that, by design, should not allow the enclave to attack the application.
Despite these restrictions, the researchers showed that code inside the enclave can break out of them and execute arbitrary code with the privileges of the host application, without exploiting any hardware flaw in SGX. The attack even bypasses exploit mitigations such as ASLR, stack canaries, and Address Sanitizer.
The attack scenarios the researchers describe include criminals disguising the malware as a computer game that requires a DRM enclave, a messaging application that loads an enclave "for security reasons", or a special decoder that supposedly needs an enclave to provide the feature of interest. In nation-state scenarios, the enclave malware is delivered through a state-mandated application such as a digital signature tool.
According to the researchers, an attacker could then steal files or encrypt them for ransom, or act on behalf of the victim, for example by sending phishing e-mails or taking part in denial-of-service (DoS) attacks.
Sophisticated threat actors may find the technique useful because it keeps the zero-day exploits used in an attack hidden even if the malware itself is found: the exploit stays inside the enclave until the attacker chooses to trigger it, so it cannot be analyzed before execution. This is particularly useful for large-scale, synchronized operations such as botnets and ransomware campaigns.
“[Hiding] malware in an SGX enclave gives attackers plausible deniability and stealth until they decide to launch an attack. This is especially true for trigger-based malware that uses a zero-day exploit, but it also provides plausible deniability for legal or political reasons, for example for a state actor. Possible scenarios range from synchronized large-scale denial-of-service attacks to targeted attacks on individuals,” the researchers explained.
“We conclude that instead of protecting users from harm, SGX currently poses a security risk by fostering so-called super-malware with attack-ready exploits. Our results lay the foundation for future research on more realistic trust relationships between enclaves and non-enclave software, as well as on mitigating enclave malware,” they said.
Intel thanked the researchers for their work and for coordinating the disclosure of the technique. The company says, however, that the study is “based on assumptions that are outside the scope of the threat model for Intel SGX.”
“The value of Intel SGX is to execute code in a protected enclave; however, Intel SGX does not guarantee that the code executed in the enclave is from a trusted source. In all cases, we recommend using programs, files, applications and plugins from trusted sources,” Intel said.