Existing tools to detect side-channel attacks on Intel SGX are grounded on the observation that attacks affect the performance of the victim application. As such, all detection tools monitor the potential victim and raise an alarm if the witnessed performance (in terms of runtime, enclave interruptions, cache misses, etc.) is out of the ordinary. In this paper, we show that monitoring the performance of enclaves to detect side-channel attacks may not be effective. Our core intuition is that all monitoring tools are geared towards an adversary that interferes with the victim's execution in order to extract the most number of secret bits (e.g., the entire secret) in one or few runs. They cannot, however, detect an adversary that leaks smaller portions of the secret - as small as a single bit - at each execution of the victim. In particular, by minimizing the information leaked at each run, the impact of any side-channel attack on the application's performance is significantly lowered - ensuring that the detection tool does not detect an attack. By repeating the attack multiple times, each time on a different part of the secret, the adversary can recover the whole secret and remain undetected. Based on this intuition, we adapt known attacks leveraging page-tables and L3 cache to bypass existing detection mechanisms. We show experimentally how an attacker can successfully exfiltrate the secret key used in an enclave running various cryptographic routines of libgcrypt. Beyond cryptographic libraries, we also show how to compromise the predictions of enclaves running decision-tree routines of OpenCV. Our evaluation results suggest that performance-based detection tools do not deter side-channel attacks on SGX enclaves and that effective detection mechanisms are yet to be designed.
翻译:用于检测Intel SGX的侧道攻击的现有工具基于袭击会影响受害者应用功能的观察。 因此, 所有检测工具都会对潜在受害者进行监测, 并提醒他们, 如果见证性表演( 运行时间、 飞地中断、 缓存失踪等) 异常正常, 则所有检测工具都会显示, 监测飞地探测侧道攻击的性能可能并不有效。 我们的核心直觉是, 所有监控工具都针对一个敌人, 干扰受害者执行的操作, 从而影响受害者应用的性能。 因此, 所有检测工具都会对潜在受害者应用的性能产生影响。 因此, 所有检测工具都会在一次或几次的运行中, 都会监测潜在秘密部分( 如运行时间、 飞地中断、 缓存失灵等 ), 然而, 通过将任何侧门攻击的性能检测工具都大大降低, 确保检测工具无法检测出一次攻击 。 通过多次重复攻击, 一次在秘密的某部分, 直径的常规检测, 也无法发现一个小部分, 秘密的直路路路路路 3 显示, 我们所知道的直路路路路的精确 的检测机制如何恢复了整个的准确探测,, 显示, 我们所知道的直路路路路的直路的直路的运行的 显示, 显示整个的直路路路路路路路路的精确 显示, 显示, 直路的精确的精确的运行的运行的运行的精确的运行的精确路路路路路的精确路路路 显示, 显示, 显示, 显示, 显示, 显示, 显示, 显示, 直路路路的精确的精确的精确的精确的精确的运行的触 显示, 显示, 显示, 显示, 显示, 显示, 显示,我们所 显示, 显示, 显示, 显示, 显示, 我们的直路的直路路的 显示,我们所知道的直路的直路的直路的直路的触 直路的直路的直路的触 显示, 直路的测测 显示, 显示, 显示, 显示, 显示, 显示, 直路的直路的直路的直路徑 直路的直路