Side-channel vulnerabilities of Intel SGX are driving the research community towards designing low-overhead detection tools. The ones available to date are grounded on the observation that attacks affect the performance of the victim application (in terms of runtime, enclave interruptions, etc.), so they monitor the potential victim and raise an alarm if the witnessed performance is anomalous. We show that tools monitoring the performance of an enclave to detect side-channel attacks may not be effective. Our core intuition is that these tools are geared towards an adversary that interferes with the victim's execution in order to extract as many secret bits as possible (e.g., the entire secret) in one or a few runs. They cannot, however, detect an adversary that leaks smaller portions of the secret (as small as a single bit) at each execution of the victim. In particular, by minimizing the information leaked at each run, the impact of the attack on the application's performance is significantly lessened, so that the detection tool notices no attack. By repeating the attack multiple times, and each time leaking a different part of the secret, the adversary can recover the whole secret and remain undetected. Based on this intuition, we adapt attacks leveraging page tables and the L3 cache so as to bypass available detection mechanisms. We show how an attacker can leak the secret key used in an enclave running various cryptographic routines of libgcrypt. Beyond cryptographic software, we also show how to leak predictions of enclaves running decision-tree routines of OpenCV.