We present CacheOut, a new speculative execution attack that is capable of leaking data from Intel CPUs across many security boundaries. We show that despite Intel's attempts to address previous generations of speculative execution attacks, CPUs are still vulnerable, allowing attackers to exploit these vulnerabilities to leak sensitive data.
Moreover, unlike previous MDS issues, we show in our work how an attacker can exploit the CPU's caching mechanisms to select what data to leak, as opposed to waiting for the data to be available. Finally, we empirically demonstrate that CacheOut can violate nearly every hardware-based security domain, leaking data from the OS kernel, co-resident virtual machines, and even SGX enclaves.
SGAxe is an evolution of CacheOut, specifically targeting SGX enclaves. We show that despite extensive efforts done by Intel in order to mitigate SGX side channels, an attacker can still breach the confidentiality of SGX enclaves even when all side channel countermeasures are enabled.
We then proceed to show an extraction of SGX private attestation keys from within SGX’s quoting enclave, as compiled and signed by Intel. With these keys in hand, we are able to sign fake attestation quotes, just as if these have initiated from trusted and genuine SGX enclaves. This erodes trust in the SGX ecosystem, as using such quotes an attacker can masquerade itself as a genuine SGX enclave to a remote party, while offering little protection in reality.
CacheOut can extract RSA keys from a user program performing RSA decryptions using its private key. In this example, sampling the victim’s data takes about 40 seconds and another 10 seconds is spent on recovering the key from the collected data.
Also available on YouTube.
To show our ability of leaking data from Intel SGX, we embedded the Mona Lisa (image on the left) inside an enclave. Then we collected some traces using CacheOut. We reconstruct the picture from these traces in real-time as shown in the image on the right.
We have also used CacheOut and SGAxe to recover private attestation keys from a fully updated SGX machine which is considered by Intel to be in a trusted status. With these private attestation keys in hands, we can sign arbitrary SGX attestation quotes which are then considered legitimate by Intel’s attestation service (or at least until they revoke our key). In the video below, we sign our own quote and then verify it against Intel’s Attestation Service.
Also available on YouTube.
We understand that remote attestion can be very tricky to pass. However, since we already done all the hard work of getting genuine attestation keys, we decided to help you out by developing a Twitter bot that passes SGX attestation for you. Our bot provides Attestation as a Service (AaaS), which allows you to get your own quotes signed with the keys we extracted using SGAxe. This way you can pass attestation without even owning an SGX machine. If you want to make use of our service, you can send a tweet to our bot @SGAxe_AaaS. If you’ll tweet it, we’ll sign it!
After discussing our paper more thoroughly with Intel, it turns out we are leaking from a new and undocumented data path that passes information between L1-D evictions and the LFB.
We also have new attacks, leaking AES and RSA keys, as well as neural network weights across processes and across virtual machines. We also show how to attack the operating system kernel and hypervisors, extracting stack canaries. Moreover, we have breached the confidentiality of SGX enclaves, reading data from within the enclave’s memory.
Finally, we present SGAxe, which is a followup to CacheOut that extracts SGX attestation keys from Intel’s quoting enclave. With these keys at hand, network attackers are able to impersonate as legitimate SGX enclaves thereby eroding trust in the entire SGX ecosystem.
Probably yes, unless you happen to have a CPU released after Q4 2018.
For a select number of processors released after Q4 2018, Intel advertently managed to partially mitigate this issue while addressing a previous issue called TSX Asynchronous Abort. See Section 8 in our paper.
A list of affected products can be found here.
If you are using Intel SGX in production or if you are a developer who is using Intel SGX or plans to use Intel SGX, then it is very likely you are affected if you rely on remote attestation.
A list of affected products can be found here.
Intel will be providing CPU microcode updates to OEM vendors, that will be distributed to end users via BIOS updates. We recommend these to be installed as soon as they are available. In addition, Intel has provided recommendations for mitigation strategies for operating system (and hypervisor) software. More information can be found at Intel's Software Guidance on L1D Eviction Sampling and Intel's Security Advisory (SA-00329). We recommend that you install the software updates provided by your operating system and/or hypervisor vendor.
To mitigate SGAxe, Intel will first have to provide CPU microcode updates to patch the root cause behind CacheOut and L1DES to OEM vendors. These will then be provided to end users through BIOS updates. Intel will also perform a Trusted Compute Base (TCB) recovery, invalidation all previous attestation keys. This process will ensure that your system is in a secure state such that your system is able to use remote attestation again.
The first indication known to us of leakage from cache evictions can be seen in the Rogue In-Flight Data Load (RIDL) paper, authored by Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos and Cristiano Giuffrida, (VUSec). In addition, Intel also informed us that Moritz Lipp, Michael Schwarz and Daniel Gruss (TU Graz), as well as Jo Van Bulck (KU Leuven) also reported this issue.
Stephan van Schaik, Marina Minkin, Andrew Kwong, Daniel Genkin (University of Michigan) and Yuval Yarom (University of Adelaide and Data61) performed an extensive analysis of how this vulnerability works and how an attacker can exploit it. More information can be found in our paper.
AMD is not affected by CacheOut, as AMD does not offer any feature akin to Intel TSX or Intel SGX on their current offerings of CPUs.
Arm and IBM do have a feature similar to Intel TSX, but we are currently unaware of whether any of their products are affected. We are also unaware of any other attack vectors to exploit CacheOut.
In the case of SGAxe, Intel SGX is currently only available on select Intel platforms. Therefore, other processor vendors are not affected by SGAxe.
No, these are bugs in the processor that an attacker can exploit. Software can mitigate these issues at the cost of features and/or performance. We hope that somewhere in the future Intel will release processors with in-silicon fixes against this issue.
While it is possible in theory, this is currently unlikely in practice. However, your anti-virus software may detect malware which uses this attack by comparing binaries once they become known.
Very unlikely, as both CacheOut and SGAxe do not leave any traces in traditional log files. However, as SGAxe compromised SGX attestation keys, one should be weary of suspicious (but valid) attestation quotes.
As far as we know, there are no known instances of malicious actors absuing CacheOut or SGAxe in the wild.
An operating system (OS) is system software responsible for managing your computer hardware by abstracting it through a common interface, which can be used by the software running on top of it.
Furthermore, the operating system decides how this hardware is shared by your software, and as such has access to all the data stored in your computer's memory. Thus, it is essential to isolate the operating system from other programs running on the same machine.
CacheOut violates the operating system's privacy by extracting information from it that facilitates other attacks, such as buffer overflow attacks.
More specifically, modern operating systems employ Kernel Address Space Layout Randomization (KASLR) and stack canaries. KASLR randomizes the location of the data structures and code used by the operating system, such that the location is unknown to an attacker. Stack canaries put secret values on the stack to detect whether an attacker has tampered with the stack. CacheOut extracts this information from the operating system, essentially enabling full exploitation via other software attacks, such such as buffer overflow attacks.
CacheOut can leak information from other processes running on the same thread, or across threads on the same CPU core. As an example, we successfully leaked both the decrypted output and the AES key from another process performing AES decryptions.
Virtualization is a feature supported by modern CPUs that enables software emulation of the computer's physical hardware. This essentially allows you to instantiate multiple computers (called virtual machines), each running their own operating system and software, all while sharing the same underlying physical hardware.
Cloud providers use virtualization to partition and isolate physical hardware, such that customers can rent the hardware instead of having to purchase, set up, and maintain their own infrastructure. As many cloud instances share the same physical hardware, it is essential that cloud vendors maintain isolation between these instances.
CacheOut exploits hardware security vulnerabilities inside the processor to leak information from both the virtual machine manager (hypervisor) and co-resident virtual machines. However, cloud providers have already deployed countermeasures against CacheOut as a result from our work.
Intel Security Guard Extensions (SGX) offer an even stronger isolation guarantee that allows third parties to run their software in secure enclaves, with protection against a compromised operating system and/or hypervisor.
CacheOut exploits the hardware vulnerabilities we uncovered to dump the contents of SGX enclaves. As such, any information stored inside the enclave can be potentially leaked by CacheOut. SGAxe further extends this to recover SGX attestation keys, allowing network attackers to impersonate as legitimate SGX enclaves.
Intel SGX allows third-parties to run code on your machine with the guarantee that the code cannot be compromised. However, without the ability for the enclave to prove its genuinity to remote parties over the netwrok, Intel SGX would be useless. This is where remote attestion comes into play, as it allows your computer to cryptographicly prove that your information is protected by a genuine Intel machine.
Remote attestation in Intel SGX is interesting for many kinds of application where a third-party wants to run code on your machine with the guarantee that it cannot be compromised. Developers are slowly adopting Intel SGX to develop such applications, including blockchains, DRM and secure data storage for contacts and fingerprints.
With SGAxe we are able to leak the attestation private key, the key that SGX uses to sign quotes from enclave. Having recovered the attestaion key, we created our own rogue quoting enclave, which will sign arbitrary quotes as if these have from genuine SGX enclaves. Finally, since in some modes the attestation key cryptographically hides the identitiy of the signer to provide anonymity, third-party developers might be unable to track down who signed these fictitious quotes.
CacheOut is related to, and inspired by, previous work in speculative execution, including Spectre and Meltdown. Moreover, CacheOut bypasses the hardware mitigations released by Intel in response to Meltdown, thereby necessitating additional software fixes.
Microarchitectural Data Sampling (MDS) shows that an attacker can sample in-flight data from various microarchitectural buffers. As a response to this, Intel recommends that operating system vendors overwrite the contents of these buffers. However, CacheOut demonstrates that this mitigation is incomplete, as we can force the victim's data out of the L1-D Cache into the microarchitectural buffers after the operating system clears them. We then subsequently leak the contents of the buffers and obtain the victim's data.
As Crosstalk and SGAxe share a joint release, you may also have heard of or be hearing about Crosstalk. Similar to CacheOut and SGAxe, Crosstalk is a transient execution attack that is able to leak data from a micro-architectural buffer. While CacheOut and SGAxe focus on the Line Fill Buffer, Crosstalk instead focuses on the staging buffer, which is a buffer that is shared between different CPU cores. Therefore, Crosstalk is the very first cross-core transient execution attack.
It turns out that this staging buffer is shared between specific x86 instructions like cpuid and rdrand. As rdrand is the only source for random numbers trusted by Intel SGX, having the ability to leak the random numbers generated by rdrand is quite problematic. Especially since random numbers are essential for certain cryptographic algorithms. Like SGAxe, Crosstalk therefore focuses on Intel SGX.
More information about Crosstalk can be found at VUSec's project page for Crosstalk.
Foreshadow is a speculative execution attack that targets both virtualized environments and Intel SGX. When Foreshadow was announced on January, 2018, Foreshadow allowed an attacker to extract the SGX sealing keys, just like SGAxe.
However, a lot of things have changed in those two years: machines have been patched and hardened against attacks like Meltdown, Foreshadow and MDS. Attestation keys extracted by Foreshadow have long since been revoked by Intel. With SGAxe we show that, despite all of these efforts, it is still possible for an attacker to extract the SGX attestaion keys and sign counterfeit quotes outside of Intel SGX.
The main idea behind our attack is to force the victim's data out of the CPUs cache into a leaky buffer, and then subsequently leak it. ·Cache and cash also happen to be homophones, which means that CacheOut sounds the same as "cash out". This also explains our use of the dollar signs in the logo.
The logo symbolizes putting an axe to a chip, or rather putting an axe to SGX, as it breaches the security guarantees of SGX. SGAxe is also close to the pronunciation of SGX.
Intel assigned CVE-2020-0549: "L1D Eviction Sampling (L1DES) Leakage" with a CVSS score 6.5 Medium to this vulnerability.
We would like to thank Intel for working with us during the responsible disclosure.
This research was supported by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL) under contracts FA8750-19-C-0531 and HR001 120C0087, by the National Science Foundation under grant CNS-1954712, by an Australian Research Council Discovery Early Career Researcher Award (project number DE200101577), and by generous gifts from Intel and AMD.