Skip to content
/ SGX-PTE-SPY Public

A migration for the page table entry based side-channel attack agains SGX enclaves.

License

MIT license
15 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

itewqq/SGX-PTE-SPY

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
imgs
imgs
 
 
sgx-driver-patch
sgx-driver-patch
 
 
spy-kernel
spy-kernel
 
 
spy-user
spy-user
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.MD
README.MD
 
 
run.sh
run.sh
 
 

Repository files navigation

SGX-PTE-MOD

This is a migration for the page table entry based side-channel attack proposed in the paper "Telling Your Secrets Without Page Faults: Stealthy Page Table-Based Attacks on Enclaved Execution", which appears in 2017 but still works for now (2024).

You can find the attack code from the original authors of the paper here. It was implemented within the Graphene-SGX framework, which I found to be out of maintenance and hard to adapt. Therefore, I rewrote the sgx-pte attack as a separate linux kernel module for extensibility and ease of use.

How it works?

I'm too lazy to repeat the details in the paper, but this chart should help.

overview

Usage

Basic steps:

  1. Get the virtual address of the MONITOR_PTE in the victim enclave, which works as a "trigger": whenever the page including this address is accessed, we interrupt the victim Enclave and check if the page in PTE_SETS has been accessed.
  2. Get the virtual addresses of the PTE_SETS: pages that you want to snoop on access patterns.
  3. Put these addresses accordingly to MONITOR_ADRS and the args of add_to_pte_set in the pte_utils.c and make&install the pte_spy_mod.ko. (I know it's kind of silly, but I'm too lazy to improve on this. It's enough for aCaDemIcs, isn't it?)
  4. Build the user mode library libsgx_pte_attack.so.
  5. Manage to inject the lib into the untrusted part (outside of enclave) of the victim process and call the sgx_enter_victim function to start the attack.

Notice that in SGX's threat model, an attacker can be assumed to have OS privileges, so all of the above steps is theoretically not hard to achieve (turning off ASLR, hacking the kernel page allocation mechanism and program loader, etc). Anyway, I provide a PoC that can be run directly ./run.sh, or manully:

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
echo 0 | sudo tee /proc/sys/kernel/kptr_restrict
echo off | sudo tee /sys/devices/system/cpu/smt/control 
source /opt/openenclave/share/openenclave/openenclaverc
cd ~/sgx-pte-mod/spy-kernel/
make clean
make remake
cd ~/sgx-pte-mod/spy-user/helloworld/
make clean
make
make run

After that, check the trace in /sys/kernel/debug/tracing/trace to find the leaked page access pattern. Example output:

poc_output

Only the A/D bit detection method is tested, since the FLUSH+FLUSH method seems to be very unstable on my machine.

About

A migration for the page table entry based side-channel attack agains SGX enclaves.

Resources

Readme

License

MIT license
Activity

Stars

15 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages