Konubinix' opinionated web of thoughts

SGX Security and Attacks

Fleeting

SGX Security

it is still vulnerable to certain types of attacks

https://sgx101.gitbook.io/sgx101/sgx-bootstrap/ccs17-tutorial

One type of vulnerability is memory corruption that enables control-flow hijacking attacks such as return-oriented programming (ROP) and return-to-libc attacks

https://sgx101.gitbook.io/sgx101/sgx-security

Intel SGX is not as secure as we thought

https://sgx101.gitbook.io/sgx101/sgx-security

Another type of vulnerability is uninitialized memory that may allow an untrusted host (i.e., the OS) to infer the data inside an enclave

https://sgx101.gitbook.io/sgx101/sgx-security/memory-corruption

The threat model of SGX, which assumes that even privileged software (e.g., an OS and a hypervisor) is untrusted, enables broader and stronger classes of side channels

https://sgx101.gitbook.io/sgx101/sgx-security/uninitialized-memory

cache attacks. By exploiting the timing difference between accessing cached and non-cached data, the attacks infer the particular memory accesses of a victim process by manipulating CPU caches.

https://sgx101.gitbook.io/sgx101/sgx-security/page-table-based-attack

one class of side-channel attacks (i.e., page-table-based attacks) that is unique to the SGX settings

https://sgx101.gitbook.io/sgx101/sgx-security/page-table-based-attack

unique class of side-channel attacks in the SGX settings is branch-prediction-based attacks

https://sgx101.gitbook.io/sgx101/sgx-security/cache-attack

row hammer attacks are also effective on SGX.

https://sgx101.gitbook.io/sgx101/sgx-security/branch-shadowing

side channels that draws significant attention is speculative execution side channels

https://sgx101.gitbook.io/sgx101/sgx-security/row-hammer-attack
