SGX-ROP: Practical Enclave Malware with Intel SGX
This repository contains the implementations of the DIMVA 2019 paper
- Practical Enclave Malware with Intel SGX by Schwarz, Weiser, and Gruss
The repository consists of three parts:
TAP + CLAW
Contains the Intel TSX-based primitives to check whether a page is mapped and writable without using syscalls.
Uses TAP + CLAW inside a (malicious) SGX enclave to break ASLR of the host application, create a ROP payload and mount a simple PoC attack (i.e., create a file in the current directory).
Shows how to use TAP as egg hunter for classical exploits.
Note on Broken Microcode
Intel released a document Performance Monitoring Impact of Intel Transactional Synchronization Extension Memory describing that certain microcode updates disable the usage of TSX within SGX. This inadvertently also breaks SGX ROP in the current form. In case you have such a microcode update, you have the following possibilities:
Disable the Microcode Update
For demo/testing purposes, it is the easiest to simply disable the microcode update. This can be done using the boot parameter
Replace TSX with DataBounce or EchoLoad
In case you cannot disable the microcode update, or TSX is disabled, e.g., due to security reasons, you can replace TSX with a different primitive. Possible alternatives based on transient-execution attacks that have been shown to works are DataBounce as described in
- Store-to-Leak Forwarding: Leaking Data on Meltdown-resistant CPUs by Schwarz, Canella, Giner, and Gruss
and EchoLoad, which also works on CPUs where DataBounce is mitigated, as described in
- KASLR: Break It, Fix It, Repeat by Canella, Schwarz, Haubenwallner, Schwarzl, and Gruss.
All code is licensed under the MIT license.