SGX Attacks - Max Fang's Notes

# Attacks on SGX Links: [[Confidential Computing]], [[SGX]], [[Security]] ## See ### - [[Load Value Injection]] ### - [[Foreshadow]] ### - [[AEPIC Leak]] ### - [[Plundervolt]] ### - [[SGAxe]] ## Resources ### (GSheets) [Summary of SGX Attacks](https://docs.google.com/spreadsheets/d/1Z5OL95QDupwnTe_OXQFwmbH5dx4j9G8Aag-LxI6Tua0/edit#gid=0) ### (Wikipedia section) [List of SGX vulnerabilities](https://en.wikipedia.org/wiki/Software_Guard_Extensions#List_of_SGX_vulnerabilities) **Listed attacks** - Prime+Probe attack - Spectre-like attacks - Enclave attack - MicroScope replay attack - [[Plundervolt]] - [[Load Value Injection]] ([[Load Value Injection|LVI]]) - [[SGAxe]] - [[AEPIC Leak]] ### (2020 Paper) A Survey of Published Attacks on Intel SGX [abstract](https://arxiv.org/abs/2006.13598), [pdf](https://arxiv.org/pdf/2006.13598.pdf) **Useful table** ![[Screen Shot 2022-11-21 at 7.46.42 PM.png]] **Categories of attacks** - Controlled channel attacks - Cache attacks - Branch prediction attacks - Speculative execution attacks - Rogue data cache loads **Categories of defenses** - Microcode patch - System design - Compiler / SDK - Application design - Other custom solutions ## ["SGX Security" section of SGX 101](https://sgx101.gitbook.io/sgx101/sgx-security) (A bit out of date) **Categories of attacks** - Memory Corruption - Uninitialized memory - Page-table-based Attacks - Cache Attacks - Branch Shadowing - Row Hammer Attacks - Speculative Execution Side Channels ([[Foreshadow]]) ## More attacks, unexplored ### Frontal Attack: Leaking Control-Flow in SGX via the CPU Frontend [abstract](https://www.usenix.org/conference/usenixsecurity21/presentation/puddu), [pdf](https://www.usenix.org/system/files/sec21-puddu.pdf), [video](https://www.youtube.com/watch?v=ti58SJ1ie3A), [slides](https://www.usenix.org/system/files/sec21_slides_puddu.pdf) ### SmashEx: Smashing SGX Enclaves Using Exceptions [main site](https://jasonyu1996.github.io/SmashEx/), [abstract](https://dl.acm.org/doi/10.1145/3460120.3484821), [pdf](https://dl.acm.org/doi/pdf/10.1145/3460120.3484821)