PoC hides malware in Intel SGX enclave

News by Robert Abel

Researchers developed a proof of concept attack which allows them to hide malware in Intel's Software Guard eXtensions (SGX).

Researchers developed a proof of concept attack which allows them to hide malware in Intel’s Software Guard eXtensions (SGX).

Intel SGX is a feature found on all modern Intel CPUs that allows developers to isolate applications in secure "enclaves" and the attack allows researchers to hide undetectable malicious code from their security software within these enclaves, according to the proof of concept.

Previously, the only known vulnerabilities affecting SGX enclaves were side channel attacks that leaked data being processed into the enclave but now the most recent researcher demonstrates how the enclaves can be used to conceal malware.

Executing an attack depends on the attacker’s ability to install or trick a user into installing an app that sets up a malicious enclave and the researchers have found at least four methods an attacker could use to obtain a signature key and sign a malicious enclave. 

The malware impersonates its host application and uses the new TSX-based techniques including a memory-disclosure primitive and a write-anything-anywhere primitive.

Researchers also published a proof-of-concept code for enclave malware on GitHub.

This particular vulnerability is a great example of why a security strategy that relies heavily on endpoint agents for the detection of malware is flawed,"Bob Noel, VP of Strategic Relationships for Plixer told SC Media.

"Monitoring end devices can be an important part of a security stack, but it should only be part of the overall ecosystem. A critically important technology is network traffic analysis. Any compromised device will exhibit new network traffic patterns." 

Noel said for a compromised device to deliver value to a cyber-criminal, the miscreant must communicate it with it in some manner, whether that is to steal data, exchange information with a command and control server, move laterally throughout the environment to find critical assets, or simply cause disruption to the business. 

The researchers said their results laid the foundation for future research into more realistic trust relationships between enclave and non-enclave software, as well as the mitigation of enclave malware.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews