RAIDING FORT KNOX —

SGX, Intel’s supposedly impregnable data fortress, has been breached yet again

ÆPIC Leak spills users' most sensitive secrets in seconds from SGX enclaves.

SGX, Intel’s supposedly impregnable data fortress, has been breached yet again
Intel

Intel’s latest generation of CPUs contains a vulnerability that allows attackers to obtain encryption keys and other confidential information protected by the company’s software guard extensions, the advanced feature that acts as a digital vault for security users’ most sensitive secrets.

Abbreviated as SGX, the protection is designed to provide a fortress of sorts for the safekeeping of encryption keys and other sensitive data, even when the operating system or a virtual machine running on top is maliciously compromised. SGX works by creating trusted execution environments that protect sensitive code and the data it works with from monitoring or tampering by anything else on the system.

Cracks in Intel’s foundational security

SGX is a cornerstone of the security assurances many companies provide to users. Servers used to handle contact discovery for the Signal Messenger, for instance, rely on SGX to ensure the process is anonymous. Signal says running its advanced hashing scheme provides a “general recipe for doing private contact discovery in SGX without leaking any information to parties that have control over the machine, even if they were to attach physical hardware to the memory bus.”

The example is purely hypothetical. Signal spokesperson Jun Harada wrote in an email: “Intel alerted us to this paper... and we were able to verify that the CPUs that Signal uses are not impacted by the findings of this paper and therefore are not vulnerable to the stated attack.”

Key to the security and authenticity assurances of SGX is its creation of what are called "enclaves," or blocks of secure memory. Enclave contents are encrypted before they leave the processor and are written in RAM. They are decrypted only after they return. The job of SGX is to safeguard the enclave memory and block access to its contents by anything other than the trusted part of the CPU.

Enter ÆPIC Leak

Since 2018, researchers have poked at least seven serious security holes in SGX, some of which completely undermined the assurances Intel makes about them. On Tuesday, a research paper publicly identified a new hole, which also completely breaks SGX guarantees in most 10th, 11th, and 12th generation Intel CPUs. The chipmaker said it released mitigations that prevent the researchers’ proof-of-concept exploit from working any longer. The researchers will present their findings on Wednesday at the Black Hat security conference in Las Vegas.

A list showing which Intel CPUs are vulnerable.
Enlarge / A list showing which Intel CPUs are vulnerable.
Borrello et al.

The vulnerability resides in APIC, short for Advanced Programmable Interrupt Controller. APIC is a mechanism built into many modern CPUs that manages and routes interrupts, which are signals generated by hardware or software that cause the CPU to stop its current task so it can process a higher-priority event. The researchers who discovered the flaw have named the vulnerability and their proof-of-concept exploit ÆPIC Leak.

An overview of ÆPIC Leak.
Enlarge / An overview of ÆPIC Leak.
Borrello et al.

The bug that makes ÆPIC Leak possible is what’s known as an uninitialized memory read, which happens when memory space isn't cleared after the CPU is done processing it, causing the leak of old data that is no longer needed. Unlike previous CPU flaws with names like Spectre, Meltdown, Foreshadow, and RIDL/Fallout/ZombieLoad—which were the result of transient execution creating side channels that revealed private data—ÆPIC Leak is an architectural flaw that resides in the CPU itself.

Channel Ars Technica