
Researchers exploit Intel SGX to hide malware


A team of researchers has discovered a way to run malicious code on systems with Intel chips in such a way that antivirus software is unable to detect it.

When the chip giant released its Skylake processors back in 2015, the company included a new feature called Software Guard eXtensions (SGX) that allows developers to isolate applications inside secure enclaves. 

The enclaves operate within a hardware-isolated section of the CPU's processing memory where applications can carry out operations dealing with sensitive details such as encryption keys, passwords, user data and more.

Researchers Michael Schwarz, Samuel Weiser and Daniel Gruss (who helped discover last year's Spectre attack) published a paper detailing how they were able to use SGX enclaves to hide malware that is undetectable by today's security solutions.

Malicious enclaves

Intel has made it difficult to create and load a malicious enclave by requiring SGX to only accept and launch enclaves that have been signed with a signature key from an internal whitelist of approved keys.

While these keys are usually only given to approved developers, the researchers discovered four ways an attacker could gain access to a signature key to sign a malicious enclave. A malicious enclave would still have difficulty infecting a system because SGX enclaves are restricted to a few commands and lack access to the operations carried out by a local operating system. 

However, the researchers were able to bypass this limitation by using a return-oriented programming (ROP) exploitation technique to piggy-back on Intel Transactional Synchronization eXtensions (TSX). This gave the enclave access to a wider set of commands than normal, which could be used to carry out an attack.

Despite the fact that the team exploited SGX to run malicious code for research purposes, the discovery has huge cybersecurity implications since today's security products are unequipped to detect malware running inside an SGX enclave.

The researchers' paper, titled “Practical Enclave Malware with Intel SGX”, has now been published and it is certainly worth a read for those who want to learn more.

Via Ars Technica

Anthony Spadafora
