Differences
This shows you the differences between two versions of the page.
— | pubs:asyncshock [2018-06-03 14:10] (current)
---|---
Line 1: | Line 1: | ||
+ | ====== AsyncShock: Exploiting Synchronisation Bugs in Intel SGX Enclaves ====== | ||
+ | ==== Abstract ==== | ||
+ | |||
+ | Intel’s Software Guard Extensions (SGX) provide a new hardware-based | ||
+ | trusted execution environment on Intel CPUs using secure | ||
+ | enclaves that are resilient to accesses by privileged code and physical | ||
+ | attackers. Originally designed for securing small services, SGX bears | ||
+ | promise to protect complex, possibly cloud-hosted, | ||
+ | In this paper, we show that previously considered harmless synchronisation | ||
+ | bugs can turn into severe security vulnerabilities when using SGX. | ||
+ | By exploiting use-after-free and time-of-check-to-time-of-use (TOCTTOU) | ||
+ | bugs in enclave code, an attacker can hijack its control flow or bypass | ||
+ | access control. | ||
+ | |||
+ | We present AsyncShock, a tool for exploiting synchronisation bugs of | ||
+ | multithreaded code running under SGX. AsyncShock achieves this by | ||
+ | only manipulating the scheduling of threads that are used to execute | ||
+ | enclave code. It allows an attacker to interrupt threads by forcing segmentation | ||
+ | faults on enclave pages. Our evaluation using two types of Intel | ||
+ | Skylake CPUs shows that AsyncShock can reliably exploit use-after-free | ||
+ | and TOCTTOU bugs. | ||
+ | |||
+ | |||
+ | ==== Download ==== | ||
+ | |||
+ | [[https:// |
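Review bot: the Abstract sentence that ends at "promise to protect complex, possibly cloud-hosted," breaks off before "In this paper, we show ...", so the object of "protect" is missing and the two sentences run together; the full sentence from the paper's abstract should be restored rather than left truncated. The Download section likewise ends with an unclosed DokuWiki link `[[https://` that has neither a URL nor the closing `]]`, which will render as a broken link; either complete the link with the PDF URL or leave the section out until it is available.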