
How to build a penetration testing attack framework Sgx-Step for Intel SGX platform

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article shows how to build SGX-Step, a penetration testing attack framework for the Intel SGX platform.

Overview of tools

Trusted execution environments such as Intel SGX can ensure that sensitive computations remain protected even when the host computer is attacked or compromised over the network. SGX-Step, introduced in this article, is an open-source side-channel attack framework for the Intel SGX platform. It consists of a Linux kernel driver and a user-space library that let us configure untrusted page table entries and x86 APIC timer interrupts entirely from user space. We propose and evaluate an improved technique for single-stepping enclave execution at instruction-level granularity, and demonstrate how SGX-Step can be used to mount a variety of advanced attacks.

Unlike previous enclave preemption schemes, the key to SGX-Step's design is that the physical memory locations holding page table entries, the local APIC memory-mapped I/O configuration registers, and the x86 interrupt descriptor table (IDT) are made accessible through user-space virtual memory mappings. This allows an untrusted, attacker-controlled host process to easily (i) track or modify enclave page table entries, (ii) configure the APIC timer as a one-shot or periodic interrupt source, (iii) trigger inter-processor interrupts, and (iv) register custom interrupt handlers entirely in user space.

The following figure shows the hardware and software steps when our framework interrupts and resumes an SGX enclave:

1. The local APIC timer interrupt arrives within an enclaved instruction.

2. The processor executes the AEX procedure, which securely stores the execution context in the enclave's SSA frame, initializes the CPU registers, and vectors to the (user-space) interrupt handler registered in the IDT.

3. At this point, any attack-specific spy code can easily be plugged in.

4. The library returns to the user-space AEP. We modified the untrusted runtime of the official SGX SDK so that a custom AEP stub can easily be registered.

5. Next, just before executing (6) ERESUME, we configure the local APIC timer for the next interrupt by writing to the initial-count MMIO register.

Project Construction & Operation

SGX-Step requires an SGX-capable Intel processor and a Linux kernel. We evaluated it on i7-6500U/6700 CPUs running Ubuntu 16.04 (kernel version 4.15.0). The relevant Linux kernel parameters are as follows:

nox2apic: configures the local APIC device in memory-mapped I/O mode (to make use of SGX-Step's precise single-stepping features).
iomem=relaxed, no_timer_check: suppress unwanted warning messages in the kernel logs.
isolcpus=1: pins the target process to an isolated CPU core.
dis_ucode_ldr: disables CPU microcode updates.

Pass the desired boot parameters to the kernel as follows:

$ sudo vim /etc/default/grub
  # GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nox2apic iomem=relaxed no_timer_check isolcpus=1"
$ sudo update-grub && sudo reboot
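After the reboot, the parameters can be checked rather than assumed. The script below is an added example, not part of SGX-Step or the original article; its function names and sample input are constructed here. It extracts GRUB_CMDLINE_LINUX_DEFAULT from grub config text and reports which parameters from the GRUB line above are missing from a kernel command line.

```shell
#!/bin/sh
# Added example: verify the boot parameters from the GRUB line above.
# Function names and sample inputs are constructed for illustration.

REQUIRED_PARAMS="nox2apic iomem=relaxed no_timer_check isolcpus=1"

# Print each required parameter that is not a whole word of the command line.
# Usage: missing_params "<cmdline>" ["<space-separated required params>"]
missing_params() (
    set -f                          # split on whitespace without globbing
    for want in ${2:-$REQUIRED_PARAMS}; do
        found=0
        for have in $1; do
            if [ "$have" = "$want" ]; then found=1; break; fi
        done
        [ "$found" -eq 1 ] || printf '%s\n' "$want"
    done
)

# Read grub config text on stdin and print the value of the last
# uncommented GRUB_CMDLINE_LINUX_DEFAULT="..." assignment.
grub_default_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"[[:space:]]*$/\1/p' | tail -n 1
}

# Print a one-line verdict for a labelled command line.
report() {
    miss="$(missing_params "$2" | tr '\n' ' ')"
    if [ -n "$miss" ]; then
        printf '%s: missing %s\n' "$1" "$miss"
    else
        printf '%s: ok\n' "$1"
    fi
}

# Constructed sample of /etc/default/grub content, mirroring the line above.
SAMPLE_GRUB='# GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nox2apic iomem=relaxed no_timer_check isolcpus=1"'
report "sample grub config" "$(printf '%s\n' "$SAMPLE_GRUB" | grub_default_cmdline)"

# On a real host, also check what the running kernel was booted with.
if [ -r /proc/cmdline ]; then
    report "running kernel" "$(cat /proc/cmdline)"
fi
```

The parameter list describes dis_ucode_ldr, but the GRUB line above does not include it; pass it as the second argument to missing_params to check for it as well.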

Finally, in order to reproduce our research results, please make sure that C-States and SpeedStep technologies are disabled in the BIOS. The following table lists the Intel CPUs currently supported by the tool and the corresponding single-step APIC timer interval (libsgxstep/config.h):

| Model name    | CPU      | Frequency | APIC timer interval |
|---------------|----------|-----------|---------------------|
| Skylake       | i7-6700  | 3.4 GHz   | 19                  |
| Skylake       | i7-6500U | 2.5 GHz   | 25                  |
| Skylake       | i5-6200U | 2.3 GHz   | 28                  |
| Kaby Lake R   | i7-8650U | 1.9 GHz   | 34                  |
| Coffee Lake R | i9-9900K | 3.6 GHz   | 21                  |

1. Patch and install the SGX SDK

To enable and register a custom AEP stub, we modified the untrusted runtime environment of the official Intel SGX SDK:

$ git submodule init
$ git submodule update
$ ./install_SGX_driver.sh # tested on Ubuntu 16.04
$ ./patch_sdk.sh
$ ./install_SGX_SDK.sh # tested on Ubuntu 16.04

2. Build and load /dev/sgx-step

SGX-Step comes with a loadable kernel module that exports an IOCTL interface. Run the following commands to build and load the /dev/sgx-step driver:

$ cd kernel
$ make clean load

3. Build and run the test application

$ cd app/bench
$ NUM=100 STRLEN=1 make parse # alternatively vary NUM and use BENCH=1 or ZIGZAG=1
$ # (above command defaults to the Dell Inspiron 13 7359 evaluation laptop machine;
$ # use DESKTOP=1 to build for a Dell Optiplex 7040 machine)
$ # use SGX_SDK=/home/jo/sgxsdk/ for a local SDK installation
$ # use M32=1 to produce a 32-bit executable

Using SGX-Step in your project

If you want to use SGX-Step in your own project, the easiest way is to add it as a git submodule:

$ cd my/git/project
$ git submodule add git@github.com:jovanbulck/sgx-step.git
$ cd sgx-step # Now build `/dev/sgx-step` and `libsgxstep` as described above

Next, look at the Makefiles in the app directory to see how a client application links against libsgxstep and any local SGX SDK/PSW packages.
