# MoLE: <u>Mitigation of Side-channel</u> Attacks against SGX via Dynamic Data <u>Location Escape</u>

Fan Lang<sup>1,2</sup>, Wei Wang<sup>1</sup>, Lingjia Meng<sup>1,2</sup>, Jingqiang Lin<sup>3</sup>, Qiongxiao Wang<sup>1</sup>, Linli Lu<sup>1</sup>

<sup>1</sup> State Ley Laboratory of Information Security, Institute of Information Engineering, China Academy of Sciences, Beijing 100089, China <sup>2</sup> School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100089, China

<sup>3</sup> School of Cyber Security, University of Sciences and Technology of China, Hefei 230027, Anhui, China

#### Abstract

Software Guard eXtension(SGX) is a set of instructions and mechanisms for memory accesses added to Intel architecture processors, which aim to provide integrity and confidentiality assurance.

Unfortunately, the security mechanism still has weakness, such as side-channel attacks(SCAs). Therefore, we propose MoLE, a dynamic data location randomization scheme to defend against SCAs and transient execution attacks that target sensitive data within enclaves. By continuously obfuscating the location of sensitive data at runtime, MoLE prevents the adversary from directly obtaining or disclosing data based on data access patterns.

# **SGX** (Software Guard Extensions)

- SGX can provide applications trusted execution environments, called enclave
  - Isolated from the OS by the hardware processor
  - Encrypted using processor-specific keys
  - Ensure the confidentiality and integrity of data and code in enclave
- Vulnerable to SCA



# **Cache SCA**

- Characteristics of cache side-channel attacks
  - No need to access the code or data in the isolated execution environment
  - By analyzing the cache side-channel information to indirectly obtain the key information
  - Such as, Prime + Probe





# Page Table SCA

- Characteristics of page table side-channel attacks
  - No need to access the target pages
  - By analyzing the page table side-channel information to indirectly obtain the key information



### **Meltdown-type Attack**

- Characteristics of page table side-channel attacks
  - Getting unauthorized access to the data with transient execution driven by fault or assist
  - Combining Flush + Reload Cache SCA
  - Such as, Foreshadow





# Solution—MoLE

- Basic idea
  - Constantly changing location of sensitive data at runtime to obfuscate the data access patterns
- Challenge
  - How to achieve untraceable data obfuscation against privileged attackers with single-step capability?
  - How to design a defense that is generalizable and relatively transparent to the target application?



# Technology

- TSX (Transactional Synchronization Extension)
  - TSX is Intel's implementation of hardware transactional memory (HTM)
    - > Operations within a transaction are atomic
    - > An interruption or exception causes a rollback
    - ➢ XBEGIN, XEND, XABORT, and XTEST
  - Support for multi-threading
  - Resistant to single-step behavior

### **Threat Model**

- Attackers have full control over the OS
  - Generate interruptions to single-step the target application
  - Block, replay, read, and modify all message outside enclaves

- Attackers have the ability to launch the following attacks
  - Cache SCAs
  - Page table SCAs
  - Meltdown-type transient execution attacks
- Do not consider LLC SCAs



### MoLE

MoLE defeats attacks by altering the sensitive data's location dynamicly at runtime, which we call dynamic data location *Escape*.



Embraced in a single transaction



### **Tunnels**

A designated portion of the enclave heap to store the sensitive data



The Tunnels has l (Each L1d cache set consists of l cache lines) items in the page list

# **Escape Function**

Computing new addresses for data Escape

Algorithm 1 The process of *Escape*.

- **Input:** The page list of MoLE *PL*, *PL* has *l* items; The last location of data  $L_O \in PL[i]$ ,  $0 \le i \le l$  and the size of data  $Size_{Data}$ ; The random numbers stored in RCX and RDX,  $R_C$ ,  $R_D$ ;
- **Output:** The new location of data,  $L_N$ ; The location of unrelated data,  $L_U$ ;
  - 1:  $L_B = [L_O \oplus R_C]_{NearBlock}$ ;  $L_B$  is the nearest free block to the result;
  - 2:  $L_N = L_B + R_D \mod(Size_B Size_{Data})$ ,  $L_N \in PL[i]$ ,  $0 \le j \le l$ ; Size\_B is the size of  $L_B$ ;
  - 3: for  $k = 0 \rightarrow l 1$  do
  - 4: L<sub>U</sub>[k] = PL[k] + (L<sub>N</sub>- PL[j] + k \* Size<sub>Data</sub>) mod (Size<sub>PL[j]</sub> - Size<sub>Data</sub>), k ≠ i, k ≠ j;
    5: end for

Feint accesses

### Implementation

#### Runtime Library

| Interface                                       | Purpose                                                                   |  |  |  |
|-------------------------------------------------|---------------------------------------------------------------------------|--|--|--|
| int MoLEInit()                                  | (ECALL) Allocate memory for the <i>Tunnels</i> and organize it            |  |  |  |
| IIIt MOLEIIII()                                 | RET: the <i>Tunnels</i> status                                            |  |  |  |
| void* MoLEMalloc(uint64_t ptr_size)             | Allocate buffer from the <i>Tunnels</i>                                   |  |  |  |
|                                                 | RET: allocation pointer, ptr_size: allocation size                        |  |  |  |
| uint64 MoLEMallocSize(void* ptr)                | Get allocation buffer size                                                |  |  |  |
|                                                 | RET: buffer size, ptr: buffer pointer                                     |  |  |  |
| void MoLEscape(void <sup>*</sup> ptr)           | If the buffer access reaches the access threshold, data <i>Escapes</i>    |  |  |  |
| volu wollescape(volu ph)                        | ptr: buffer pointer                                                       |  |  |  |
| void* MoLERealloc(void* ptr, uint64_t ptr_size) | Expand buffer size                                                        |  |  |  |
|                                                 | RET: new buffer pointer, ptr: original pointer, ptr_size: new buffer size |  |  |  |
| void MoLEFree(void* ptr)                        | Release buffer to the <i>Tunnels</i>                                      |  |  |  |
|                                                 | ptr: buffer pointer                                                       |  |  |  |

Encapsulating the operations for the *Tunnels* and the *Tunnels* data structure

### Implementation

#### LLVM Pass



Instrumenting the application enclave code about the annotation variables at the intermediate representation (IR) level

### **Implementation**

- Taint Tracking
  - There may be taint propagation when accessing sensitive data by some instructions
    - ≻ load
    - ≻ call



### Analysis

- Cache SCA
  - Prime + Probe
    - Escape evicts the preloaded data of various cache lines
- Page table SCA
  - Escape would allow sensitive data to be located on any page in the Tunnels
- Meltdown-type attack
  - > Escape make it difficult to get the exact location of the data
- Single-step tracking
  - TSX will roll operations within a transaction back to invalidate single-step tracking

- Cache SCA
  - As the access threshold T decreases, the cache access pattern becomes chaotic



- Page table SCA
  - With the Escape, the patterns of these two variables become confusing



(a) Without Escape

(b) The threshold of *Escape* T = 256

(c) The threshold of *Escape* T = 128

- Meltdown-type attack
  - Foreshadow
    - > The amount of stolen data decreases as the threshold T decrease



- > Nbench
  - When T∈{4,8,16,32,64,128}, the overhead is 7.89×, 4.78×, 3.14×, 2.29×, 1.89x, and 1.48×.



- > Nbench
  - Data size
  - Multi-threading



### **Related Work**

- Limiting concurrency
  - Usage restrictions (multi-threading)
- Obfuscation
  - Weak for single-step tracking

| Defensive                             | Scheme       | Protection scope      |                |               | Muti-      | Single-step |
|---------------------------------------|--------------|-----------------------|----------------|---------------|------------|-------------|
| concept                               | Scheme       | Cache SCA             | Page table SCA | Meltdown-type | threading  | tracking    |
| Limit interruption or concurrency     | Déjà Vu [14] | ~                     | ✓              | ×             | ✓          | ~           |
|                                       | Racing [13]  | <ul> <li>✓</li> </ul> | ×              | ×             | restricted | ~           |
|                                       | VARYS [32]   | ~                     | ×              | ×             | restricted | ~           |
| Isolate or obfuscate shared resources | T-SGX [39]   | <b>×</b>              | ✓              | ×             | ~          | ~           |
|                                       | Cloak [19]   | <ul> <li>✓</li> </ul> | ×              | ×             | ~          | ~           |
|                                       | KLOTSKI [48] | ×                     | ✓              | ×             | -          | ×           |
|                                       | OBFSCURO [5] | <ul> <li>✓</li> </ul> | ✓              | ×             | -          | ×           |
|                                       | DR.SGX [6]   | <ul> <li>✓</li> </ul> | ✓              | ✓             | ×          | ×           |
|                                       | MoLE         | ~                     | ~              | ~             | ✓          | ~           |

Limited defense range

