WireTap: Breaking Server SGX via DRAM Bus Interposition
16 hours ago
- #SGX
- #Blockchain
- #Security
- Intel's Software Guard eXtensions (SGX) provides hardware-backed security for sensitive data, even against root-level attackers.
- A vulnerability in SGX allows attackers to physically inspect memory traffic using a cheap, easily built interposer device.
- The attack exploits deterministic memory encryption, enabling the extraction of SGX secret attestation keys.
- Real-world implications include breaches in SGX-backed blockchain deployments like Secret Network, Phala, Crust, and IntegriTEE.
- The attack setup involves a logic analyzer and DDR4 interposer to capture and analyze DRAM bus traffic.
- Deterministic encryption in SGX allows mapping encrypted memory to plaintext, breaking cryptographic security.
- A full key recovery against Intel SGX's Quoting Enclave (QE) was demonstrated, enabling forged SGX quotes.
- The forged quotes can bypass Intel's verification, allowing attackers to masquerade as genuine SGX hardware.
- Mitigations are limited as SGX does not protect against physical attacks; secure physical environments are recommended.
- The research highlights vulnerabilities in SGX deployments, impacting confidentiality and integrity in blockchain systems.