A team of researchers have discovered a way to run malicious code on systems with Intel chips in such a way that antivirus software is unable to detect it.
When the chip giant released its Skylake processors back in 2015, the company included a new feature called Software Guard eXtensions (SGX) that allows developers to isolate applications inside secure enclaves.
The enclaves operate within a hardware-isolated section of the CPU’s processing memory where applications can carry out operations dealing with sensitive details such as encryption keys, passwords, user data and more.
Researchers Michael Schwarz, Samuel Weiser and Daniel Gruss (who helped discover last year’s Spectre attack) published a paper detailing how they were able to use SGX enclaves to hide malware that is undetectable by today’s security solutions.
Intel has made it difficult to create and load a malicious enclave by requiring SGX to only accept and launch enclaves that have been signed with a signature key from an internal whitelist of approved keys.
While these keys are usually only given to approved developers, the researchers discovered four ways an attacker could gain access to a signature key to sign a malicious enclave. A malicious enclave would still have difficulty infecting a system because SGX enclaves are restricted to a few commands and lack access to the operations carried out by a local operating system.
However, the researchers were able to bypass this limitation by using a return-oriented programming (ROP) exploitation technique to piggy-back on Intel Transcational Synchronization eXtensions (TSX). This gave the enclave access to a wider set of commands than normal which could be used to carry out an attack.
Despite the fact that the team exploited SGX to run malicious code for research purposes, the discovery has huge cybersecurity implications since today’s security products are unequipped to detect malware running inside an SGX enclave.
The researchers’ paper titled “Practical Enclave Malware with Intel SGX” has now been published and it is certainly worth a read for those that want to learn more.
Via Ars Technica