2019
DOI: 10.46586/tches.v2020.i1.321-347

Bluethunder: A 2-level Directional Predictor Based Side-Channel Attack against SGX

Abstract: Software Guard Extension (SGX) is a hardware-based trusted execution environment (TEE) implemented in recent Intel commodity processors. By isolating the memory of security-critical applications from untrusted software, this mechanism provides users with a strongly shielded environment called enclave for executing programs safely. However, recent studies have demonstrated that SGX enclaves are vulnerable to side-channel attacks. In order to deal with these attacks, several protection techniques have been studi…

Cited by 21 publications
(19 citation statements)
References 9 publications
“…PHT BranchScope [15], Bluethunder [24] Spectre-PHT [38] BTB SBPA [1], BranchShadow [40] Spectre-BTB [38]…”
Section: μ-Arch Buffer (mentioning)
confidence: 99%
“…However, previous work showed that Intel SGX root attackers can mount high-resolution, low-noise side-channel attacks through the cache [7,46,52], branch predictors [15,24,40], page-table accesses [63,65,71], or interrupt timing [64]. In response to recent transient-execution attacks [11,53,61,67], which can extract enclave secrets from side-channel resistant software, Intel released microcode updates which flush microarchitectural buffers on every enclave entry and exit [25,29].…”
Section: B Intel SGX (mentioning)
confidence: 99%
“…For example, the slowdown of the target program and considerable communication overhead caused by triggering many branches could be leveraged as indicators of PHT attacks. In 2020, Huo et al [44] proposed Bluethunder, which is an evolutionary version of the BranchScope, creating collisions in a 2-level predictor to generate information leakage. Bluethunder makes improvements regarding the aforementioned third assumption in the BranchScope.…”
Section: PHT-based Attack (mentioning)
confidence: 99%
“…Firstly, exploring new uncovered attack surfaces that can be leveraged to attack SGX implementations is a promising research direction, which could prompt the research community to design new defending techniques to enhance the security of SGX. Moreover, most of the attack cases reviewed in Section 5 only abuse one attack surface (including [99], [91], [95], [39], [31], [69], [5], [17], [59], [21], [44], [94], [50]). Another promising research direction is to integrate newly discovered attack surfaces with those well-known ones (e.g., page table, CPU cache, and branch prediction table) to develop hybrid multi-level attack vectors with high precision.…”
Section: Future Directions (mentioning)
confidence: 99%
“…Our attack leverages the SGX-Step [74] framework to forcibly step into a victim enclave code exactly one instruction at a time. While high-frequency timer interrupts have previously been leveraged to boost microarchitectural timing attacks [36,40,48,53,75], we exploit the architectural interrupt interface itself as a deterministic controlled-channel. Our attacks rely on the key observation that interrupts can force the enclave to advance exactly one instruction at a time.…”
Section: Introduction (mentioning)
confidence: 99%