Summary
Independent researchers have separately published methods to attack Intel® Software Guard Extensions (Intel® SGX) with a physical interposer device.
In the WireTap paper, researchers from Georgia Tech and Purdue University used a passive interposer to read the ciphertext of low-entropy data in memory and build a ciphertext-to-plaintext dictionary.
In the Battering RAM paper, researchers from KU Leuven and the University of Birmingham developed a custom interposer that actively aliases memory to gain arbitrary read/write access into Intel SGX-protected memory.
Both research teams assume a physical adversary with direct access to the hardware and a memory bus interposer. Both methods can then be used to attack Intel SGX-protected assets, including Intel SGX attestation keys. Such attacks are outside the protection boundary of memory encryption based on Advanced Encryption Standard XEX-based Tweaked Codebook Mode with Ciphertext Stealing (AES-XTS), as originally stated in the 2021 Intel publication Supporting Intel® SGX on Multi-socket Platforms. Because AES-XTS memory encryption provides only limited confidentiality protection, and no integrity or anti-replay protection, against attackers with physical capabilities, Intel does not plan to issue a CVE.
Using the cryptographic integrity protection mode of Intel® Total Memory Encryption - Multi-Key (Intel® TME-MK) can provide additional protection against alias-based attacks, such as those outlined in the Battering RAM paper. This feature is available on 5th Generation Intel® Xeon® processors (formerly codenamed Emerald Rapids) and the Intel® Xeon® 6 processor family with P-cores (formerly codenamed Granite Rapids).
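To make concrete what the advisory means by "limited confidentiality protection, and no integrity or anti-replay protection", the following simulation is added here as an illustration; it is not Intel's code and does not model the actual cipher or tag construction of any Intel product. An HMAC-based Feistel network keyed by the physical address stands in for AES-XTS (deterministic, address-tweaked, no integrity), and an 8-byte HMAC tag bound to the address stands in for an integrity mode such as the one TME-MK offers. The key, line size and addresses are constructed values. Note that the toy integrity tag, like the properties the advisory describes, detects aliasing and corruption but provides no freshness: replaying an old line together with its old tag at the same address would still be accepted.

```python
import hashlib
import hmac

# Constructed demo key; real platforms derive memory-encryption keys in hardware.
KEY = b"constructed-demo-key-not-a-platform-key"
LINE = 16   # toy memory-line size in bytes (real cache lines are 64 bytes)
HALF = LINE // 2
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, addr: int, rnd: int, half: bytes) -> bytes:
    # Feistel round function keyed by (key, physical address, round index).
    msg = addr.to_bytes(8, "big") + bytes([rnd]) + half
    return hmac.new(key, msg, hashlib.sha256).digest()[:HALF]


def tweakable_encrypt(key: bytes, addr: int, plaintext: bytes) -> bytes:
    """Deterministic, address-tweaked encryption of one line (XTS-like toy)."""
    assert len(plaintext) == LINE
    left, right = plaintext[:HALF], plaintext[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round(key, addr, rnd, right))
    return left + right


def tweakable_decrypt(key: bytes, addr: int, ciphertext: bytes) -> bytes:
    """Inverse of tweakable_encrypt; any LINE-byte input 'decrypts' without error."""
    assert len(ciphertext) == LINE
    left, right = ciphertext[:HALF], ciphertext[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, addr, rnd, left)), left
    return left + right


def mac_tag(key: bytes, addr: int, ciphertext: bytes) -> bytes:
    # Integrity mode (toy): the tag binds the ciphertext to the address it was
    # written at, so a line that is moved or modified no longer verifies.
    msg = addr.to_bytes(8, "big") + ciphertext
    return hmac.new(key + b"|mac", msg, hashlib.sha256).digest()[:8]


def integrity_decrypt(key: bytes, addr: int, ciphertext: bytes, tag: bytes):
    """Returns the plaintext, or None when the line fails its integrity check."""
    if not hmac.compare_digest(mac_tag(key, addr, ciphertext), tag):
        return None
    return tweakable_decrypt(key, addr, ciphertext)


def run_demo() -> dict:
    secret = b"\x00" * 15 + b"\x01"     # constructed low-entropy value (flag/counter)
    addr_a, addr_b = 0x1000, 0x2000     # constructed physical addresses

    ct_a1 = tweakable_encrypt(KEY, addr_a, secret)
    ct_a2 = tweakable_encrypt(KEY, addr_a, secret)   # same value written again later
    ct_b = tweakable_encrypt(KEY, addr_b, secret)
    tag_a = mac_tag(KEY, addr_a, ct_a1)

    return {
        # Confidentiality limit: equal plaintext at an equal address yields equal
        # ciphertext, so a repeated low-entropy value is recognisable on the bus.
        "same_addr_same_ct": ct_a1 == ct_a2,
        "diff_addr_diff_ct": ct_a1 != ct_b,
        # No integrity: a line aliased from addr_a to addr_b decrypts to garbage
        # silently instead of being rejected.
        "alias_silently_decrypts": tweakable_decrypt(KEY, addr_b, ct_a1) != secret,
        "alias_is_not_an_error": isinstance(tweakable_decrypt(KEY, addr_b, ct_a1), bytes),
        # Integrity mode: the address-bound tag rejects the aliased line ...
        "integrity_rejects_alias": integrity_decrypt(KEY, addr_b, ct_a1, tag_a) is None,
        # ... and still accepts the untouched line at its original address.
        "integrity_accepts_original": integrity_decrypt(KEY, addr_a, ct_a1, tag_a) == secret,
        # Round-trip sanity check of the toy cipher.
        "roundtrip": tweakable_decrypt(KEY, addr_a, ct_a1) == secret,
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Every entry of the returned dictionary is expected to be True. The first two entries show why deterministic per-address encryption leaks equality of low-entropy values to a passive bus observer; the aliasing entries show why a mode without integrity cannot distinguish a relocated or corrupted line from a valid one, and why an address-bound integrity tag closes that specific gap.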
Relying parties should understand the physical protection properties of the platforms they are trusting. Platform owners can demonstrate which platforms they control (and thereby the physical protection those platforms have) by identifying, during attestation, which platform certificates they hold.
Acknowledgements
Intel would like to thank Alex Seto (Purdue), Oytun Kuday Duran (Georgia Tech), Samy Amer (Georgia Tech), Jalen Chuang (Georgia Tech), Stephan van Schaik (van Schaik LLC), Daniel Genkin (Georgia Tech) and Christina Garman (Purdue) for responsibly reporting WireTap to us.
Intel would like to thank Jesse De Meulemeester (KU Leuven), David Oswald (University of Birmingham), Ingrid Verbauwhede (KU Leuven), and Jo Van Bulck (KU Leuven) for responsibly reporting Battering RAM to us.
References
S. Johnson, R. Makaram, A. Santoni, V. Scarlata, “Supporting Intel® SGX on Multi-Socket Platforms,” Intel, 2021.