Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Intel Security Operating Systems Programming Software

Researchers Use Intel SGX To Put Malware Beyond the Reach of Antivirus Software (arstechnica.com) 63

An anonymous reader shares an excerpt from an Ars Technica report: Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware can't be analyzed or identified by antivirus software, using the processor's own features to protect the bad code. As well as making malware in general harder to examine, bad actors could use this protection to, for example, write ransomware applications that never disclose their encryption keys in readable memory, making it substantially harder to recover from attacks. The research, performed at Graz University of Technology by Michael Schwarz, Samuel Weiser, and Daniel Gruss (one of the researchers behind last year's Spectre attack), uses a feature that Intel introduced with its Skylake processors called SGX ("Software Guard eXtensions"). SGX enables programs to carve out enclaves where both the code and the data the code works with are protected to ensure their confidentiality (nothing else on the system can spy on them) and integrity (any tampering with the code or data can be detected). The contents of an enclave are transparently encrypted every time they're written to RAM and decrypted upon being read. The processor governs access to the enclave memory: any attempt to access the enclave's memory from code outside the enclave is blocked; the decryption and encryption only occurs for the code within the enclave.

SGX has been promoted as a solution to a range of security concerns when a developer wants to protect code, data, or both, from prying eyes. For example, an SGX enclave running on a cloud platform could be used to run custom proprietary algorithms, such that even the cloud provider cannot determine what the algorithms are doing. On a client computer, the SGX enclave could be used in a similar way to enforce DRM (digital rights management) restrictions; the decryption process and decryption keys that the DRM used could be held within the enclave, making them unreadable to the rest of the system. There are biometric products on the market that use SGX enclaves for processing the biometric data and securely storing it such that it can't be tampered with. SGX has been designed for this particular threat model: the enclave is trusted and contains something sensitive, but everything else (the application, the operating system, and even the hypervisor) is potentially hostile. While there have been attacks on this threat model (for example, improperly written SGX enclaves can be vulnerable to timing attacks or Meltdown-style attacks), it appears to be robust as long as certain best practices are followed.

This discussion has been archived. No new comments can be posted.

Researchers Use Intel SGX To Put Malware Beyond the Reach of Antivirus Software

Comments Filter:
  • by zlives ( 2009072 ) on Tuesday February 12, 2019 @05:18PM (#58112014)

    DRM the gift that keeps on sucking dick.

    sorry about the rough language but this is about all that DRM deserves.

  • The computing industry has gone downhill fast. It had a promising start with open systems and software, but now everything is about proprietary crap and hiding what the computer is doing.
    • by dryriver ( 1010635 ) on Tuesday February 12, 2019 @05:49PM (#58112176)
      That is because the investor capital that powers the computing industry today comes from feckless investors who don't give a crap whether computing goes downhill or uphill. People keep talking about "Intel, AMD, Apple, Nvidia, Microsoft". It is the ANONYMOUS investors who SUPPLY the MONEY that keeps these supposed powerhouses humming that DO NOT CARE what quality of computing gear or software is provided to the end customer. These guys want to put 5 Billion in, and get 15 Billion out 3 years later. Producing IT stuff that "actually works well" is not something they care about, because it is more expensive and cuts into profits. Then there is also the "sociopathic bevavior disorder" that frequently comes with having a lot of cash-slash-power. Its probably lots of fun for these investors to a) sell shit products to the end user and b) make a lot of extra profit BY VIRTUE of selling shit products to the end user. You eat shit while they buy another hotel chain or budget airline. Seriously, it is the completely INVISIBLE and UNACCOUNTABLE investors behind big IT that call the shots, not product engineers at Intel, Apple, or Microsoft. Name 1 computing science graduate you know who would have afflicted the attrocity that was Windows 8/10 on an end user of their own volition. It is the investors BEHIND the companies that are calling the shots in the 21st Century, not people with CS or EE degrees that actually CARE what they give the end user.
      • I totally agree. Greed ruined computing when the sociopathic MBAs moved in and pushed the geeks out of the decision making. Pretty sad, but fairly typical. Once money is to be made, the MBAs move in.
        • The MBAs essentially get paid to divert attention AWAY from the big investors calling the real shots behind the scenes. Everbody focuses on Jimmy J. Doe or whatever, the asshole MBA CEO who takes a once great software or hardware maker and turns it into a manufacturer of turds. It isn't Jimmy J. Doe the MBA who calls the shots - the really big investors do that behind the scenes. Jimmy J. Doe the MBA gets his salary and bonus for APPEARING to run the company. He doesn't. His job is to keep unhappy customer'
          • The investors are MBAs too. Trust me, I have worked in the industry and know all about private investment funds coming in and changing everything.
      • by epine ( 68316 )

        It is the investors BEHIND the companies that are calling the shots ...

        You know, if you track it all the way through, the Wizard of Oz has a surprise ending.

        The Man Behind the Curtain [tvtropes.org]
        Big Shadow, Little Creature [tvtropes.org]

        Greedy people do shitty things behind closed doors. News at 11.

      • So the solution would be to remove those investors?

  • by ugen ( 93902 ) on Tuesday February 12, 2019 @05:21PM (#58112046)

    So a protected execution environment is protected from the rest of the system. Works as designed, then. That's the issue with anything (like weapons) - they don't differentiate whether they are used by "good" or "bad" guys (but for practical purposes "bad" guys get a lot more use out of them because they use these tools proactively, whereas "good" guys would only use them reactively).

    • by zlives ( 2009072 )

      "(the application, the operating system, and even the hypervisor) is potentially hostile" sounds like it was designed to be used for spyware. I guess it is working as advertised.

  • by Anonymous Coward on Tuesday February 12, 2019 @05:23PM (#58112058)

    Intel: Let's develop an architecture where an application can run with full protection from anything else running on the system.

    Malware authors: *writes malware to run on architecture*

    Intel: surprisedpikachu.png

  • by Anonymous Coward

    One rock can shatter it but you don't get the benefit of looking in.

  • by bobstreo ( 1320787 ) on Tuesday February 12, 2019 @05:33PM (#58112102)

    to mine bitcoins on other peoples computers.

  • by WoodstockJeff ( 568111 ) on Tuesday February 12, 2019 @05:40PM (#58112130) Homepage

    Doing a search on how to disable SGX, I found an article on how this can be used to write secure botnets... dated 2014. It's taken this long to publicly announce that this is a "bad thing"?

  • "Researchers Use Intel SGX To Put Malware Beyond the Reach of Antivirus Software" actually sounds pretty cool from a technical point of view. Terrifying, but also cool. It would have been way cooler if the headline was "Researchers use Intel SGX to Put Operating Systems and their Associated Software Beyond the Reach of Malware" or even better, "Operating System Vendors use Intel SGX to Protect their Users from Malware"
  • Is this pretty much an every OS issue like Spectre/Meltdown?
    • by Altrag ( 195300 )

      It's in the chip so.. every intel-based system is vulnerable. Just a question of how easy through os makes it to abuse those powers.. and pretty much all os' will make it easy (at least for admin/root/whatever) because that's the entire function -- you can't enable "good" uses without also enabling "bad" uses.
      Of course that only becomes relevant once average consumers care about "good" usages (playing movies or games or whatever drm crap it's actually a designed for.) Prior to that happening, consumer-foc

  • "Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware can't be analyzed or identified by antivirus software, using the processor's own features to protect the bad code"

    Well now we're fucked.

  • I clearly recall Internet Explorer being announced with "Features that make developers smile". I think this was IE6 And yes, it made all hackers laugh out loud. It made developers cry off course about the new load of attack vectors. "SGX has been promoted as a solution to a range of security concerns when a developer wants to protect code, data, or both, from prying eyes." It does not take more than two seconds to realize that this "feature" is far more beneficial to malware than to user-approved softwa
  • I feel nostalgic for the times when customer backlash forced Intel to withdraw the "Processor Serial Number" misfeature from their new Pentium III CPUs. And this was back when the x86 architecture was the undisputed king, not on the path to irrelevance like it's now.

"Conversion, fastidious Goddess, loves blood better than brick, and feasts most subtly on the human will." -- Virginia Woolf, "Mrs. Dalloway"

Working...