
Researchers Use Intel SGX To Put Malware Beyond the Reach of Antivirus Software (arstechnica.com)

An anonymous reader shares an excerpt from an Ars Technica report: Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware can't be analyzed or identified by antivirus software, using the processor's own features to protect the bad code. As well as making malware in general harder to examine, bad actors could use this protection to, for example, write ransomware applications that never disclose their encryption keys in readable memory, making it substantially harder to recover from attacks. The research, performed at Graz University of Technology by Michael Schwarz, Samuel Weiser, and Daniel Gruss (one of the researchers behind last year's Spectre attack), uses a feature that Intel introduced with its Skylake processors called SGX ("Software Guard eXtensions"). SGX enables programs to carve out enclaves where both the code and the data the code works with are protected to ensure their confidentiality (nothing else on the system can spy on them) and integrity (any tampering with the code or data can be detected). The contents of an enclave are transparently encrypted every time they're written to RAM and decrypted upon being read. The processor governs access to the enclave memory: any attempt to access the enclave's memory from code outside the enclave is blocked; the decryption and encryption only occurs for the code within the enclave.

SGX has been promoted as a solution to a range of security concerns when a developer wants to protect code, data, or both, from prying eyes. For example, an SGX enclave running on a cloud platform could be used to run custom proprietary algorithms, such that even the cloud provider cannot determine what the algorithms are doing. On a client computer, the SGX enclave could be used in a similar way to enforce DRM (digital rights management) restrictions; the decryption process and decryption keys that the DRM used could be held within the enclave, making them unreadable to the rest of the system. There are biometric products on the market that use SGX enclaves for processing the biometric data and securely storing it such that it can't be tampered with. SGX has been designed for this particular threat model: the enclave is trusted and contains something sensitive, but everything else (the application, the operating system, and even the hypervisor) is potentially hostile. While there have been attacks on this threat model (for example, improperly written SGX enclaves can be vulnerable to timing attacks or Meltdown-style attacks), it appears to be robust as long as certain best practices are followed.
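Because the research above only matters on hosts where the CPU actually exposes SGX, a defender's first step is an inventory. The following is an added example, not code from the Ars Technica article or from the Graz researchers: it decodes the SGX feature bits that Intel documents in CPUID (leaf 7: SGX and Launch Control; leaf 0x12: SGX1/SGX2 and the EPC sections that hold enclave memory) and, on x86, queries the live CPU. The decoders take raw register values so they can be checked on constructed input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* SGX capability bits as documented for CPUID (leaf 7 subleaf 0, leaf 0x12 subleaf 0). */
typedef struct {
    bool sgx;     /* CPUID.(EAX=7,ECX=0):EBX[bit 2]    - silicon supports SGX          */
    bool sgx_lc;  /* CPUID.(EAX=7,ECX=0):ECX[bit 30]   - Launch Control (custom launch key) */
    bool sgx1;    /* CPUID.(EAX=0x12,ECX=0):EAX[bit 0] - SGX1 instructions available    */
    bool sgx2;    /* CPUID.(EAX=0x12,ECX=0):EAX[bit 1] - SGX2 (dynamic enclave memory)  */
} sgx_caps;

/* Pure decoder: leaf 0x12 is only meaningful when leaf 7 advertises SGX. */
sgx_caps decode_sgx_caps(uint32_t leaf7_ebx, uint32_t leaf7_ecx, uint32_t leaf12_eax)
{
    sgx_caps c;
    c.sgx    = (leaf7_ebx >> 2) & 1u;
    c.sgx_lc = (leaf7_ecx >> 30) & 1u;
    c.sgx1   = c.sgx && ((leaf12_eax >> 0) & 1u);
    c.sgx2   = c.sgx && ((leaf12_eax >> 1) & 1u);
    return c;
}

/* EPC section entry (leaf 0x12, subleaf >= 2): size in bytes, or 0 if the entry is not an EPC section.
   Layout: EAX[3:0] = type (1 = EPC), ECX[31:12] = size bits 31:12, EDX[19:0] = size bits 51:32. */
uint64_t decode_epc_size(uint32_t eax, uint32_t ecx, uint32_t edx)
{
    if ((eax & 0xFu) != 1u) return 0;
    return ((uint64_t)(edx & 0xFFFFFu) << 32) | (ecx & 0xFFFFF000u);
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
int main(void)
{
    unsigned eax, ebx, ecx, edx, l7_ebx, l7_ecx, l12_eax = 0;
    unsigned max_leaf = __get_cpuid_max(0, NULL);   /* highest basic leaf this CPU supports */
    if (max_leaf < 7) { puts("CPUID leaf 7 unavailable; SGX cannot be present"); return 0; }
    __cpuid_count(7, 0, eax, ebx, ecx, edx);
    l7_ebx = ebx; l7_ecx = ecx;
    if (max_leaf >= 0x12) { __cpuid_count(0x12, 0, eax, ebx, ecx, edx); l12_eax = eax; }
    sgx_caps c = decode_sgx_caps(l7_ebx, l7_ecx, l12_eax);
    printf("SGX=%d SGX1=%d SGX2=%d launch-control=%d\n", c.sgx, c.sgx1, c.sgx2, c.sgx_lc);
    if (c.sgx && max_leaf >= 0x12) {
        __cpuid_count(0x12, 2, eax, ebx, ecx, edx);   /* first EPC section */
        printf("first EPC section: %llu MiB\n",
               (unsigned long long)(decode_epc_size(eax, ecx, edx) >> 20));
    }
    return 0;
}
#endif
```

A set SGX bit in leaf 7 only says the silicon has the feature; whether firmware enabled it (IA32_FEATURE_CONTROL) is what determines if enclaves can actually be launched, and hypervisors commonly hide leaf 0x12 from guests, so run this on the host, not in a VM.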

  • by zlives ( 2009072 ) on Tuesday February 12, 2019 @06:18PM (#58112014)

    DRM the gift that keeps on sucking dick.

    sorry about the rough language but this is about all that DRM deserves.

  • The computing industry has gone downhill fast. It had a promising start with open systems and software, but now everything is about proprietary crap and hiding what the computer is doing.
    • by dryriver ( 1010635 ) on Tuesday February 12, 2019 @06:49PM (#58112176)
      That is because the investor capital that powers the computing industry today comes from feckless investors who don't give a crap whether computing goes downhill or uphill. People keep talking about "Intel, AMD, Apple, Nvidia, Microsoft". It is the ANONYMOUS investors who SUPPLY the MONEY that keeps these supposed powerhouses humming that DO NOT CARE what quality of computing gear or software is provided to the end customer. These guys want to put 5 Billion in, and get 15 Billion out 3 years later. Producing IT stuff that "actually works well" is not something they care about, because it is more expensive and cuts into profits. Then there is also the "sociopathic bevavior disorder" that frequently comes with having a lot of cash-slash-power. Its probably lots of fun for these investors to a) sell shit products to the end user and b) make a lot of extra profit BY VIRTUE of selling shit products to the end user. You eat shit while they buy another hotel chain or budget airline. Seriously, it is the completely INVISIBLE and UNACCOUNTABLE investors behind big IT that call the shots, not product engineers at Intel, Apple, or Microsoft. Name 1 computing science graduate you know who would have afflicted the attrocity that was Windows 8/10 on an end user of their own volition. It is the investors BEHIND the companies that are calling the shots in the 21st Century, not people with CS or EE degrees that actually CARE what they give the end user.
      • I totally agree. Greed ruined computing when the sociopathic MBAs moved in and pushed the geeks out of the decision making. Pretty sad, but fairly typical. Once money is to be made, the MBAs move in.
        • The MBAs essentially get paid to divert attention AWAY from the big investors calling the real shots behind the scenes. Everybody focuses on Jimmy J. Doe or whatever, the asshole MBA CEO who takes a once great software or hardware maker and turns it into a manufacturer of turds. It isn't Jimmy J. Doe the MBA who calls the shots - the really big investors do that behind the scenes. Jimmy J. Doe the MBA gets his salary and bonus for APPEARING to run the company. He doesn't. His job is to keep unhappy customer'
          • The investors are MBAs too. Trust me, I have worked in the industry and know all about private investment funds coming in and changing everything.
      • by epine ( 68316 )

        It is the investors BEHIND the companies that are calling the shots ...

        You know, if you track it all the way through, the Wizard of Oz has a surprise ending.

        The Man Behind the Curtain [tvtropes.org]
        Big Shadow, Little Creature [tvtropes.org]

        Greedy people do shitty things behind closed doors. News at 11.

      • So the solution would be to remove those investors?

  • by ugen ( 93902 ) on Tuesday February 12, 2019 @06:21PM (#58112046)

    So a protected execution environment is protected from the rest of the system. Works as designed, then. That's the issue with anything (like weapons) - they don't differentiate whether they are used by "good" or "bad" guys (but for practical purposes "bad" guys get a lot more use out of them because they use these tools proactively, whereas "good" guys would only use them reactively).

    • by zlives ( 2009072 )

      "(the application, the operating system, and even the hypervisor) is potentially hostile" sounds like it was designed to be used for spyware. I guess it is working as advertised.

  • by Anonymous Coward on Tuesday February 12, 2019 @06:23PM (#58112058)

    Intel: Let's develop an architecture where an application can run with full protection from anything else running on the system.

    Malware authors: *writes malware to run on architecture*

    Intel: surprisedpikachu.png

  • by Anonymous Coward

    One rock can shatter it but you don't get the benefit of looking in.

  • by bobstreo ( 1320787 ) on Tuesday February 12, 2019 @06:33PM (#58112102)

    to mine bitcoins on other peoples computers.

  • by WoodstockJeff ( 568111 ) on Tuesday February 12, 2019 @06:40PM (#58112130) Homepage

    Doing a search on how to disable SGX, I found an article on how this can be used to write secure botnets... dated 2014. It's taken this long to publicly announce that this is a "bad thing"?

  • "Researchers Use Intel SGX To Put Malware Beyond the Reach of Antivirus Software" actually sounds pretty cool from a technical point of view. Terrifying, but also cool. It would have been way cooler if the headline was "Researchers use Intel SGX to Put Operating Systems and their Associated Software Beyond the Reach of Malware" or even better, "Operating System Vendors use Intel SGX to Protect their Users from Malware"
  • Is this pretty much an every OS issue like Spectre/Meltdown?
    • by Altrag ( 195300 )

      It's in the chip so.. every Intel-based system is vulnerable. Just a question of how easy the OS makes it to abuse those powers.. and pretty much all OSes will make it easy (at least for admin/root/whatever) because that's the entire function -- you can't enable "good" uses without also enabling "bad" uses.
      Of course that only becomes relevant once average consumers care about "good" usages (playing movies or games or whatever drm crap it's actually a designed for.) Prior to that happening, consumer-foc

  • "Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware can't be analyzed or identified by antivirus software, using the processor's own features to protect the bad code"

    Well now we're fucked.

  • I clearly recall Internet Explorer being announced with "Features that make developers smile". I think this was IE6. And yes, it made all hackers laugh out loud. It made developers cry of course about the new load of attack vectors. "SGX has been promoted as a solution to a range of security concerns when a developer wants to protect code, data, or both, from prying eyes." It does not take more than two seconds to realize that this "feature" is far more beneficial to malware than to user-approved softwa
  • I feel nostalgic for the times when customer backlash forced Intel to withdraw the "Processor Serial Number" misfeature from their new Pentium III CPUs. And this was back when the x86 architecture was the undisputed king, not on the path to irrelevance like it's now.
