3 min Security

Security feature in Intel chips abused to hide malware

Security feature in Intel chips abused to hide malware

Security researchers discovered a way to use Intel SGX to hide malware code so the operating system and antivirus programs can’t access it.

Intel processors are once again vulnerable to hacker abuse, although the newly discovered security problem is less serious than Spectre or Meltdown. Researchers at Graz University of Technology discovered a way to exploit Intel SGX and hide malware. Arstechnica knows that.

SGX, short for Software Guard eXtentions, is a relatively new feature that Intel has been putting into its cpus since Skylake. With SGX it is possible to create so-called enclaves. In these enclaves, code is executed in a very secure manner. Everything that goes in and out of the enclave is encrypted, and attempts to look from the outside at what’s going on in the SGX enclave are blocked at processor level.

Sensitive code

SGX is designed to run very sensitive pieces of code. Examples are the encryption of biometric data, or the use of DRM code to combat piracy. The CPU assumes that the code in the enclave must be protected at all costs, and that all other software, including the operating system, poses a potential threat. This has the side effect that antivirus software does not have access to the enclave either.

The technology effectively offers great added value and has gained in popularity in recent years. This prompted the researchers to see if they could turn the tables: would it be an option to hide rogue code in an enclave, and use the protection that the Intel CPU offers against the OS in this way?

Vulnerable despite restrictions

The short answer turns out to be yes, although it is not easy. With cpus of the eighth generation, Intel makes it a little easier to run code in enclaves, so those systems are the most vulnerable. Older processors only run code in an enclave if it has a valid certificate, and that must come from Intel itself. However, the researchers discovered that it is possible to have a reliable-looking application certified, and to use it as a kind of trojan horse to load code for ransomware malware, for example.

SGX has some other limitations. For example, code from an enclave cannot simply modify data from the protected environment. Researchers found a solution for this as well. It turns out to be perfectly possible to carry out a return oriented programming (ROP) attack, in which the code of a legitimate application is misused to make the system do other things.

Extra vicious ransomware

The researchers mainly see an application of SGX attacks within the ransomware category of malware. Such attacks could easily put the encryption of data in a SGX enclave. This makes it even more difficult to find the encryption key and counteract the attack.

Intel itself says that SGX works as intended. The technology protects the code, but does not guarantee the intentions of the code itself. In combination with the certificates, the protection against misuse of SGX is also quite good. However, it is to be hoped that Intel will take the information to heart. After all, as SGX becomes more important, and it becomes easier to create enclaves, so does the potential for abuse.

Related: The curse of Spectre: Why does it keep haunting you and Intel?

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.