Researchers Break Intel SGX With New 'SmashEx' CPU Attack Technique (Security News, October 2021)
The vulnerability was discovered by a group of academics from ETH Zurich, the National University of Singapore, and the Chinese National University of Defense Technology in early May 2021, who used it to stage a confidential data disclosure attack called "SmashEx" that can corrupt private data housed in the enclave and break its integrity.
Introduced with Intel's Skylake processors, SGX allows developers to run selected application modules in a completely isolated secure compartment of memory, called an enclave or a Trusted Execution Environment, which is designed to be protected from processes running at higher privilege levels like the operating system.
"For normal functioning, the SGX design allows the OS to interrupt the enclave execution through configurable hardware exceptions at any point," the researchers outlined.
"This feature enables enclave runtimes to support in-enclave exception or signal handling, but it also opens up enclaves to re-entrancy bugs. SmashEx is an attack which exploits enclave SDKs which do not carefully handle re-entrancy in their exceptional handling safely."
Since SmashEx affects runtimes that support in-enclave exception handling, the researchers noted that "such OCALL return flow and the exception handling flow should be written with care to ensure that they interleave safely," and that "when the OCALL return flow is interrupted, the enclave should be in a consistent state for the exception handling flow to progress correctly, and when the exception handling flow completes, the enclave state should also be ready for the enclave to resume."
"Asynchronous exception handling is a commodity functionality for real-world applications today, which are increasingly utilizing enclaves," the researchers said, adding that the research highlights "the importance of providing atomicity guarantees at the OS-enclave interface for such exceptions."
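The interleaving the researchers describe is easier to see in a small state-machine model. The following C program is an added illustration written for this article; it is not code from the SmashEx paper or from any SGX SDK, and every name in it (`enclave_thread`, the `OUTSIDE`/`RESTORING`/`INSIDE` states, the `ENCLAVE_BASE` range, the sample stack pointers) is constructed for the model. It contrasts an OCALL return path that declares the thread "inside" before its trusted stack pointer is restored with one that publishes an explicit intermediate state the in-enclave exception entry refuses to run in, which is the atomicity guarantee the quoted passage calls for.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one enclave thread at the OS-enclave interface. */
enum thread_state { OUTSIDE = 0, RESTORING = 1, INSIDE = 2 };

/* Outcome of an asynchronous exception delivered to the enclave. */
typedef enum { NO_EXCEPTION = 0, HANDLED = 1, DEFERRED = 2, CORRUPTED = 3 } deliver_result;

#define ENCLAVE_BASE  0x1000u   /* constructed: pretend enclave address range */
#define ENCLAVE_LIMIT 0x2000u

typedef struct {
    _Atomic int state;     /* OUTSIDE / RESTORING / INSIDE, visible to the handler */
    uint64_t sp;           /* stack pointer the exception entry will trust */
    uint64_t trusted_sp;   /* saved in-enclave stack pointer to restore on OCALL return */
    int corrupted;         /* set when an exception record lands outside the enclave */
} enclave_thread;

static void thread_init(enclave_thread *t) {
    atomic_store(&t->state, OUTSIDE);
    t->trusted_sp = ENCLAVE_BASE + 0x800;  /* constructed trusted stack */
    t->sp = 0x7000;                        /* constructed untrusted stack used during the OCALL */
    t->corrupted = 0;
}

static bool in_enclave(uint64_t addr) {
    return addr >= ENCLAVE_BASE && addr < ENCLAVE_LIMIT;
}

/* In-enclave exception entry. It trusts t->sp as the enclave stack and pushes an
 * exception record there. Refusing to run while RESTORING is the re-entrancy guard. */
static deliver_result deliver_exception(enclave_thread *t) {
    int s = atomic_load(&t->state);
    if (s == OUTSIDE || s == RESTORING)
        return DEFERRED;                   /* enclave state not consistent: do not re-enter */
    if (!in_enclave(t->sp)) {              /* INSIDE but sp is not the trusted stack */
        t->corrupted = 1;
        return CORRUPTED;                  /* record would be written outside enclave memory */
    }
    t->sp -= 8;                            /* push the record on the trusted stack */
    return HANDLED;
}

/* Unsafe OCALL return: marks the thread INSIDE before sp is restored, so an
 * exception delivered in the window sees a half-restored frame. */
static deliver_result ocall_return_unsafe(enclave_thread *t, bool exception_in_window) {
    deliver_result r = NO_EXCEPTION;
    atomic_store(&t->state, INSIDE);
    if (exception_in_window) r = deliver_exception(t);   /* window between the two steps */
    t->sp = t->trusted_sp;
    return r;
}

/* Safe OCALL return: the intermediate RESTORING state is published first, the
 * frame is restored, and only then is the thread declared INSIDE. */
static deliver_result ocall_return_safe(enclave_thread *t, bool exception_in_window) {
    deliver_result r = NO_EXCEPTION;
    atomic_store(&t->state, RESTORING);
    if (exception_in_window) r = deliver_exception(t);   /* same window: now deferred */
    t->sp = t->trusted_sp;
    atomic_store(&t->state, INSIDE);
    return r;
}

int main(void) {
    enclave_thread t;
    thread_init(&t);
    printf("unsafe return, exception in window: result=%d corrupted=%d\n",
           ocall_return_unsafe(&t, true), t.corrupted);
    thread_init(&t);
    printf("safe return, exception in window:   result=%d corrupted=%d\n",
           ocall_return_safe(&t, true), t.corrupted);
    printf("exception after safe return:        result=%d\n", deliver_exception(&t));
    return 0;
}
```

The single handler serves both return paths; what changes is whether the return path ever exposes an intermediate state. A real runtime would re-deliver or queue a deferred exception rather than drop it, but the model's point is only that the handler must never observe a thread that is marked inside with a frame that has not yet been restored.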