In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine. However, the hypervisor does not protect tenants against the cloud provider and thus the supplied operating system and hardware. Intel SGX provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers.

In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works although in SGX enclaves there are no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces within 5 minutes.