Home

Awesome

TeeJam

In TeeJam, we revisit and carefully analyze the 4k-aliasing effect. By combining 4k-aliasing with a high temporal resolution possible when single-stepping an SGX enclave, we construct a very precise, yet widely applicable attack with sub-cache-line leakage resolution. To demonstrate the significance of our findings, we apply the new attack primitive to break a hardened AES T-Table implementation that features constant cache line access patterns. The attack is up to three orders of magnitude more efficient than previous sub-cache-line attacks on AES in SGX.

Furthermore, we improve upon our previous work which showed partial exploitability of very faint leakages in a utility function loading base64-encoded RSA keys. We build an end-to-end attack exploiting the faint leakage that can recover 4096-bit keys in minutes on a laptop. Finally, we extend the key recovery algorithm to also work for RSA keys following the standard that uses Carmichael’s totient function, while previous attacks were restricted to RSA keys using Euler’s totient function.

This repository contains all code for the microarchitectural attacks and the reconstruction of the AES key. The RSA key reconstruction code for the attack on the base64 decoding can be found in this repo.

Prerequisites

System configuration

For SGX-Step to work properly a few kernel command line parameters have to be set. We went with the following line:

GRUB_CMDLINE_LINUX_DEFAULT="nox2apic iomem=relaxed no_timer_check nmi_watchdog=0 clearcpuid=514 pti=off rcuupdate.rcu_cpu_stall_suppress=1 msr.allow_writes=on vdso=0 intel_idle.max_cstate=1 processor.max_cstate=1 apparmor=0 isolcpus=0,1,4,5 nosmap nosmep

Isolating two cores for victim and attacker is sufficient.

Additionally we disabled

in the BIOS.

Then we set the CPU frequency and load the SGX-Step kernel module. For these steps we prepared the script local_setup.sh. Additionally it the script disables some prefetchers that can be configured via MSR. Please adapt the script to the number of cores of your processor.

Build and configure sgx-step

Usage

Remark 1: For each experiment / attack the attacking core must be adapted to be the hyperthread of the victim core (ATTACKER_CPU in ht_attack/src/c/main.c) Remark 2: Adjust the step_time_min / max thresholds in the analysis scripts to match the measurements on your platform to filter outliers Remark 3: Configuring the correct timer value for SGX-Step sometimes proofs tricky, especially with an attack continously spamming the hyperthread with memory writes. If one of the examples blows gets stuck in the first iteration, just restarting the attack usually helps (if the timeout is otherwise correctly configured)

The basic experiment

The basic experiment will access two addresses alternatingly and concurrently run another thread which causes a 4k-aliasing conflict to one of the addresses. The resulting log file can be plotted to visualize the introduced delay. The first parameter to the executable sets the log file's name and the second allows to change the analyzed page offset.

Attack on base64 decoding

Attack on cache-line protected AES T-Table encryption

Our paper

When citing our work, please use the following data:

@article{tches_SieckZBCEY24,
  author       = {Florian Sieck and
                  Zhiyuan Zhang and
                  Sebastian Berndt and
                  Chitchanok Chuengsatiansup and
                  Thomas Eisenbarth and
                  Yuval Yarom},
  title        = {TeeJam: Sub-Cache-Line Leakages Strike Back},
  journal      = {{IACR} Trans. Cryptogr. Hardw. Embed. Syst.},
  volume       = {2024},
  number       = {1},
  pages        = {457--500},
  year         = {2024},
  url          = {https://doi.org/10.46586/tches.v2024.i1.457-500},
  doi          = {10.46586/TCHES.V2024.I1.457-500},
}