SGX, Intel’s supposedly impregnable data fortress, has been breached yet again

Article note: The search method is neat, they found that the collection of known processor vulnerabilities in pairs (every transient execution vulnerability had a static ISA vulnerability with the same underlying mechanism)... except for one where there were only known transient attacks. So they built tools to hunt for it, and sure enough, ISA vulnerability. Which renders SGX useless (again). Demonstrating, once again, that high-complexity ISA features will cause bugs, either by implementation bugs or interactions.

Enlarge (credit: Intel)

Intel’s latest generation of CPUs contains a vulnerability that allows attackers to obtain encryption keys and other confidential information protected by the company’s software guard extensions, the advanced feature that acts as a digital vault for security users’ most sensitive secrets.

Abbreviated as SGX, the protection is designed to provide a fortress of sorts for the safekeeping of encryption keys and other sensitive data, even when the operating system or a virtual machine running on top is maliciously compromised. SGX works by creating trusted execution environments that protect sensitive code and the data it works with from monitoring or tampering by anything else on the system.

Cracks in Intel’s foundational security

SGX is a cornerstone of the security assurances many companies provide to users. Servers used to handle contact discovery for the Signal Messenger, for instance, rely on SGX to ensure the process is anonymous. Signal says running its advanced hashing scheme provides a “general recipe for doing private contact discovery in SGX without leaking any information to parties that have control over the machine, even if they were to attach physical hardware to the memory bus.”