You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We have been analyzing several CC systems, especially the context switch implementations, to check if any security sensitive architectural state is not swapped appropriately:
Security vulnerability:
The existing context switch implementation does not swap the F-extension architectural state, or the senvcfg CSR.
This can lead to several attacks listed below, two of which have already been described here in the past (the first two in the list below).
Side-channel: An untrusted application can read information about exceptions that occur inside the confidential enclave through the fflags field in the fcsr register.
Computational integrity: An untrusted application modifies the floating point rounding mode (FRM) outside the enclave, which influences floating point computations inside the enclave.
Covert-channel: The fcsr is used to as an unintended communication channel between the untrusted OS and the enclave.
General-purpose F-ext registers: The above three attacks can also be conducted by leveraging the f0-f31 registers instead of the fcsr.
Misconfigured I/O fence operation: There is a FIOM bit in the senvcfg, which can be altered by a malicious attacker to cause race conditions in case of emulated I/O inside the enclave or to slow down the performance of the enclave.
The prior work that reported these issues already suggested some fixes in the SM or the RT to mitigate the first two attacks in the above list.
However, fixing these attacks in the SM instead of the RT provides security in both directions i.e. the enclave must be protected from the OS but the RT should not be allowed to read the ISA context of the host OS either.
Also, whenever anyone replaces the Eyrie RT with their own, having these fixes in the SM can provide defense-in-depth in case their RT does not take care of cleaning the floating point registers.
Best Regards.
The text was updated successfully, but these errors were encountered:
Hello,
We have been analyzing several CC systems, especially the context switch implementations, to check if any security sensitive architectural state is not swapped appropriately:
Security vulnerability:
The existing context switch implementation does not swap the F-extension architectural state, or the senvcfg CSR.
This can lead to several attacks listed below, two of which have already been described here in the past (the first two in the list below).
The prior work that reported these issues already suggested some fixes in the SM or the RT to mitigate the first two attacks in the above list.
However, fixing these attacks in the SM instead of the RT provides security in both directions i.e. the enclave must be protected from the OS but the RT should not be allowed to read the ISA context of the host OS either.
Also, whenever anyone replaces the Eyrie RT with their own, having these fixes in the SM can provide defense-in-depth in case their RT does not take care of cleaning the floating point registers.
Best Regards.
The text was updated successfully, but these errors were encountered: