Intel SGX: Not So Safe After All, ÆPIC Leak

Intel’s Software Guard Extensions (SGX) sounded like such a good idea back in 2015. This set of CPU instructions lets programmers set up protected, encrypted private memory regions, called enclaves, in which code and data are decrypted only inside the processor, as needed. Oh well, it was a nice idea while it lasted. Over half a dozen vulnerabilities, including one Spectre variant, soon appeared. And now, at the 2022 Black Hat security conference, another CPU-based security hole has been uncovered: ÆPIC Leak.
This one, dug up by European graduate students and an AWS researcher, is a new architectural bug in Intel CPUs that leaks data without using a side channel. It’s, in a word, “Bad!”
Affected CPUs
According to the researchers, exploits built on their discovery can leak secrets from most 10th, 11th, and 12th generation Intel CPUs. That covers the Sunny Cove microarchitecture parts, such as Intel’s 10th generation Ice Lake CPUs and its current third generation Xeon Scalable server CPUs (Ice Lake SP), as well as the newer 12th generation Alder Lake CPUs, whose performance cores use Golden Cove. Intel, however, claims that the Alder Lake CPUs aren’t affected.
ÆPIC Leak works through the memory-mapped I/O (MMIO) region of the local Advanced Programmable Interrupt Controller (APIC). Reading undefined parts of that region returns stale data from the superqueue, the buffer that sits between the L2 cache and the last-level cache, and that stale data can include SGX enclave data. An attacker can target data in use, such as register values and memory loads, and data at rest, e.g., SGX enclave data pages. The researchers’ end-to-end attack extracts AES-NI keys, RSA keys, and even SGX attestation keys from enclaves within a few seconds.
Unlike the infamous transient execution attacks Meltdown and Spectre, ÆPIC Leak is an architectural bug: the leaked bytes are returned directly by the CPU. An attacker can get to the sensitive data without relying on a noisy side channel, which potentially makes attacks easier to pull off.
Good News
The good news is that pulling such an attack off requires admin or root privilege, because only the kernel can map and read the APIC’s MMIO page. In addition, on clouds with virtual machines (VMs), hypervisors don’t give guests direct access to the host hardware’s APIC. So the nightmare scenario, one cloud tenant cracking another’s VMs, shouldn’t happen.
It’s a different story for systems that use SGX enclaves as secure, isolated environments. The researchers describe two techniques, Cache Line Freezing and Enclave Shaking, that snatch AES-NI and RSA keys from Intel’s IPP cryptography library, as well as the Intel SGX sealing and remote attestation keys.
Fixing the Problem
Intel is working on fixing this problem. It begins with an updated Intel SGX Software Development Kit (SDK) that helps mitigate potential exposure. Intel also recommends that users update to the latest firmware. Updated microcode to address the problem is already shipping for Linux. The Trusted Computing Base (TCB) recovery for ÆPIC Leak, however, won’t be available until March 7, 2023.
That’s all to the good, but I agree with the researchers: “The only short-term mitigations for ÆPIC Leak are to disable APIC MMIO or not rely on SGX.”
While its Common Vulnerability Scoring System (CVSS) score is only 6.0, for people who rely on SGX for security, it’s much nastier.
It’s also worth pointing out that Intel has already deprecated SGX on some processor families. That deprecation has already caused one unexpected side effect: consumer users of Intel’s 11th and 12th-gen CPUs can’t watch UHD Blu-ray content in 4K, because the discs’ digital rights management (DRM) “protection” won’t work without SGX. It’s possible that enterprise software programs will also have trouble without SGX.
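Two questions a Linux administrator will want answered after reading the affected-CPU list and the “disable APIC MMIO” advice are whether a given host’s CPU falls in one of the named families and whether its APIC is actually running in xAPIC (MMIO) mode, the mode the leak needs, rather than x2APIC (MSR) mode. The read-only triage script below is an added example, written for this page; it is not code from the article or from the ÆPIC Leak researchers. The family/model table is the editor’s own mapping of the parts the article names (Ice Lake, Ice Lake SP, Tiger Lake, Rocket Lake, Alder Lake) and should be confirmed against Intel’s advisory for CVE-2022-21233 before anyone relies on it; the `rdmsr` call assumes the `msr-tools` package and root.

```shell
#!/bin/sh
# Added example (not from the article or the researchers): a read-only
# ÆPIC Leak triage script for Linux hosts.

# Classify an Intel family/model pair (decimal, as /proc/cpuinfo prints them).
# ASSUMPTION: this table is the editor's mapping of the parts the article
# names; check it against Intel's advisory for CVE-2022-21233 before use.
# Prints a label; returns 0 if the researchers list the part as affected.
aepic_affected_model() {
    fam=$1; mod=$2
    [ "$fam" = 6 ] || { echo "not-intel-family-6"; return 1; }
    case "$mod" in
        125|126) echo "ice-lake-client (affected)";  return 0 ;;   # 0x7D, 0x7E
        106|108) echo "ice-lake-server (affected)";  return 0 ;;   # 0x6A, 0x6C
        140|141) echo "tiger-lake (affected)";       return 0 ;;   # 0x8C, 0x8D
        167)     echo "rocket-lake (affected)";      return 0 ;;   # 0xA7
        151|154) echo "alder-lake (researchers: affected; Intel: not affected)"; return 0 ;;  # 0x97, 0x9A
        *)       echo "model-$mod (not in list)";    return 1 ;;
    esac
}

# Decode IA32_APIC_BASE (MSR 0x1B): bit 11 is the APIC global-enable flag,
# bit 10 (EXTD) selects x2APIC mode. Accepts the raw hex rdmsr prints,
# with or without a 0x prefix. Prints x2apic, xapic or disabled.
# xAPIC mode means APIC registers are reached through MMIO, the path
# the leak uses; x2APIC mode routes them through MSRs instead.
apic_mode_from_msr() {
    raw=$1
    case "$raw" in 0x*|0X*) ;; *) raw="0x$raw" ;; esac
    en=$(( ($raw >> 11) & 1 ))
    extd=$(( ($raw >> 10) & 1 ))
    if [ "$en" -eq 0 ]; then
        echo disabled
    elif [ "$extd" -eq 1 ]; then
        echo x2apic
    else
        echo xapic
    fi
}

# Live check of the current host: CPU family/model from /proc/cpuinfo,
# APIC mode from MSR 0x1B on CPU 0 (needs msr-tools and root).
check_this_host() {
    fam=$(awk -F': *' '/^cpu family/ {print $2; exit}' /proc/cpuinfo)
    mod=$(awk -F': *' '/^model[[:space:]]*:/ {print $2; exit}' /proc/cpuinfo)
    label=$(aepic_affected_model "$fam" "$mod") || true
    printf 'CPU family %s model %s: %s\n' "$fam" "$mod" "$label"
    if command -v rdmsr >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        msr=$(rdmsr -p 0 0x1b 2>/dev/null) || true
        [ -n "$msr" ] && printf 'APIC mode: %s\n' "$(apic_mode_from_msr "$msr")"
    else
        echo "APIC mode: install msr-tools and run as root to read IA32_APIC_BASE"
    fi
    return 0
}

# Only attempt the live check where /proc/cpuinfo exists.
if [ -r /proc/cpuinfo ]; then
    check_this_host
fi
```

A host that reports an affected model and `xapic` is the case the researchers’ quote is about: short of moving to x2APIC (so the APIC MMIO page is no longer in use) and applying Intel’s microcode and SGX SDK updates, the only remaining option is to stop relying on SGX on that machine. A result of `x2apic` does not by itself prove a system safe; it only shows the MMIO path is not the one in use.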