https://github.com/sslab-gatech/branch-shadowing

The branch shadowing attack: Proof of concept
https://github.com/sslab-gatech/branch-shadowing

Last synced: 9 months ago
JSON representation

The branch shadowing attack: Proof of concept

• Host: GitHub
• URL: https://github.com/sslab-gatech/branch-shadowing
• Owner: sslab-gatech
• License: mit
• Created: 2018-03-30T14:51:59.000Z (almost 8 years ago)
• Default Branch: master
• Last Pushed: 2018-03-30T19:51:05.000Z (almost 8 years ago)
• Last Synced: 2025-03-21T15:45:24.488Z (10 months ago)
• Language: C++
• Size: 68.4 KB
• Stars: 11
• Watchers: 16
• Forks: 7
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# The branch shadowing attack

*Branch shadowing* is a side-channel attack on Intel Software Guard Extensions

(SGX) that can reveal fine-grained control flows (branch granularity) in an SGX

enclave. This attack is possible because SGX does not clear branch history when

switching from enclave to non-enclave mode, leaving fine-grained branch

direction traces for the outside world to observe, resulting in an accurate

branch-prediction-based side channel.

This repository contains *partial* proof-of-concept code snippets of the branch

shadowing attack, including

 1. A modified Linux SGX driver (*mal-sgx-driver*) to execute and monitor

colliding branch instructions with Last Branch Record (LBR) trace

 2. Kernel patch (*linux-kernel*) and Local Advanced Programmable Interrupt

Controller (LAPIC) module (*lapic-freq-module*) to manipulate timer interrupt

frequency

 3. A kernel module to disable L1/L2 cache (*disable-cache-module*)

 

## More details

* Paper (**USENIX Security 2017**):

  https://gts3.org/assets/papers/2017/lee:sgx-branch-shadow.pdf

* Slides: https://gts3.org/assets/papers/2017/lee:sgx-branch-shadow-slides.pdf

* Talk: https://www.youtube.com/watch?v=XyvZDIIeLZI

## Demo

### Attacking RSA exponentiation

https://www.youtube.com/watch?v=jf9PanlF374

## Note

We **DO NOT** release an end-to-end, fully automated attack and our target

program. This is because, currently, our attack needs a lot of manual efforts

especially for aligning target and attack branch instructions. However, it does

not mean that our attack cannot be automated; with (a lot of) engineering

efforts, we believe that our attack can be fully automated.

We have a plan to release a fully-automated version of the branch shadowing

attack, but it will not be released in the near future.

Also, the current code attacks target branch instructions when an enclave

terminates for simplicity and manageability. Revising the code to attack

targets for every timer interrupt is an easy task.

## Contributors

* [Sangho Lee]

* [Ming-Wei Shih] 

* Prasun Gera

* [Taesoo Kim]

* [Hyesoon Kim] 

* [Marcus Peinado]

[Sangho Lee]: 

[Ming-Wei Shih]: 

[Taesoo Kim]: 

[Hyesoon Kim]: 

[Marcus Peinado]: