Abstract:
Enclave platforms like Intel SGX, Sanctum and Keystone promise attractive security guarantees but have not always lived up to their billing, mostly due to side-channel leaks in platform implementations. A particularly important side-channel in these platforms has been the page fault side-channel. This side channel has proven to be particularly problematic because it is deterministic and controllable by a malicious operating system. This paper presents a new attack on the page fault channel that works on the state-of-art proposal for secure demand paging in enclaves (InvisiPage, ISCA'19). The insight behind the attack is that even if the exact page fault addresses are hidden, the adversary may be able to infer the interval between when a page is evicted from an enclave and when it is fetched back into the enclave. Our evaluation shows this leak is sufficient to: (i) identify which application is being executed in an enclave, (ii) infer confidential details about the inputs to the application, and (iii) function as a covert channel between an untrusted enclave application and a malicious operating system.
