SoK: How not to architect your next-generation TEE malware?

Kucuk, KA; Moyle, S; Martin, A; Mereacre, A; Allott, N

Conference item

SoK: How not to architect your next-generation TEE malware?

Abstract:: Besides Intel’s SGX technology, there are long-running discussions on how trusted computing technologies can be used to cloak malware. Past research showed example methods of malicious activities utilising Flicker, Trusted Platform Module, and recently integrating with enclaves. We observe two ambiguous methodologies of malware development being associated with SGX, and it is crucial to systematise their details. One methodology is to use the core SGX ecosystem to cloak malware; potentially affecting a large number of systems. The second methodology is to create a custom enclave not adhering to base assumptions of SGX, creating a demonstration code of malware behaviour with these incorrect assumptions; remaining local without any impact. We examine what malware aims to do in real-world scenarios and state-of-art techniques in malware evasion. We present multiple limitations of maintaining the SGX-assisted malware and evading it from anti-malware mechanisms. The limitations make SGX enclaves a poor choice for achieving a successful malware campaign. We systematise twelve misconceptions (myths) outlining how an overfit-malware using SGX weakens malware’s existing abilities. We find the differences by comparing SGX assistance for malware with non-SGX malware (i.e., malware in the wild in our paper). We conclude that the use of hardware enclaves does not increase the preexisting attack surface, enables no new infection vector, and does not contribute any new methods to the stealthiness of malware.

Publication status:: Published

Peer review status:: Peer reviewed

Actions

Email

Email this record

Send the bibliographic details of this record to your email address.

Your Email
Please enter the email address that the record information will be sent to.

-
Your message (optional)
Please add any additional information to be included within the email.
Cite

Cite this record

APA Style

Kucuk, K. A., Moyle, S., Martin, A., Mereacre, A., & Allott, N. (2023). SoK: How not to architect your next-generation TEE malware? HASP '22: Proceedings of the 11th International Workshop on Hardware and Architectural Support for Security and Privacy, 35–44.

MLA Style

Kucuk, K. A., et al. “SoK: How Not to Architect Your next-Generation TEE Malware?” HASP '22: Proceedings of the 11th International Workshop on Hardware and Architectural Support for Security and Privacy, Association for Computing Machinery, 2023, pp. 35–44.

Chicago Style

Kucuk, KA, S Moyle, A Martin, A Mereacre, and N Allott. 2023. “SoK: How Not to Architect Your next-Generation TEE Malware?” In HASP '22: Proceedings of the 11th International Workshop on Hardware and Architectural Support for Security and Privacy, 35–44. Association for Computing Machinery.
Share
Print

Access Document

Files:: Kucuk_et_al_2022_SoK_How_not.pdf

(Preview, Accepted manuscript, pdf, 561.8KB, Terms of use)

Publisher copy:: 10.1145/3569562.3569568

Authors

+ Kucuk, KA More by this author

Institution:: University of Oxford
Division:: MPLS
Department:: Computer Science
Oxford college:: Kellogg College
Role:: Author
ORCID:: 0000-0001-5484-7096

+ Moyle, S More by this author

Institution:: University of Oxford
Division:: MPLS
Department:: Computer Science
Role:: Author

+ Martin, A More by this author

Institution:: University of Oxford
Division:: MPLS
Department:: Computer Science
Role:: Author

+ Mereacre, A More by this author

Role:: Author

+ Allott, N More by this author

Role:: Author

+ InnovateUK More from this funder

Publisher:: Association for Computing Machinery
Host title:: HASP '22: Proceedings of the 11th International Workshop on Hardware and Architectural Support for Security and Privacy
Pages:: 35–44
Publication date:: 2023-09-21
Acceptance date:: 2022-09-20
Event title:: Hardware and Architectural Support for Security and Privacy (HASP 2022)
Event location:: Chicago, Illinois, USA
Event website:: https://haspworkshop.org/2022/program.html
Event start date:: 2022-10-01
Event end date:: 2022-10-01
DOI:: 10.1145/3569562.3569568
ISBN:: 978-1-4503-9871-8

Language:: English
Keywords:: malware in commodity systems

trusted execution environments (TEE)

FFR

software guard eXtensions (SGX)

malware in enclave

Evil Light Bulb (ELB) in IoT
Pubs id:: 1282780
Local pid:: pubs:1282780
Deposit date:: 2022-10-13

Terms of use

Copyright holder:: Association for Computing Machinery
Notes:: This paper was presented at the Hardware and Architectural Support for Security and Privacy (HASP 2022). 1st October 2022, Chicago, Illinois, USA. This is the accepted manuscript version of the paper. The final version is available online from Association for Computing Machinery at https://doi.org/10.1145/3569562.3569568

Licence:: Terms and Conditions of Use for Oxford University Research Archive

Views and Downloads

About views and downloads

If you are the owner of this record, you can report an update to it here: Report update to this record

Conference item

SoK: How not to architect your next-generation TEE malware?

Actions

Access Document

Authors

Terms of use

Views and Downloads

Altmetrics

Dimensions

Conference item

SoK: How not to architect your next-generation TEE malware?

Actions

Access Document

Authors

Funding

Bibliographic Details

Item Description

Terms of use

Metrics

Views and Downloads

Altmetrics

Dimensions