No Forking Way: Detecting Cloning Attacks on Intel SGX Applications

Samira Briongos, Ghassan Karame, Claudio Soriente, Annika Wilde
2023-10-05
Abstract: Forking attacks against TEEs like Intel SGX can be carried out either by rolling back the application to a previous state, or by cloning the application and by partitioning its inputs across the cloned instances. Current solutions to forking attacks require Trusted Third Parties (TTP) that are hard to find in real-world deployments. In the absence of a TTP, many TEE applications rely on monotonic counters to mitigate forking attacks based on rollbacks; however, they have no protection mechanism against forking attack based on cloning. In this paper, we analyze 72 SGX applications and show that approximately 20% of those are vulnerable to forking attacks based on cloning - including those that rely on monotonic counters. To address this problem, we present CloneBuster, the first practical clone-detection mechanism for Intel SGX that does not rely on a TTP and, as such, can be used directly to protect existing applications. CloneBuster allows enclaves to (self-) detect whether another enclave with the same binary is running on the same platform. To do so, CloneBuster relies on a cache-based covert channel for enclaves to signal their presence to (and detect the presence of) clones on the same machine. We show that CloneBuster is robust despite a malicious OS, only incurs a marginal impact on the application performance, and adds approximately 800 LoC to the TCB. When used in conjunction with monotonic counters, CloneBuster allows applications to benefit from a comprehensive protection against forking attacks.
Cryptography and Security
What problem does this paper attempt to address?
This paper primarily addresses the issue of clone attacks in the Intel SGX (Software Guard Extensions) environment.

### Problem the Paper Attempts to Solve

The paper aims to solve the problem of **clone attacks** faced by Intel SGX applications. These attacks involve duplicating (cloning) an application instance and distributing inputs among these cloned instances, thereby posing a threat to the application's security. Current solutions often rely on a Trusted Third Party (TTP), but such entities are difficult to find in practical deployments. Additionally, while some applications use monotonic counters to resist rollback-based fork attacks, they remain vulnerable to clone-based fork attacks.

### Main Contributions

1. **Analysis and Findings**: The authors analyzed 72 SGX-based applications and found that approximately 20% of the applications are susceptible to clone-based fork attacks, including those that use monotonic counters to prevent rollback attacks.
2. **Proposal of CloneBuster**: To address this issue, the authors proposed CloneBuster—the first practical clone detection mechanism that does not rely on a Trusted Third Party. CloneBuster allows SGX enclaves to self-detect whether other enclaves with the same binary code are running on the same platform. It utilizes cache-based covert channel techniques for presence signaling and detection between enclaves.
3. **Security and Efficiency**: CloneBuster can effectively detect the presence of cloned enclaves in a malicious operating system environment with minimal impact on application performance, adding only about 800 lines to the Trusted Computing Base (TCB). When combined with monotonic counters, CloneBuster can provide comprehensive protection against all types of fork attacks.
4. **Case Study**: The paper also details how to implement a clone-based fork attack on BI-SGX, a production-grade SGX application, even though the application already uses monotonic counters to prevent rollback attacks. This further demonstrates that relying solely on monotonic counters is insufficient to fully defend against fork attacks.
5. **Prototype Implementation and Evaluation**: The authors implemented a prototype of CloneBuster and evaluated it under real workloads. The results show that CloneBuster can achieve a high detection rate (F1 score up to 0.999) with a maximum performance impact of only 4%.

### Conclusion

This paper proposes CloneBuster, a detection mechanism that does not require the involvement of a Trusted Third Party, to address the issue of clone attacks in the Intel SGX environment. This mechanism is not only effective but also efficient, significantly enhancing the security of existing SGX applications, especially those that rely on monotonic counters to prevent rollback attacks.