Table of Contents
Fetching ...

The Real Menace of Cloning Attacks on SGX Applications

Annika Wilde, Samira Briongos, Claudio Soriente, Ghassan Karame

TL;DR

The paper investigates cloning attacks on SGX applications, revealing that roughly 20% of 72 analyzed proposals are vulnerable to forking via enclave cloning. It introduces a three-category taxonomy of cloning attacks—FIm on in-memory KVS, ForKVS on persistent KVS, and BUG breaking proxy unlinkability—and demonstrates concrete attack scenarios across representative systems. Despite existing rollback mitigations like monotonic counters, cloning remains feasible on the same host due to shared sealing keys, and many designs lack proper cloning defenses or even adequate design documentation. The study highlights the practical risks to real-world SGX deployments, especially database-oriented services, and underscores the need for practical, scalable defenses such as detection mechanisms (e.g., CloneBuster) and architecture-level safeguards to prevent cloning-induced inconsistencies and privacy leaks.

Abstract

Trusted Execution Environments (TEEs) are gaining popularity as an effective means to provide confidentiality in the cloud. TEEs, such as Intel SGX, suffer from so-called rollback and cloning attacks (often referred to as forking attacks). Rollback attacks are enabled by the lack of freshness guarantees for sealed data; cloning attacks stem from the inability to determine if other instances of an enclave are running on the same platform. While rollback attacks have been extensively studied by the community, cloning attacks have been, unfortunately, less investigated. To address this gap, we extensively study and thoroughly analyze the susceptibility of 72 SGX-based proposals to cloning attacks. Our results show that roughly 20% of the analyzed proposals are insecure against cloning attacks-including those applications that rely on monotonic counters and are, therefore, secure against rollback attacks.

The Real Menace of Cloning Attacks on SGX Applications

TL;DR

The paper investigates cloning attacks on SGX applications, revealing that roughly 20% of 72 analyzed proposals are vulnerable to forking via enclave cloning. It introduces a three-category taxonomy of cloning attacks—FIm on in-memory KVS, ForKVS on persistent KVS, and BUG breaking proxy unlinkability—and demonstrates concrete attack scenarios across representative systems. Despite existing rollback mitigations like monotonic counters, cloning remains feasible on the same host due to shared sealing keys, and many designs lack proper cloning defenses or even adequate design documentation. The study highlights the practical risks to real-world SGX deployments, especially database-oriented services, and underscores the need for practical, scalable defenses such as detection mechanisms (e.g., CloneBuster) and architecture-level safeguards to prevent cloning-induced inconsistencies and privacy leaks.

Abstract

Trusted Execution Environments (TEEs) are gaining popularity as an effective means to provide confidentiality in the cloud. TEEs, such as Intel SGX, suffer from so-called rollback and cloning attacks (often referred to as forking attacks). Rollback attacks are enabled by the lack of freshness guarantees for sealed data; cloning attacks stem from the inability to determine if other instances of an enclave are running on the same platform. While rollback attacks have been extensively studied by the community, cloning attacks have been, unfortunately, less investigated. To address this gap, we extensively study and thoroughly analyze the susceptibility of 72 SGX-based proposals to cloning attacks. Our results show that roughly 20% of the analyzed proposals are insecure against cloning attacks-including those applications that rely on monotonic counters and are, therefore, secure against rollback attacks.
Paper Structure (19 sections, 12 figures, 1 table)

This paper contains 19 sections, 12 figures, 1 table.

Figures (12)

  • Figure 1: Overview of an SGX-backed in-memory key-value store if it operates in a benign setting.
  • Figure 2: Overview of a generic FIm attack on an SGX-backed in-memory key-value store.
  • Figure 3: Overview of the main functions exposed by the Aria enclave and its interactions with clients.
  • Figure 4: Overview of a cloning attack against Aria enclaves.
  • Figure 5: Overview of the interaction of a persistent key-value store with a client in a benign setting.
  • ...and 7 more figures