[Image: Fingerprint scanner. (c) ar130405 / Pixabay]

Danger to Sensitive Data

Security researchers from paluno, the Ruhr Institute for Software Technology at the University of Duisburg-Essen, have revealed multiple vulnerabilities in security-critical software running in the protected memory areas of modern Intel processors. In the worst case, an attacker could inject malicious behavior into sensitive programs, for example the software of fingerprint scanners. With the researchers' help, several vendors have already patched their software.

On Intel's recent processors, application developers can create specially protected memory areas, so-called enclaves, using the Intel Software Guard Extensions (Intel SGX). SGX uses hardware-based memory encryption and access control to shield selected memory contents from the rest of the system. Even if spyware were to infect the system, an attacker could in principle not access the data or code inside the enclave. SGX is therefore well suited to building a trusted execution environment in the cloud or, for example, to processing biometric data on a computer. This protection holds only if SGX is used correctly: the hardware isolates the enclave, but it cannot compensate for bugs in the enclave's own code.

In almost all of the publicly available enclaves they examined, the paluno team led by Professor Lucas Davi was able to discover vulnerabilities and construct proof-of-concept exploits. The researchers identified errors in sample code from Intel and Baidu/Apache that is meant to serve as guidance for writing secure enclaves. Security gaps were also uncovered in two SGX-protected fingerprint drivers from Synaptics (CVE-2019-18619) and Goodix (CVE-2020-11667). This is particularly critical because these drivers are used on current notebooks from Lenovo, Dell and HP to process biometric data. The enclave of the Signal messenger, by contrast, withstood the researchers' attacks.

The results were reported to the affected vendors in November 2019. The vendors have since fixed the errors in their enclave code, and the fixes for the fingerprint drivers have been shipped via Windows updates. The paluno researchers will present the technical details of the proof-of-concept exploits on August 12, 2020 at the USENIX Security 2020 conference.

How did the scientists discover the vulnerabilities?

The researchers developed a tool called TeeRex, a framework for analyzing SGX enclaves in order to identify vulnerabilities and construct proof-of-concept exploits. TeeRex symbolically executes the enclave's binary code, starting at the interface between the enclave and the rest of the system (the ECALLs through which untrusted host code passes arguments into the enclave), so no source code is required. The analyses have shown that many enclaves contain memory-safety bugs at this boundary, typically host-supplied pointers that are used without checking whether they point outside the enclave, which let an attacker corrupt function pointers or perform arbitrary memory reads and writes. An attacker who controls the host can thus gain complete control of the enclave, including the data it was meant to protect.
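To make the bug class concrete, here is an added example written for this page; it is not code from TeeRex, from the paper, or from any of the vendor enclaves mentioned above. It simulates an enclave in plain C: enclave memory is a static struct standing in for the enclave's address range, and the Intel SGX SDK helper sgx_is_outside_enclave() is replaced by a local is_outside_enclave() with the same contract (true only if the whole range lies outside enclave memory). The ECALL names, the scratch buffer, the callback and the host buffer are invented for the illustration. The host passes an output pointer that points into the enclave; the unchecked ECALL overwrites an enclave function pointer with host-chosen bytes, while the hardened ECALL rejects the pointer.

```c
/*
 * Added example: simulation of an ECALL that trusts a host-supplied pointer.
 * NOT from TeeRex or any vendor enclave. Enclave memory is modelled by a
 * static struct; is_outside_enclave() mirrors the contract of the SGX SDK's
 * sgx_is_outside_enclave(). Build: cc -std=c11 -Wall ecall_ptr.c && ./a.out
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void (*callback_t)(void);

/* Simulated enclave memory (stand-in for the enclave's address range). */
struct enclave_state {
    uint8_t    scratch[32];   /* data the host may legitimately fill */
    callback_t on_done;       /* enclave-internal function pointer */
};
static struct enclave_state enclave;

/* Legitimate host buffer, outside the simulated enclave. */
static uint8_t host_buf[32];

/* Records which callback ran: 1 = trusted, 2 = attacker-controlled. */
static int last_callback;
static void trusted_callback(void)  { last_callback = 1; }
static void attacker_callback(void) { last_callback = 2; }

/* Same contract as sgx_is_outside_enclave(): true iff [p, p+len) lies
 * entirely outside enclave memory. Also rejects address wrap-around. */
bool is_outside_enclave(const void *p, size_t len) {
    uintptr_t start = (uintptr_t)p, end = start + len;
    uintptr_t lo = (uintptr_t)&enclave, hi = lo + sizeof enclave;
    if (end < start) return false;
    return end <= lo || start >= hi;
}

void enclave_init(void) {
    memset(&enclave, 0, sizeof enclave);
    enclave.on_done = trusted_callback;
    last_callback = 0;
}

/* ECALL 1: host supplies input. Copying FROM an untrusted pointer into the
 * enclave is fine as long as the length is bounded. */
int ecall_set_scratch(const uint8_t *src, size_t len) {
    if (len > sizeof enclave.scratch) return -1;
    memcpy(enclave.scratch, src, len);
    return 0;
}

/* ECALL 2, vulnerable: results are copied to a host buffer without checking
 * where that buffer is. If dst points INTO the enclave, the enclave
 * overwrites its own memory with bytes the host staged via ECALL 1. */
int ecall_get_scratch_vuln(uint8_t *dst, size_t len) {
    if (len > sizeof enclave.scratch) return -1;
    memcpy(dst, enclave.scratch, len);
    return 0;
}

/* ECALL 2, hardened: refuse any output range overlapping enclave memory. */
int ecall_get_scratch_safe(uint8_t *dst, size_t len) {
    if (len > sizeof enclave.scratch) return -1;
    if (!is_outside_enclave(dst, len)) return -2;
    memcpy(dst, enclave.scratch, len);
    return 0;
}

/* ECALL 3: later enclave logic uses the function pointer. */
int ecall_run_callback(void) {
    enclave.on_done();
    return last_callback;
}

/* Benign use: export to a real host buffer; the hardened ECALL accepts it. */
int export_to_host(void) {
    enclave_init();
    return ecall_get_scratch_safe(host_buf, sizeof host_buf);
}

/* Host-side attack: stage the bytes of a function address in scratch, then
 * ask the enclave to "export" them onto its own on_done pointer. Returns
 * which callback ran afterwards (1 = hijack failed, 2 = hijack succeeded).
 * In real SGX the target would have to be a gadget inside the enclave. */
int simulate_attack(bool hardened) {
    enclave_init();
    callback_t evil = attacker_callback;
    uint8_t payload[sizeof evil];
    memcpy(payload, &evil, sizeof evil);
    ecall_set_scratch(payload, sizeof payload);
    uint8_t *target = (uint8_t *)&enclave.on_done;   /* inside the enclave */
    if (hardened)
        ecall_get_scratch_safe(target, sizeof evil);
    else
        ecall_get_scratch_vuln(target, sizeof evil);
    return ecall_run_callback();
}

int main(void) {
    printf("unchecked pointer : callback %d ran\n", simulate_attack(false));
    printf("checked pointer   : callback %d ran\n", simulate_attack(true));
    return 0;
}
```

In a real enclave the corrupted pointer would have to be redirected to code inside the enclave (a gadget), because the processor refuses to execute non-enclave memory in enclave mode; the simulation simply uses a second local function to make the hijack observable. The same check (sgx_is_outside_enclave(), or the [in]/[out] annotations in the EDL file from which the SDK's edger8r tool generates it) must be applied to every pointer and every pointer-containing struct that crosses the ECALL boundary, and the pointed-to data should be copied into the enclave before it is used, so the host cannot change it between check and use.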

Further Information

The paper will be published at the 29th USENIX Security Symposium (until August 12, 2020 only the abstract is available):

https://www.usenix.org/conference/usenixsecurity20/presentation/cloosters

More information on the research (Pre-Print, PoC Exploits): https://www.syssec.wiwi.uni-due.de/en/research/research-projects/

Dell Security Advisory: https://www.dell.com/support/article/SLN321807

HP Security Advisory: https://support.hp.com/hk-en/document/c06696568

Synaptics Security Advisory: https://www.synaptics.com/sites/default/files/fingerprint-driver-SGX-security-brief-2020-07-14.pdf

Contact

Prof. Dr. Lucas Davi, E-Mail: lucas.davi(at)uni-due.de, Tel.: +49 201 18-36445