PortPrint: Identifying Inaccessible Code with Port Contention
Tristan Hornetz, Michael Schwarz

Introduction

PortPrint uses CPU port contention side channels to identify code it cannot read, including which software versions are present and whether known vulnerabilities are in the build. It works despite execute-only memory (XOM) and trusted execution environments such as Intel SGX, revealing details of the cryptographic code they protect even though the code itself is never disclosed.

Abstract

In many real-world scenarios, being able to infer specific software versions or variations of cryptographic libraries is critical to mounting targeted exploits. For this, traditional version-detection approaches often rely on direct inspection of programs. However, modern computing platforms frequently employ protection for code, e.g., using execute-only memory (XOM) or trusted execution environments (TEE) to safeguard sensitive code from disclosure and reverse engineering. This paper demonstrates how side-channel measurements via CPU port contention reveal distinctive execution signatures, even when code is inaccessible for inspection. Our proof-of-concept implementation PortPrint identifies cryptographic functions, reveals library versions, and even uncovers whether a WolfSSL build is vulnerable to CVE-2024-1544 or if Spectre mitigations are active in Xen. We verify that PortPrint works despite state-of-the-art code protection mechanisms, such as memory protection keys, hypervisor-based XOM, Intel SGX, Intel TDX, and AMD SEV. We also report a negative result for leaking code protected with these techniques using Meltdown and Foreshadow, providing valuable insights into the limitations of these attacks. Our results show that hardware-based isolation is insufficient to conceal instruction streams.
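The abstract's central step is turning a contention measurement into a code identity: a probe repeatedly times a short instruction sequence that is known to schedule on one execution port, slows down whenever the victim's instructions also need that port, and so yields a per-port, per-time-window profile of the victim's instruction mix. The following is an added example of the matching that a profile like that enables; it is not PortPrint's code or the authors' classifier. The probe itself is hardware-specific and is not implemented; the two build profiles ("v1.0-branchy", "v1.1-ct"), the assumed port roles, the Gaussian noise standing in for measurement, the Pearson template matching and the 0.75 confidence threshold are all constructed assumptions for illustration.

```python
"""Template matching over per-port contention profiles (added example).

Everything here is constructed illustration, not PortPrint's code or
classifier. A real port-contention probe times port-specific instruction
sequences on the victim's core; that measurement loop is NOT shown.
"""
import random
from statistics import mean, pstdev

# Assumed port roles for the story: p0/p1/p5 ALU or vector work, p6 branches.
PORTS = ("p0", "p1", "p5", "p6")
WINDOWS = 8  # time windows across one run of the victim routine

# Constructed ground-truth profiles: extra probe cycles per port per window.
# "v1.0-branchy" is a made-up build whose modexp branches on secret bits and
# so loads the branch port; "v1.1-ct" is a made-up constant-time rewrite that
# leans on the ALU/vector ports instead. The numbers are invented.
TRUE_PROFILES = {
    "v1.0-branchy": {
        "p0": [2, 2, 3, 3, 3, 2, 2, 2],
        "p1": [2, 2, 2, 2, 2, 2, 2, 2],
        "p5": [1, 1, 1, 1, 1, 1, 1, 1],
        "p6": [6, 8, 9, 9, 8, 7, 6, 5],
    },
    "v1.1-ct": {
        "p0": [5, 6, 6, 6, 6, 6, 5, 5],
        "p1": [5, 5, 6, 6, 6, 5, 5, 5],
        "p5": [4, 4, 5, 5, 5, 4, 4, 4],
        "p6": [1, 1, 1, 1, 1, 1, 1, 1],
    },
}


def flatten(profile):
    """Lay the PORTS x WINDOWS profile out as one vector, port-major."""
    return [float(v) for port in PORTS for v in profile[port]]


def simulate_trace(profile, rng, noise_sd=0.6):
    """Stand-in for one real measurement: true profile plus Gaussian noise."""
    return [v + rng.gauss(0.0, noise_sd) for v in flatten(profile)]


def pearson(a, b):
    """Pearson correlation; 0.0 when either vector is flat (undefined)."""
    if len(a) != len(b):
        raise ValueError("trace length mismatch")
    ma, mb = mean(a), mean(b)
    sa, sb = pstdev(a), pstdev(b)
    if sa == 0.0 or sb == 0.0:
        return 0.0
    return sum((x - ma) * (y - mb) for x, y in zip(a, b)) / (len(a) * sa * sb)


def build_templates(rng, runs_per_version=20):
    """Profiling phase: average several traces of each known build."""
    templates = {}
    for name, profile in TRUE_PROFILES.items():
        runs = [simulate_trace(profile, rng) for _ in range(runs_per_version)]
        templates[name] = [mean(col) for col in zip(*runs)]
    return templates


def classify(trace, templates, threshold=0.75):
    """Attack phase: best-correlated template, or 'unknown' below threshold.

    The threshold is an assumption; a real deployment would calibrate it
    from the spread of within-version correlations seen while profiling.
    """
    scores = {name: pearson(trace, tmpl) for name, tmpl in templates.items()}
    best = max(scores, key=scores.get)
    return (best if scores[best] >= threshold else "unknown"), scores


def run_demo(seed=7):
    """Profile both builds, then classify fresh noisy traces of each."""
    rng = random.Random(seed)
    templates = build_templates(rng)
    results = {}
    for name, profile in TRUE_PROFILES.items():
        results[name] = classify(simulate_trace(profile, rng), templates)[0]
    # A flat trace (no contention pattern at all) must not match anything.
    results["flat"] = classify([3.0] * (len(PORTS) * WINDOWS), templates)[0]
    # How separable the two templates are (negative = opposite port usage).
    results["separation"] = pearson(templates["v1.0-branchy"], templates["v1.1-ct"])
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:>14}: {value}")
```

Correlation rather than raw distance is used so that the match depends on the shape of the profile, not on absolute probe timings, which shift with clock frequency and microarchitecture; the "unknown" outcome matters because a fingerprinting tool that always returns its nearest known version will confidently mislabel any build it was never profiled against.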


Review

This paper addresses a recurring problem in offensive security work: inferring the exact version or build variant of a target's software, and of its cryptographic libraries in particular, so that an exploit can be tailored to it. Version detection traditionally relies on reading the program itself, which modern platforms increasingly prevent with execute-only memory (XOM) and trusted execution environments (TEEs) intended to keep sensitive code from disclosure and reverse engineering. The authors set up this problem clearly and motivate the need for a technique that works without any access to the code.

The core contribution is the use of CPU port contention as a side channel. Measuring how heavily a victim's instruction stream occupies the core's execution ports yields a per-port timing profile that acts as an execution signature, and that signature remains observable even when the code itself cannot be read. The proof-of-concept implementation, PortPrint, uses these signatures to identify cryptographic functions, determine library versions, and detect specific properties of a build, such as whether a WolfSSL build is affected by CVE-2024-1544 or whether Spectre mitigations are active in Xen. These demonstrations underscore how much information about code identity port contention carries.

A significant strength is the evaluation against current code-protection mechanisms: memory protection keys, hypervisor-based XOM, Intel SGX, Intel TDX, and AMD SEV. PortPrint's signatures remain usable under all of them, which supports the authors' conclusion that hardware-based isolation does not conceal instruction streams.

The paper also reports a negative result: the authors could not leak code protected by these same mechanisms using Meltdown or Foreshadow, a useful data point on the limits of those transient-execution attacks. The overarching conclusion, that hardware-based isolation alone is insufficient to conceal instruction streams, has direct implications for how secure computing platforms are designed and evaluated.


Full Text

Published in Proceedings of the Microarchitecture Security Conference.
