If there's somethin' stored in a secure enclave, who ya gonna call? Membuster!

Computer scientists from UC Berkeley, Texas A&M, and semiconductor biz SK Hynix have found a way to defeat secure enclave protections by observing memory requests from a CPU to off-chip DRAM through the memory bus. In a paper [PDF] titled, "An Off-Chip Attack on Hardware Enclaves via the Memory Bus," slated for inclusion in …

  1. IGotOut Silver badge


    To run this, you have to gain access to a DC, then to the rack, then to a server, shut it down, open it up, power it back up. And all this without anyone noticing?

    Right. Got it.

    1. This post has been deleted by its author

      1. Cronus

        Re: So...

        This probably has implications for DRM but I most certainly agree there's not much of a threat to servers and the like.

  2. tcmonkey

    Let me see if I understand; they're saying that by sniffing the system bus, you can see goings on in a secure enclave communicating over said bus. In other news: water wet, sky blue, all this and more tonight on 60 minutes!

    I thought that the whole point of a secure enclave is that it is usually on-die to prevent sensitive signals being routed over the PCB? This is essentially the mistake Microsoft made with the original Xbox many many years ago, it's nothing new.
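The point made above, that a probe on the memory bus sees what the enclave is doing, can be made concrete. The following is an added example, not code from the paper or from the commenters: it simulates a bus observer that records only the cache-line address of every load (an enclave's memory contents are encrypted on the way to DRAM, but the addresses of the requests are not), then compares a secret-indexed table lookup against an oblivious one that touches every line in a fixed order and selects the wanted entry with a mask. The 64-byte line size, the `load_u32` instrumentation standing in for the interposer, and the table contents are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define LINE_BYTES    64          /* assumed cache-line size seen on the bus */
#define TABLE_ENTRIES 256         /* one 32-bit entry per possible secret byte */
#define MAX_TRACE     1024

/* Simulated bus observer: records the cache-line index of each load.
 * This stands in for the interposer on the DIMM; nothing here reads real hardware. */
typedef struct {
    size_t    n;
    uintptr_t lines[MAX_TRACE];
} trace_t;

/* Line-aligned so entry i lives in line i / 16 (16 x 4-byte entries per line). */
static _Alignas(LINE_BYTES) uint32_t table[TABLE_ENTRIES];

static void init_table(void) {
    for (size_t i = 0; i < TABLE_ENTRIES; i++)
        table[i] = (uint32_t)(i * 2654435761u);   /* constructed, arbitrary contents */
}

/* Every load the "enclave" makes goes through here so the observer can log the line. */
static uint32_t load_u32(trace_t *t, const uint32_t *p) {
    if (t->n < MAX_TRACE)
        t->lines[t->n++] = (uintptr_t)p / LINE_BYTES;
    return *p;
}

/* Leaky: the line fetched is a function of the secret, so the address stream leaks it. */
uint32_t lookup_leaky(trace_t *t, uint8_t secret) {
    return load_u32(t, &table[secret]);
}

/* Oblivious: touch all entries in a fixed order; pick the wanted one branchlessly.
 * eq is 1 only when i == secret (x - 1 wraps to 0xFFFFFFFF only for x == 0). */
uint32_t lookup_oblivious(trace_t *t, uint8_t secret) {
    uint32_t result = 0;
    for (size_t i = 0; i < TABLE_ENTRIES; i++) {
        uint32_t v    = load_u32(t, &table[i]);
        uint32_t x    = (uint32_t)i ^ secret;
        uint32_t eq   = (x - 1u) >> 31;
        uint32_t mask = 0u - eq;
        result |= v & mask;
    }
    return result;
}

/* 1 if the two recorded address streams differ, i.e. the observer can tell the secrets apart. */
int traces_differ(const trace_t *a, const trace_t *b) {
    if (a->n != b->n) return 1;
    return memcmp(a->lines, b->lines, a->n * sizeof a->lines[0]) != 0;
}

int leaky_distinguishable(uint8_t s1, uint8_t s2) {
    trace_t a = {0}, b = {0};
    init_table();
    lookup_leaky(&a, s1);
    lookup_leaky(&b, s2);
    return traces_differ(&a, &b);
}

int oblivious_distinguishable(uint8_t s1, uint8_t s2) {
    trace_t a = {0}, b = {0};
    init_table();
    lookup_oblivious(&a, s1);
    lookup_oblivious(&b, s2);
    return traces_differ(&a, &b);
}

/* 1 if the oblivious lookup still returns the right entry. */
int oblivious_correct(uint8_t s) {
    trace_t t = {0};
    init_table();
    return lookup_oblivious(&t, s) == table[s];
}

int main(void) {
    printf("leaky, secrets 3 vs 200 distinguishable: %d\n", leaky_distinguishable(3, 200));
    printf("leaky, secrets 3 vs 5 distinguishable:   %d\n", leaky_distinguishable(3, 5));
    printf("oblivious, 3 vs 200 distinguishable:     %d\n", oblivious_distinguishable(3, 200));
    printf("oblivious result correct for 200:        %d\n", oblivious_correct(200));
    return 0;
}
```

Two things worth noticing when running it: the leaky lookup cannot distinguish secrets 3 and 5 because both sit in the same 64-byte line, so an observer on the bus only sees addresses at line granularity; and the oblivious version pays for its fixed address stream with 256 loads instead of one. The mask trick is only as branchless as the compiler leaves it, so production code needs to be checked at the assembly level rather than trusted from the source.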

  3. eldakka

    or an end-user could gather data from an enclaved application, to get secret data from the enclave owner, the app's developer.

    If it's running on my hardware, my phone, my desktop, then I am the secure enclave's owner, not the app's developer.

    1. diodesign (Written by Reg staff) Silver badge

      That's unfortunately not how secure enclaves are designed. They are supposed to allow application software to run code that not even the operating system, hypervisor, or administrator can access, using attestation to prove there has been no meddling.

      Said code is things like DRM (on client machines) or sensitive stuff on cloud machines (when you don't want the remote server host snooping on you.)


      1. Claptrap314 Silver badge

        You are technically correct

        But since the only purpose of such code seemed to be to deny the purchaser of a product its enjoyment at the whim of the producer, the moral argument above stands.

        1. Anonymous Coward

          Re: You are technically correct

          Depends on who is the purchaser in this case. It's a matter of perspective. Is it the owner of the hardware or the client who's renting time to do some time-sensitive number crunching on confidential data that can't be processed in-house?

  4. Anonymous Coward

    Doesn't seem like this attack would work on a phone

    If you need an interposer between the DIMM and the socket, given that today's premium phones stack the DRAM and SoC in a single package using TSVs. While I'm sure it is technically possible to take that apart and re-layer it with a custom designed interposer that matches the TSVs, that's probably nation state level capability.

    The technology to build those chip stacks that layered DRAM and SoCs was only developed this decade, and only practiced by a handful of companies. It would probably cost tens of millions if not more to develop this attack, be somewhat model-specific (you may need four different custom interposers for say Galaxy S10, iPhone XS, Pixel 4, iPhone 11) and wouldn't ever be anything you could do "out in the field" - you'd have to steal someone's phone and send it to a special facility.

    1. Jimmy2Cows Silver badge

      Re: Doesn't seem like this attack would work on a phone

      Seems like the only way it could work is to swap the target's phone with one that's already been 'customised'. Which presents its own set of problems (matching the condition (markings, dirt, smears etc.), cloning the contents, cloning the sim etc.) all in short enough order the target wouldn't have time to notice. And you'd do it not to gain access to what's currently on the phone necessarily (since you've already cloned its content), but future content or secure operations.

      So Hollywood level of spying, makes for a reasonable plot line, but not real-life.

  5. Pascal Monett Silver badge

    "the attacker needs to install a custom-printed circuit board"

    I stopped reading there.

    Physical access and all that. Nothing to lose sleep over.

    1. JohnFen

      Re: "the attacker needs to install a custom-printed circuit board"

      I'm not losing sleep over it. In fact, I'm very pleased at this, because it's a possible means of increasing the security of my computer because it means that software won't be able to force my machine to keep secrets from me.

  6. Blackjack Silver badge


    I wonder how this will be used to hack software and games?

  7. JohnFen


    I'm always happy to have a means by which I can stop my machines from keeping secrets from me.
