Guard-en Party Summary

From March 26th through April 2nd, 2022, the Data Platforms Engineering and Architecture (DPEA) team and Security Assurance and Research (DSAR) team, in collaboration with Intel Product Assurance and Security (IPAS), the Intel® SGX team, and an external vendor named Intigriti, held the Guard-en Party under the umbrella of IPAS’ bug bounty program, Project Circuit Breaker. Intigriti continues to be a key partner in enabling Intel to connect with external researchers in the security community and provided logistical assistance for the event. There were two key objectives for Guard-en Party: identify qualified researchers for the Intel® TDX campaign and live-test our Intel® DevCloud infrastructure and support capabilities for use with external researchers. Project Circuit Breaker sought applications from the researcher community to participate in the Party. A total of 103 applied, 14 were selected, and 10 researchers participated in a training-style event. Participants worked directly with renowned security researchers and Intel experts to learn about Intel® SGX technology. This “capture the flag” type event included some hand-crafted vulnerable applications that participants were asked to exploit using the tools, techniques, and skills presented during the training sessions.

The Guard-en Party event was successfully completed. Two qualified security researchers were selected for the Intel® TDX campaign with an additional two on the waitlist. Intel® DevCloud infrastructure and support has been thoroughly exercised to ensure smooth execution of the Intel® TDX campaign.

Objectives & Goals

The key objectives & goals for the Guard-en Party bug bounty event were:

  • Develop a proof-of-concept event leveraging Intel® SGX technology in preparation for the Intel® TDX campaign.
  • Stress test Intel® DevCloud processes around using the environment, setup, support, and staffing.
  • Introduce Project Circuit Breaker to a new audience who had not engaged with the Intel® Bug Bounty Program before and develop a strong relationship with them.
  • Identify and recruit new researchers with the required skill set and form new relationships with members of the researcher community who specialize in techniques that are likely to find vulnerabilities in Intel® TDX.
  • Establish an event execution plan for Intel-specific training and development events.

Project Feedback

What things did you enjoy about the Guard-en Party?

“I really liked the event. The animation, the content, the swag, the participants. Everything was awesome!! This was a great learning experience!”

What things did you enjoy about the Guard-en Party?

“I really enjoyed the presentation, especially having a host like Teddy K. who sparked enthusiasm and good vibes. Loved the fun little things like the introduction icebreaker and the weird quiz.

Also was very nice to learn from two other researchers doing Show & Tell.

+1 for having a woman in this ‘man-dominated’ world!”

What things did you enjoy about the Guard-en Party?

“First of all, thank you for all the hard work you’ve put to make this incredible event happen. The amount of time you all must’ve put to make it all work is greatly appreciated. I’ve enjoyed many things, really.

The organization of the event, the swag 🙂 , the trivia, the icebreaker, the lecturers, the infrastructure, the technology itself is super cool, the level of support (thank you for the hints!), making sure throughout the event that everything runs smoothly, the amazing researchers that participated in this event. I mean, wow.

On top of that, I really enjoyed the Show & Tell part, especially seeing different approaches toward the research process. Learned a lot! Also the idea that ‘hacking is a team sport’ as Teddy said it, really resonates with me.”

What things did you not enjoy about the Guard-en Party?

“The Show & Tell part was good, and I think it’s very useful/important to see different researcher’s approaches to the same problems. However, it got a bit repetitive having two researchers go through it and then another walkthrough. Perhaps a slightly more curated approach could be taken – a walkthrough, and then more of a high-level summary of potential different approaches that researchers took.”

What things did you not enjoy about the Guard-en Party?

“Wish there was a live hacking component with a SGX application.”

What things did you not enjoy about the Guard-en Party?

“It ended too soon 🙁 I wish we had more rounds of POCs. Also personally I would’ve liked to reverse the order of the setup part, – first to receive the instructions in mail, go over them, and then to have a video about the setup.”

Is there any other feedback you would like to share with us?

“I think the difficulty of POC 1 and 2 was perfect as an introduction. Part of me wishes there was a more complex ‘POC 3’, so I could really flex my exploit dev skills – but perhaps that would have taken too much time to solve.”

Is there any other feedback you would like to share with us?

“I wish the development process given on day 1 was given on day 2 after we were given the POCs so we could examine the POC files while learning about the development process. Thank you for the videos, because I was able to go over the presentation again while poking around and making things click.”

Is there any other feedback you would like to share with us?

“Thanks for organizing this, first time I see a company going to this length to engage with the hacker community. Hope the industry follows.”

 

Outreach, Planning, & Programming

In early February, the Intigriti team worked with Project Circuit Breaker to promote the Guard-en Party event across multiple outreach channels. The response was excellent.  Overall, we received over 103 applications from across the world. Of the 103, 25 were deemed qualified for the event. The top 14 applicants were invited to the event and the other 11 were waitlisted. Selected participants were screened against sanctions and restricted party lists.

Upon receiving their invitations to the event, confirmed researchers were sent promotional packages from both Project Circuit Breaker and the Intigriti team. The event was divided across two weekends and one full week – March 26th through April 2nd. This was a virtual event conducted over the Zoom platform, and all the sessions were recorded. Recordings were made available to event participants for the duration of the event only.

Saturday, March 26th

Intel® SGX Overview
Hacker Trivia
Intel® DevCloud Walkthrough and Setup

Sunday, March 27th

Researcher Introductions & Ice Breaker
Guest speaker – Jo Van Bulck – KU Leuven
Intel® SGX Proof of Concept (POC) Walkthroughs

Monday, March 28th – Friday, April 1st

Researchers found hypothetical vulnerabilities in the POCs and submitted reports via the Intigriti platform

Saturday, April 2nd

Show & Tell – The top two reports were selected by the Intel team and each researcher shared their strategies, techniques, and learnings with the group.
POC Walkthroughs – Intel engineers walked through each POC and the logic behind them and what they were looking for.
Event wrap-up

Technical Details

Researchers were provided with two proof-of-concept applications to explore and exploit, which were developed using known exploitable coding techniques. Each POC consisted of a simple application and an Intel® SGX enclave with bugs. The objective for each researcher was to find and describe the bugs in the Intel® SGX enclave, describe the mechanism to exploit the bugs, and develop functional exploits.

Researchers were provided with descriptions of the applications that included hints for each POC’s  hypothetical vulnerability(ies).

Proof-of-Concept 1

Intel® SGX enclaves are like two-way mirrors: enclave code can read and write memory outside the enclave (subject to normal IA access control), but code outside the enclave can neither read nor write memory inside the enclave. At the same time, for enclaves to be useful, they must be able to process inputs from outside the enclave and provide outputs to code outside the enclave. POC 1 is intended to make you think about exactly how this can be done and how it should be done across different types of inputs and outputs.
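The boundary rule described above, as an added example that is not one of the event's POCs and not Intel's code: a handler that trusts host-supplied pointers beside one that validates, snapshots and copies first. The array enclave_mem, the request_t layout and both handler names are constructed for illustration; in a real enclave the range check is the SDK's sgx_is_outside_enclave.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: this array stands in for enclave-protected memory. */
static uint8_t enclave_mem[4096];
#define WORK_MAX 256u

typedef struct {                 /* request block living in untrusted memory */
    const uint8_t *in;  size_t in_len;
    uint8_t *out;       size_t out_len;
} request_t;

/* Nonzero only if [p, p+len) lies entirely outside the enclave range. */
static int outside_enclave(const void *p, size_t len)
{
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)enclave_mem;
    if (len > UINTPTR_MAX - a) return 0;             /* p+len would wrap */
    return a + len <= base || a >= base + sizeof enclave_mem;
}

/* Unchecked handler: trusts every pointer and length the host supplies. */
void ecall_unchecked(const request_t *req)
{
    memcpy(req->out, req->in, req->in_len);   /* host picks source and target */
}

/* Hardened handler: validate, snapshot, copy in, work privately, copy out. */
int ecall_checked(const request_t *untrusted)
{
    if (!outside_enclave(untrusted, sizeof *untrusted)) return -1;
    request_t req = *untrusted;               /* one fetch; later host edits are ignored */
    if (req.in_len > WORK_MAX || req.out_len < req.in_len) return -2;
    if (!outside_enclave(req.in, req.in_len)) return -3;
    if (!outside_enclave(req.out, req.in_len)) return -4;
    uint8_t *work = enclave_mem + 64;         /* enclave-private scratch area */
    memcpy(work, req.in, req.in_len);         /* copy in before any use */
    for (size_t i = 0; i < req.in_len; i++) work[i] ^= 0x20;  /* placeholder processing */
    memcpy(req.out, work, req.in_len);
    return 0;
}

int main(void)
{
    uint8_t out[8] = {0};
    request_t r = { enclave_mem, 4, out, sizeof out };  /* host aims 'in' at the enclave */
    printf("checked: %d\n", ecall_checked(&r));         /* rejected before any copy */
    return 0;
}
```

With the Intel® SGX SDK, EDL [in] and [out] pointer attributes make the generated bridge code perform these checks and copies, while [user_check] pointers leave them to the enclave author.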

Proof-of-Concept 2

One lesson from POC 1 is that Intel® SGX does not cover up or automatically fix bugs. POC 2 is a bit more involved. This POC may or may not have followed secure coding guidelines with respect to compiler flags. A small script may be useful to facilitate exploitation. The vulnerable enclave app has four mutually exclusive command line arguments. Of these, prioritize the analysis of -in_vt_stack.

Platform (Coyote Pass, Ice Lake)

CPU: Xeon Gold 6336Y
BIOS settings to enable Intel® SGX:
Advanced -> Memory configuration -> Memory RAS and Performance Configuration -> UMA clustering -> disable
Advanced -> Processor Config -> TME -> enable
Advanced -> Processor Config -> Intel® SGX -> enable
Advanced -> Processor Config -> PRMRR -> 64GB
Numa optimized -> enabled (grey)
SNC -> disable
Operating System: CentOS Stream 8
Kernel version: 4.18.0-373.el8.x86_64
BIOS ID: SE5C6200.86B.0022.D64.2105220049
Intel® SGX SDK: sgx_linux_x64_sdk_2.15.101.1.bin

Management

Intel® DevCloud systems were reserved by Intel employees; access instructions were forwarded to external researchers. External researchers were granted bare metal root access to the systems and reminded not to tinker with BIOS settings, as doing so may damage the Intel® SGX configuration. The Bug Bounty team managed ownership of the DPG Intel® DevCloud systems, which enabled the team to quickly reclaim and reconstruct any broken configurations.

Support Model

Intel® DevCloud support staff supported help requests from researchers outside of normal hours (24×7)  for one week of the event only; future events should consider the time requirement and communicate expectations with Intel® DevCloud support and external researchers ahead of time. Intel, External Researchers, and Intigriti staff used a private Slack workspace to communicate about the event and Intel® DevCloud support requests.

 

Lessons Learned

Overall, the event was a success, and all objectives and goals were met.  Lessons learned for future events include, but are not limited to:

Organization & Planning
  • Develop and share tools and templates for continued collaboration.
  • Get agendas and bounty tables at least one week in advance, so that participants can be more prepared and understand expectations and time commitments.
  • It took us a considerable amount of time to define the nature of Intel® SGX. We came to a point where it was about to be abandoned. Organizers need to make sure we define scope much faster.
  • Develop long term documents that can be used regularly for each Project Circuit Breaker event. This includes shared secure folders and storage.
  • We would have liked the POCs and hints to be ready earlier to ensure time for internal review and testing, ideally 2-6 weeks.
Execution & Engagement
  • Social activities go a long way for relationship building – icebreakers and non-technical activities should continue to grow, especially for virtual events.
  • For future training events, consider extending them longer than one week as some researchers have requested more time to work on the exercises.
  • Show & Tell continues to thrive as a key component for events – virtual or in person.
Post-Event Activities
  • As new vulnerabilities are submitted, consider if they could be turned into a CTF-style challenge that can be packaged and re-used in a future training-style event. This will require significant engineering effort with appropriate planning.
  • Add writeups from researchers, interviews/video content, recordings of anything we can share, descriptions of the challenges, etc. to the Project Circuit Breaker website so other people can participate on their own outside of the event.

Results Achieved

Live test of Intel® DevCloud infrastructure and support capabilities for use with external researchers

Success with improvement opportunities

Identify qualified researchers for Intel® TDX bug bounty on Eagle Stream

Success – 4 individuals identified (2 invited, 2 waitlisted)

Identify areas of improvement to prepare for Intel® TDX campaign

Achieved – details captured in the Lessons Learned section