SmashEx: Smashing SGX Enclaves Using Exceptions

10/13/2021
by   Jinhua Cui, et al.
0

Exceptions are a commodity hardware functionality which is central to multi-tasking OSes as well as event-driven user applications. Normally, the OS assists the user application by lifting the semantics of exceptions received from hardware to program-friendly user signals and exception handling interfaces. However, can exception handlers work securely in user enclaves, such as those enabled by Intel SGX, where the OS is not trusted by the enclave code? In this paper, we introduce a new attack called SmashEx which exploits the OS-enclave interface for asynchronous exceptions in SGX. It demonstrates the importance of a fundamental property of safe atomic execution that is required on this interface. In the absence of atomicity, we show that asynchronous exception handling in SGX enclaves is complicated and prone to re-entrancy vulnerabilities. Our attacks do not assume any memory errors in the enclave code, side channels, or application-specific logic flaws. We concretely demonstrate exploits that cause arbitrary disclosure of enclave private memory and code-reuse (ROP) attacks in the enclave. We show reliable exploits on two widely-used SGX runtimes, Intel SGX SDK and Microsoft Open Enclave, running OpenSSL and cURL libraries respectively. We tested a total of 14 frameworks, including Intel SGX SDK and Microsoft Open Enclave, 10 of which are vulnerable. We discuss how the vulnerability manifests on both SGX1-based and SGX2-based platforms. We present potential mitigation and long-term defenses for SmashEx.

READ FULL TEXT

page 1

page 2

page 3

page 4

research
10/08/2018

Interface-Based Side Channel Attack Against Intel SGX

Intel has introduced a trusted computing technology, Intel Software Guar...
research
06/24/2020

A Survey of Published Attacks on Intel SGX

Intel Software Guard Extensions (SGX) provides a trusted execution envir...
research
07/02/2018

BesFS: Mechanized Proof of an Iago-Safe Filesystem for Enclaves

New trusted computing primitives such as Intel SGX have shown the feasib...
research
07/20/2018

Spectre Returns! Speculation Attacks using the Return Stack Buffer

The recent Spectre attacks exploit speculative execution, a pervasively ...
research
03/30/2022

Enhanced Grey Box Fuzzing For Intel Media Driver

Grey box fuzzing is one of the most successful methods for automatic vul...
research
05/12/2021

Guardian: symbolic validation of orderliness in SGX enclaves

Modern processors can offer hardware primitives that allow a process to ...
research
08/09/2022

STELLA: Sparse Taint Analysis for Enclave Leakage Detection

Intel SGX (Software Guard Extension) is a promising TEE (trusted executi...

Please sign up or login with your details

Forgot password? Click here to reset