DeepAI AI Chat
Log In Sign Up

TeeRex: Discovery and Exploitation of Memory Corruption Vulnerabilities in SGX Enclaves

by   Tobias Cloosters, et al.

Intel's Software Guard Extensions (SGX) introduced new instructions to switch the processor to enclave mode which protects it from introspection. While the enclave mode strongly protects the memory and the state of the processor, it cannot withstand memory corruption errors inside the enclave code. In this paper, we show that the attack surface of SGX enclaves provides new challenges for enclave developers as exploitable memory corruption vulnerabilities are easily introduced into enclave code. We develop TeeRex to automatically analyze enclave binary code for vulnerabilities introduced at the host-to-enclave boundary by means of symbolic execution. Our evaluation on public enclave binaries reveal that many of them suffer from memory corruption errors allowing an attacker to corrupt function pointers or perform arbitrary memory writes. As we will show, TeeRex features a specifically tailored framework for SGX enclaves that allows simple proof-of-concept exploit construction to assess the discovered vulnerabilities. Our findings reveal vulnerabilities in multiple enclaves, including enclaves developed by Intel, Baidu, and WolfSSL, as well as biometric fingerprint software deployed on popular laptop brands.


page 5

page 13


Execution at RISC: Stealth JOP Attacks on RISC-V Applications

RISC-V is a recently developed open instruction set architecture gaining...

Guardian: symbolic validation of orderliness in SGX enclaves

Modern processors can offer hardware primitives that allow a process to ...

Data Sampling on MDS-resistant 10th Generation Intel Core (Ice Lake)

Microarchitectural Data Sampling (MDS) is a set of hardware vulnerabilit...

Static Detection of Uninitialized Stack Variables in Binary Code

More than two decades after the first stack smashing attacks, memory cor...

SpecFuzz: Bringing Spectre-type vulnerabilities to the surface

SpecFuzz is the first tool that enables dynamic testing for speculative ...

Exposing and Addressing Security Vulnerabilities in Browser Text Input Fields

In this work, we perform a comprehensive analysis of the security of tex...


We describe our experience porting the Regensburg implementation of the ...