
SGX-ROP: Practical Enclave Malware with Intel SGX

This repository contains the implementations of the DIMVA 2019 paper

The repository consists of three parts: tap_claw, demo, and egghunter.

TAP + CLAW

Contains the Intel TSX-based primitives to check whether a page is mapped and writable without using syscalls.

Demo

Uses TAP + CLAW inside a (malicious) SGX enclave to break ASLR of the host application, create a ROP payload and mount a simple PoC attack (i.e., create a file in the current directory).

Egg Hunter

Shows how to use TAP as an egg hunter for classical exploits.

Note on Broken Microcode

Intel released a document, Performance Monitoring Impact of Intel Transactional Synchronization Extension Memory, describing that certain microcode updates disable the use of TSX within SGX. This inadvertently also breaks SGX-ROP in its current form. If you have such a microcode update, you have the following options:

Disable the Microcode Update

For demo/testing purposes, the easiest option is to simply disable the microcode update. This can be done using the boot parameter disable_ucode_ldr.
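Whether TSX is actually available is the first thing to establish, both after disabling the update and when assessing how exposed a production host is. The following check is an added example and not part of the sgxrop repository: it reads the CPU flags and the kernel command line (the Linux `tsx=` parameter and the `rtm` / `rtm_always_abort` cpuinfo flags are real kernel interfaces; the sample inputs below are constructed, not captured from a machine) and reports whether the RTM instructions that TAP and CLAW depend on are exposed to user space.

```shell
#!/bin/sh
# Added example, not part of the sgxrop repository: a defender-side check of
# whether a Linux host still exposes TSX to user space (the RTM instructions
# that TAP and CLAW depend on). It reads the cpu flags and the kernel command
# line, passed as file paths so it also runs on captured copies offline.

# cpu_flag_present FILE FLAG: succeeds if FLAG appears as a whole word on a
# "flags" line. Word matching keeps "rtm" from matching "rtm_always_abort".
cpu_flag_present() {
    grep -E '^flags[[:space:]]*:' "$1" | grep -qw -- "$2"
}

# kernel_tsx_off FILE: succeeds if the command line carries tsx=off
# (the kernel then hides RTM/HLE and disables the feature).
kernel_tsx_off() {
    tr ' ' '\n' < "$1" | grep -qx 'tsx=off'
}

# tsx_exposure CPUINFO CMDLINE: prints one verdict
#   kernel-off    tsx=off on the command line
#   forced-abort  CPU reports rtm_always_abort; transactions never commit
#   exposed       rtm advertised and not turned off, TSX probing is possible
#   absent        no rtm flag at all
tsx_exposure() {
    if kernel_tsx_off "$2"; then
        echo kernel-off
    elif cpu_flag_present "$1" rtm_always_abort; then
        echo forced-abort
    elif cpu_flag_present "$1" rtm; then
        echo exposed
    else
        echo absent
    fi
}

# Constructed sample inputs (not captured from a real machine), written to
# temporary files so the functions see the same interface as /proc.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'processor : 0\nflags : fpu vme de pse tsc msr pae sep mtrr cmov clflush hle avx2 rtm sgx\n' \
    > "$tmp/cpuinfo_rtm"
printf 'processor : 0\nflags : fpu vme de pse tsc msr pae sep mtrr cmov clflush avx2 sgx\n' \
    > "$tmp/cpuinfo_no_rtm"
printf 'processor : 0\nflags : fpu vme de pse tsc msr pae sep mtrr cmov clflush avx2 sgx rtm_always_abort\n' \
    > "$tmp/cpuinfo_force_abort"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet\n' > "$tmp/cmdline_default"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet tsx=off\n' > "$tmp/cmdline_tsx_off"

echo "sample, rtm + default cmdline : $(tsx_exposure "$tmp/cpuinfo_rtm" "$tmp/cmdline_default")"
echo "sample, rtm + tsx=off         : $(tsx_exposure "$tmp/cpuinfo_rtm" "$tmp/cmdline_tsx_off")"
echo "sample, no rtm                : $(tsx_exposure "$tmp/cpuinfo_no_rtm" "$tmp/cmdline_default")"
echo "sample, rtm_always_abort      : $(tsx_exposure "$tmp/cpuinfo_force_abort" "$tmp/cmdline_default")"

# On a live Linux host, report the real verdict as well.
if [ -r /proc/cpuinfo ] && [ -r /proc/cmdline ]; then
    echo "this host                     : $(tsx_exposure /proc/cpuinfo /proc/cmdline)"
fi
```

Note the limit of this check: the microcode update discussed above disables TSX inside enclaves, while `rtm` can remain advertised to the host, so `exposed` means the host-side prerequisite holds, not that an enclave can execute transactions. `forced-abort` and `kernel-off` both mean the TSX-based primitives cannot work on that host.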

Replace TSX with DataBounce or EchoLoad

If you cannot disable the microcode update, or TSX is disabled, e.g., for security reasons, you can replace TSX with a different primitive. Possible alternatives based on transient-execution attacks that have been shown to work are DataBounce, as described in

and EchoLoad, which also works on CPUs where DataBounce is mitigated, as described in

License

All code is licensed under the MIT license.


sgxrop's Issues

Missing file

Configuration file "Enclave/Enclave.config.xml" is not found.

Executing the code

May I know what the main file to run is here? And how can I plot the figure from the code?

first_ssa_gpr stack location

  1. May I know what is meant by regs[18] and regs[19]? Does 296 carry any physical meaning?
    size_t* stack = (size_t*)regs[18];
    printf("Saved RSP: %zx", regs[18]);
    printf("Saved RBP: %zx", regs[19]);

    size_t ptr = (size_t)regs[19] + 296;
  2. Would anyone be able to describe how the following stack location brute-force finding code works in more detail?
    printf("Searching for stack frame...");
    for(int i = 8; i < 8000; i += 16) {
        if(!is_mapped((void*)(regs[19] + i + 8))) break;
        size_t v1 = *(size_t*)(regs[19] + i);
        size_t v2 = *(size_t*)(regs[19] + i + 8);
        if(!is_mapped((void*)v1) || !is_mapped((void*)v2)) continue;
        if(v1 > 0x400000 /* looks like code */
            && v2 > 0x700000000000ull  /* looks like stack */
            && v2 > v1 + 4 * 1024 * 1024 /* code before stack */
            && v2 > regs[19] - 4 * 1024 * 1024 && v2 < regs[19] + 4 * 1024 * 1024 /* stack max approx 4mb */
            && *(size_t*)v2 > v2 /* rbp chain? */
        ) {
            printf("Stack frame @ %d: %zx / %zx (%zx / %zx)", i, v1, v2, *(size_t*)v1, *(size_t*)v2);
            ptr = (size_t)regs[19] + i;
//            break;
        }
    }

    int pos = 0;
    size_t* rip = (size_t*)ptr;
    size_t* rbp = (size_t*)(ptr - 8);
    printf("RIP @ %p", rip);
    printf("RBP @ %p", rbp);
