
0xbadc0de's People

Contributors

jovanbulck


0xbadc0de's Issues

The file, calc_msg.h, not found in Keystone/struct-padding.

In line 22 of the keystone/struct-padding/keystone-struct-padding.diff file, there is +#include "../calc_msg.h". But I can't find this header file.

I tried to construct a simple data structure, calc_message_t, on my own from the output of the readme file. But it didn't work out.

Here is the simple data structure I constructed:

typedef struct calc_message
{
  unsigned short msg_type;
  unsigned long len;
  unsigned char msg[7];
} calc_message_t;

Can you provide the calc_msg.h file? Thank you.

[Graphene-SGX] Status of reported vulnerabilities

Dear authors,

We'd like to thank you for this paper and the responsible disclosure to us back in April 2019.

I would like to post the current status of all vulnerabilities in the ECALL/OCALL interface of Graphene-SGX found by your team. This will hopefully help others in understanding the current state of Graphene-SGX. Also, we'd be happy if you audit our fixes/try your attacks on the newest version.

I would like to stress that Graphene-SGX is still a research project and is not used in production (to the best of our knowledge). We are actively working on making it more stable and secure.

TLDR: All discovered vulnerabilities were fixed in April-May 2019, at the time of responsible disclosure by the authors. The only exception is "sanitizing the AC flag" (part of attack vector #1) -- this will be promptly fixed by gramineproject/graphene#1150 in November 2019.

Attack Vector #1

  1. Sanitizing the AC flag to prevent the controlled #AC side channel. We created a PR to clear the AC flag: gramineproject/graphene#1150. It will be reviewed and merged into mainline soon. (Kudos for this attack vector, it's a really interesting side channel!) UPDATE 11/19/2019: This fix was merged into mainline Graphene.

  2. Sanitizing the DF flag: as mentioned in the paper, Graphene-SGX clears this flag and doesn't expose this attack vector. See https://github.com/oscarlab/graphene/blob/098e2edf44035eb4d3e1db9a4f2054ade571eb6e/Pal/src/host/Linux-SGX/enclave_entry.S#L21 and other mentions in this file.

Attack Vector #2

First, I'd like to note that the text in https://github.com/jovanbulck/0xbadc0de/blob/master/graphene/entry-stack/README.md is from a very old issue gramineproject/graphene#28. This issue was fixed in 2017 and continuously improved upon afterwards. Could you please put a disclaimer at the top of this file, indicating that this was fixed?

As for the particular vulnerability with jumping to return_from_ocall, this was fixed by gramineproject/graphene#544 (in April 2019). The particular line of code is: https://github.com/oscarlab/graphene/blob/master/Pal/src/host/Linux-SGX/enclave_entry.S#L50 (and other code on SGX_OCALL_PREPARED manipulation).

Attack Vector #3

[ No instances of this vulnerability found in Graphene-SGX. ]

Attack Vector #4

  1. Validating argv and envp arrays was fixed by gramineproject/graphene#590 (in April 2019). The particularly relevant code is here: https://github.com/oscarlab/graphene/blob/098e2edf44035eb4d3e1db9a4f2054ade571eb6e/Pal/src/host/Linux-SGX/db_main.c#L150.

  2. The enclave_ecall_thread_start() function was removed from enclave_ecalls.c (and thus fixed) in 2017, as part of the same issue gramineproject/graphene#28. I think it is an oversight that this part was not removed from your paper (or at least it should have been explicitly mentioned that this was reported way back in 2017 and fixed then).

Attack Vector #5

[ No instances of this vulnerability found in Graphene-SGX. ]

Attack Vector #6

Integer overflow vulnerabilities were fixed by gramineproject/graphene#544 (in April 2019). See e.g. https://github.com/oscarlab/graphene/blob/098e2edf44035eb4d3e1db9a4f2054ade571eb6e/Pal/src/host/Linux-SGX/enclave_framework.c#L26.

Attack Vector #7

Partial overlaps of untrusted buffers with the trusted memory region are closely related to attack vector #6. Fixed by the same PR.

Attack Vector #8

TOCTOU (or "double fetch") vulnerabilities were fixed by gramineproject/graphene#622 (in May 2019).

Attack Vector #9

Iago attacks. The particular Iago attack described in the paper (returned buffer length in POSIX readdir(), implemented via getdents() syscall) was closed by the same gramineproject/graphene#622 (in May 2019), among others.

Attack Vector #10

[ No instances of this vulnerability found in Graphene-SGX. ]
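The status report above lists three closely related classes of ECALL/OCALL interface bugs: pointer-plus-length arithmetic that overflows (attack vector #6), untrusted buffers that start outside but end inside trusted memory (attack vector #7), and double fetches of host-controlled data (attack vector #8). The following C example, added here as an illustration and not taken from Graphene-SGX or the 0xbadc0de repository, shows the defensive shape of the checks these fixes describe. The function and type names (range_outside_trusted, msg_hdr_t, copy_in_message), the trusted-region bounds and the sample message are all constructed for this example; real enclave runtimes provide their own equivalents.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Check that an untrusted [addr, addr + len) range is non-empty, does not
 * wrap around the address space, and lies entirely outside the trusted
 * region [tbase, tbase + tsize). A naive `addr + len <= tbase` test passes
 * when addr + len overflows (attack vector #6), and checking only the start
 * address misses a range that starts outside and ends inside (vector #7). */
bool range_outside_trusted(uintptr_t addr, size_t len,
                           uintptr_t tbase, size_t tsize)
{
    if (len == 0)
        return false;                 /* empty ranges are rejected */
    if (len > UINTPTR_MAX - addr)
        return false;                 /* addr + len would wrap */
    if (tsize > UINTPTR_MAX - tbase)
        return false;                 /* malformed trusted region */
    uintptr_t end  = addr + len;      /* exclusive end, cannot overflow now */
    uintptr_t tend = tbase + tsize;
    /* Accept only if entirely before or entirely after the trusted region. */
    return end <= tbase || addr >= tend;
}

/* Hypothetical message header shared with the untrusted host (constructed). */
typedef struct {
    uint32_t type;
    uint32_t len;   /* body length claimed by the host: must be validated */
} msg_hdr_t;

#define MSG_BODY_MAX 64

/* Copy a host-supplied message into enclave-owned storage with a single
 * fetch of each field (the double-fetch defence of attack vector #8): the
 * header is copied once, every later decision uses that private copy, and
 * the body is copied only after the copied length has been checked against
 * both the caller's buffer and the host buffer. Returns 0 on success, -1 if
 * the host buffer is too short for a header, -2 if the claimed length is
 * not backed by host memory or exceeds body_cap. */
int copy_in_message(const uint8_t *untrusted, size_t untrusted_len,
                    msg_hdr_t *hdr_out, uint8_t *body_out, size_t body_cap)
{
    msg_hdr_t hdr;
    if (untrusted_len < sizeof hdr)
        return -1;
    memcpy(&hdr, untrusted, sizeof hdr);            /* the only header fetch */
    if (hdr.len > body_cap || hdr.len > untrusted_len - sizeof hdr)
        return -2;                                  /* decided on the copy */
    memcpy(body_out, untrusted + sizeof hdr, hdr.len);
    *hdr_out = hdr;
    return 0;
}

/* Write a constructed sample message (header + body) into buf; returns the
 * total bytes written, or 0 if it does not fit. */
size_t build_sample_message(uint8_t *buf, size_t cap, uint32_t type,
                            const uint8_t *body, uint32_t body_len)
{
    msg_hdr_t hdr = { type, body_len };
    if (cap < sizeof hdr || body_len > cap - sizeof hdr)
        return 0;
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, body, body_len);
    return sizeof hdr + body_len;
}

/* Self-check: a well-formed message copies in correctly, and a header whose
 * length the host rewrites afterwards is rejected before any body copy.
 * Returns 1 when both behave as expected, 0 otherwise. */
int self_check(void)
{
    uint8_t host[32], body[MSG_BODY_MAX];
    msg_hdr_t hdr;
    size_t n = build_sample_message(host, sizeof host, 7,
                                    (const uint8_t *)"abc", 3);
    if (n != 11 || copy_in_message(host, n, &hdr, body, sizeof body) != 0)
        return 0;
    if (hdr.len != 3 || memcmp(body, "abc", 3) != 0)
        return 0;
    /* Host rewrites the length field in place (constructed forgery). */
    uint32_t forged = 1000;
    memcpy(host + offsetof(msg_hdr_t, len), &forged, sizeof forged);
    return copy_in_message(host, n, &hdr, body, sizeof body) == -2;
}

int main(void)
{
    printf("range check: %d, single-fetch copy: %d\n",
           range_outside_trusted(0x1000, 0x100, 0x100000, 0x10000),
           self_check());
    return 0;
}
```

The two checks are deliberately separate: range_outside_trusted answers "may the enclave touch this host range at all?", while copy_in_message answers "what does the host actually say, read exactly once?". Validating a length field that still lives in host memory and then re-reading it for the copy is the double-fetch pattern the report's fix for vector #8 closes.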
