jovanbulck / 0xbadc0de
A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes
In line 22 of the keystone/struct-padding/keystone-struct-padding.diff file, there is +#include "../calc_msg.h". But I can't find this header file.
I tried to construct a simple data structure, calc_message_t, on my own from the output of the readme file. But it didn't work out.
Here is the simple data structure I constructed:
    typedef struct calc_message
    {
        unsigned short msg_type;
        unsigned long len;
        unsigned char msg[7];
    } calc_message_t;
Can you provide the calc_msg.h file? Thank you.
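An added illustration of the struct-padding case the issue above refers to (this is not the repository's code, and the real calc_msg.h is not on this page; the layout is the one the poster guessed): compiler-inserted padding bytes keep whatever the memory held before, so a struct built field by field and copied out of the enclave carries stale enclave bytes in its holes, while zeroing the whole object first does not.

```c
#include <stddef.h>
#include <string.h>
/* Layout guessed in the issue above; an assumption, since the real calc_msg.h is not on this page. */
typedef struct calc_message {
    unsigned short msg_type;
    unsigned long  len;
    unsigned char  msg[7];
} calc_message_t;

/* Bytes of sizeof() that belong to no field: compiler-inserted padding. */
size_t calc_message_padding_bytes(void) {
    return sizeof(calc_message_t) - sizeof(unsigned short) - sizeof(unsigned long) - 7;
}

/* Count non-zero bytes in the three possible holes: after msg_type, after len, after msg. */
size_t calc_message_dirty_padding(const calc_message_t *m) {
    const unsigned char *p = (const unsigned char *)m;
    size_t holes[3][2] = {
        { offsetof(calc_message_t, msg_type) + sizeof m->msg_type, offsetof(calc_message_t, len) },
        { offsetof(calc_message_t, len) + sizeof m->len,           offsetof(calc_message_t, msg) },
        { offsetof(calc_message_t, msg) + sizeof m->msg,           sizeof(calc_message_t) },
    };
    size_t dirty = 0;
    for (int h = 0; h < 3; h++)
        for (size_t i = holes[h][0]; i < holes[h][1]; i++)
            dirty += (p[i] != 0);
    return dirty;
}

/* Field-by-field initialisation: padding keeps whatever the memory held before. */
static void fill_fields_only(calc_message_t *m, unsigned short type, const char *text) {
    m->msg_type = type;
    m->len = strlen(text);            /* caller keeps text within sizeof m->msg */
    memcpy(m->msg, text, m->len);
}

/* Defensive initialisation: zero the whole object first so no stale enclave bytes ride along in the padding. */
static void fill_zeroed(calc_message_t *m, unsigned short type, const char *text) {
    memset(m, 0, sizeof *m);
    fill_fields_only(m, type, text);
}
/* Constructed stand-in for stale enclave memory (0xAA); returns padding bytes left non-zero. */
size_t demo_dirty_padding(int zero_first) {
    calc_message_t m;
    memset(&m, 0xAA, sizeof m);
    if (zero_first) fill_zeroed(&m, 1, "2+2");
    else            fill_fields_only(&m, 1, "2+2");
    return calc_message_dirty_padding(&m);
}
```

On x86-64 this layout has 7 padding bytes (6 after msg_type, 1 after msg), all of which survive field-only initialisation.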
Dear authors,
We'd like to thank you for this paper and the responsible disclosure to us back in April 2019.
I would like to post the current status of all vulnerabilities in the ECALL/OCALL interface of Graphene-SGX found by your team. This will hopefully help others in understanding the current state of Graphene-SGX. Also, we'd be happy if you audit our fixes/try your attacks on the newest version.
I would like to stress that Graphene-SGX is still a research project and is not used in production (to the best of our knowledge). We are actively working on making it more stable and secure.
TL;DR: All discovered vulnerabilities were fixed in April-May 2019, at the time of responsible disclosure by the authors. The only exception is "sanitizing the AC flag" (part of attack vector #1) -- this will be promptly fixed by gramineproject/graphene#1150 in November 2019.
Sanitizing the AC flag to prevent the controlled #AC side channel. We created a PR to clear the AC flag: gramineproject/graphene#1150. It will be reviewed and merged into mainline soon. (Kudos for this attack vector, it's a really interesting side channel!) UPDATE 11/19/2019: This fix was merged into mainline Graphene.
Sanitizing the DF flag: as mentioned in the paper, Graphene-SGX clears this flag and doesn't expose this attack vector. See https://github.com/oscarlab/graphene/blob/098e2edf44035eb4d3e1db9a4f2054ade571eb6e/Pal/src/host/Linux-SGX/enclave_entry.S#L21 and other mentions in this file.
First, I'd like to note that the text in https://github.com/jovanbulck/0xbadc0de/blob/master/graphene/entry-stack/README.md is from a very old issue gramineproject/graphene#28. This issue was fixed in 2017 and continuously improved upon afterwards. Could you please put a disclaimer at the top of this file, indicating that this was fixed?
As for the particular vulnerability with jumping to return_from_ocall, this was fixed by gramineproject/graphene#544 (in April 2019). The particular line of code is: https://github.com/oscarlab/graphene/blob/master/Pal/src/host/Linux-SGX/enclave_entry.S#L50 (and other code on SGX_OCALL_PREPARED manipulation).
[ No instances of this vulnerability found in Graphene-SGX. ]
Validating argv and envp arrays was fixed by gramineproject/graphene#590 (in April 2019). The particularly relevant code is here: https://github.com/oscarlab/graphene/blob/098e2edf44035eb4d3e1db9a4f2054ade571eb6e/Pal/src/host/Linux-SGX/db_main.c#L150.
The enclave_ecall_thread_start() function was removed from enclave_ecalls.c (and thus fixed) in 2017, as part of the same issue gramineproject/graphene#28. I think it is an oversight that this part was not removed from your paper (or at least it should have been explicitly mentioned that this was reported way back in 2017 and fixed then).
[ No instances of this vulnerability found in Graphene-SGX. ]
Integer overflow vulnerabilities were fixed by gramineproject/graphene#544 (in April 2019). See e.g. https://github.com/oscarlab/graphene/blob/098e2edf44035eb4d3e1db9a4f2054ade571eb6e/Pal/src/host/Linux-SGX/enclave_framework.c#L26.
Partial overlaps of untrusted buffers with the trusted memory region are closely related to attack vector #6. Fixed by the same PR.
TOCTOU (or "double fetch") vulnerabilities were fixed by gramineproject/graphene#622 (in May 2019).
Iago attacks. The particular Iago attack described in the paper (returned buffer length in POSIX readdir(), implemented via the getdents() syscall) was closed by the same gramineproject/graphene#622 (in May 2019), among others.
[ No instances of this vulnerability found in Graphene-SGX. ]
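An added example, not Graphene's own code, for the "partial overlaps of untrusted buffers", "integer overflow" and TOCTOU items in the status post above: a pointer-range check that validates the whole [ptr, ptr+size) interval without wrap-around, beside the start-pointer-only check that misses both cases, plus a copy-in gate that reads the host-supplied descriptor exactly once. The enclave base and size are constructed values, and untrusted_buf is a hypothetical descriptor type.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed enclave range for the example; not Graphene's real layout. */
#define ENCLAVE_BASE ((uintptr_t)0x10000000u)
#define ENCLAVE_SIZE ((uintptr_t)0x10000000u)      /* 256 MiB */

/* Naive check that looks only at the start pointer: a buffer that begins outside but
   ends inside the enclave passes, and so does a range whose end wraps past UINTPTR_MAX. */
bool naive_outside_check(uintptr_t ptr, size_t size) {
    (void)size;
    return ptr < ENCLAVE_BASE || ptr >= ENCLAVE_BASE + ENCLAVE_SIZE;
}

/* Hardened check: the whole half-open interval [ptr, ptr+size) must be disjoint from
   the enclave, the addition must not wrap, and an empty range is rejected outright. */
bool is_completely_outside_enclave(uintptr_t ptr, size_t size) {
    if (size == 0) return false;
    if (size > UINTPTR_MAX - ptr) return false;          /* ptr + size would overflow */
    uintptr_t end = ptr + size;
    uintptr_t enc_end = ENCLAVE_BASE + ENCLAVE_SIZE;
    return end <= ENCLAVE_BASE || ptr >= enc_end;
}

/* Hypothetical host-controlled descriptor of a buffer returned from an OCALL. */
struct untrusted_buf { uintptr_t ptr; size_t len; };

/* Copy-in gate: returns the validated length, or 0 on rejection. Each field is read
   once into a local and only the local is used afterwards (no double fetch of host memory). */
size_t accept_untrusted_buffer(const volatile struct untrusted_buf *ub, size_t max_len) {
    uintptr_t p = ub->ptr;   /* single fetch */
    size_t    n = ub->len;   /* single fetch */
    if (n > max_len) return 0;
    if (!is_completely_outside_enclave(p, n)) return 0;
    return n;
}

/* Constructed descriptor for the demo; models what the host hands back from an OCALL. */
size_t demo_accept(uintptr_t p, size_t n) {
    struct untrusted_buf ub = { p, n };
    return accept_untrusted_buffer(&ub, 4096);
}
```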