We found several security vulnerabilities in the enclave.
First, the g_environment pointer can be null while being dereferenced.
Since it contains nested pointers, i.e., the std::map, an attacker can gain arbitrary read/write by mapping the null page.
In addition, there are stack-based buffer overflow vulnerabilities in ecdsa_keygen_unseal, tc_provision_ecdsa_key, ecdsa_keygen_unseal, and tc_provision_hybrid_key.
We found several security vulnerabilities in the enclave. First, the
g_environmentpointer can be null while being dereferenced. Since it contains nested pointers, i.e., thestd::map, an attacker can gain arbitrary read/write by mapping the null page.In addition, there are stack-based buffer overflow vulnerabilities in
ecdsa_keygen_unseal,tc_provision_ecdsa_key,ecdsa_keygen_unseal, andtc_provision_hybrid_key.