search

lsds / sgx-lkl

SGX-LKL Library OS for running Linux applications inside of Intel SGX enclaves
MIT License
255 stars 89 forks source link

Registers are not scrubbed on enclave exits #79

Open cpriebe opened 4 years ago

cpriebe commented 4 years ago

Issue reported by Jo Van Bulck, KU Leuven and David Oswald, University of Birmingham.

SGX does not scrub registers when an enclave is exited via the EEXIT instruction which is used in the leave_enclave and exit_enclave functions which can leak sensitive information. See

https://github.com/lsds/sgx-lkl/blob/adc9f8933035c97d537e09e86210be0fce8ec663/src/sgx/sgx_enclave_config.c#L86

and

https://github.com/lsds/sgx-lkl/blob/adc9f8933035c97d537e09e86210be0fce8ec663/src/sgx/sgx_enclave_config.c#L106

Registers should be cleaned as e.g. done in the official SDK here:

https://github.com/intel/linux-sgx/blob/d166ff0c808e2f78d37eebf1ab614d944437eea3/sdk/trts/linux/trts_pic.S#L171

We are currently in the process of migrating to the OpenEnclave SDK which handles all enclave transitions and which will make the above code obsolete.

cpriebe commented 4 years ago

The issue was described in the research paper A tale of two worlds: Assessing the vulnerability of enclave shielding runtimes along with a few other issues. Thanks again to Jo Van Bulck, David Oswald and the other authors for notifying us regarding these issues, in particular those that had not been known yet.

The other issues mentioned in the paper have either been addressed already or are ongoing work. In particular, a number of the issues will no longer be relevant once the OE migration (see above) is done. Here is a list of those issues:

  1. Ecall IDs and CSSA must be verified on enclave entry. This has been fixed in ff8a1a3db986a143ffdc1dd88e35873142befbee. In the future, the entry code will also be replaced by OE.

  2. siginfo struct passed in via forward_signal ecall must be copied into the enclave and verified. This was fixed in 3a2ae6d987445f7311e707da32991e738863fa5c.

  3. argv is passed to application without verification. When SGX-LKL is built in release mode, argv cannot be passed from the host but instead must be provided remotely via a secure channel. No fix needed.

  4. Padding in structures passed to ocalls can expose sensitive data, examples are siginfo and sigaction structs. This is correct. The sigaction host call is only used in simulation mode, but siginfo should be protected. This will be addressed as part of the OE migration after which all signal-related calls will be handled inside the enclave and the signal-related host calls will be removed.

  5. Host return values are not verified, examples are mmap and write. This is correct. An mmap host call isn't strictly needed and can be replaced by pre-allocating memory. We have a proof of concept implementation for this which hopefully will make it into the public repository soon. For now I have added checks for write/read/mmap calls in cdeb8b660690a240fdf8aa9c9d362506d6dc72d5.