Open cpriebe opened 5 years ago
The issue was described in the research paper A tale of two worlds: Assessing the vulnerability of enclave shielding runtimes along with a few other issues. Thanks again to Jo Van Bulck, David Oswald and the other authors for notifying us regarding these issues, in particular those that had not been known yet.
The other issues mentioned in the paper have either been addressed already or are ongoing work. In particular, a number of the issues will no longer be relevant once the OE migration (see above) is done. Here is a list of those issues:
- Ecall IDs and CSSA must be verified on enclave entry. This has been fixed in ff8a1a3db986a143ffdc1dd88e35873142befbee. In the future, the entry code will also be replaced by OE.
- siginfo struct passed in via forward_signal ecall must be copied into the enclave and verified. This was fixed in 3a2ae6d987445f7311e707da32991e738863fa5c.
- argv is passed to application without verification. When SGX-LKL is built in release mode, argv cannot be passed from the host but instead must be provided remotely via a secure channel. No fix needed.
- Padding in structures passed to ocalls can expose sensitive data; examples are the siginfo and sigaction structs. This is correct. The sigaction host call is only used in simulation mode, but siginfo should be protected. This will be addressed as part of the OE migration, after which all signal-related calls will be handled inside the enclave and the signal-related host calls will be removed.
- Host return values are not verified; examples are mmap and write. This is correct. An mmap host call isn't strictly needed and can be replaced by pre-allocating memory. We have a proof-of-concept implementation for this which hopefully will make it into the public repository soon. For now I have added checks for write/read/mmap calls in cdeb8b660690a240fdf8aa9c9d362506d6dc72d5.
Issue reported by Jo Van Bulck, KU Leuven and David Oswald, University of Birmingham.
SGX does not scrub registers when an enclave is exited via the EEXIT instruction, which is used in the leave_enclave and exit_enclave functions, which can leak sensitive information. See https://github.com/lsds/sgx-lkl/blob/adc9f8933035c97d537e09e86210be0fce8ec663/src/sgx/sgx_enclave_config.c#L86
and
https://github.com/lsds/sgx-lkl/blob/adc9f8933035c97d537e09e86210be0fce8ec663/src/sgx/sgx_enclave_config.c#L106
Registers should be cleaned as e.g. done in the official SDK here:
https://github.com/intel/linux-sgx/blob/d166ff0c808e2f78d37eebf1ab614d944437eea3/sdk/trts/linux/trts_pic.S#L171
We are currently in the process of migrating to the OpenEnclave SDK which handles all enclave transitions and which will make the above code obsolete.
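As an added example, not code from sgx-lkl or from the reporters, here is what two of the fixes discussed in this thread amount to in C: treating what the write/mmap host calls return as untrusted and validating it inside the enclave, and copying the siginfo argument of forward_signal into enclave memory before checking it. The enclave range (set_enclave_range, fake_enclave), the host_siginfo_t layout and the host-supplied values are all constructed for the demo; a real runtime would use its actual load address and size and the real siginfo layout.

```c
/* Added example, not sgx-lkl code: everything a host call returns is
   untrusted and is validated inside the enclave before use. The enclave
   bounds, the siginfo stand-in and the host values are constructed here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

#define PAGE_SIZE 4096UL

/* Hypothetical enclave range; set_enclave_range() stands in for the
   runtime's knowledge of its own load address and size. */
static uintptr_t enclave_base, enclave_end;

void set_enclave_range(uintptr_t base, size_t size) {
    enclave_base = base;
    enclave_end  = base + size;
}

/* True if [p, p+len) lies entirely outside the enclave and does not wrap. */
bool outside_enclave(uintptr_t p, size_t len) {
    uintptr_t end;
    if (len == 0 || __builtin_add_overflow(p, len, &end)) return false;
    return end <= enclave_base || p >= enclave_end;
}

/* write(2) can return at most the requested byte count; anything else
   from the host is reported as an error (-1) instead of being propagated,
   so a lying host cannot make the caller skip or over-count data. */
ssize_t checked_host_write(ssize_t host_ret, size_t requested) {
    if (host_ret < 0 || (size_t)host_ret > requested) return -1;
    return host_ret;
}

/* An mmap result must be page-aligned and the whole mapping must lie
   outside enclave memory, otherwise the host could alias enclave pages.
   MAP_FAILED ((uintptr_t)-1) already fails the alignment check. Returns 0
   on rejection. */
uintptr_t checked_host_mmap(uintptr_t host_ret, size_t len) {
    if (host_ret % PAGE_SIZE != 0) return 0;
    if (!outside_enclave(host_ret, len)) return 0;
    return host_ret;
}

/* Hypothetical stand-in for the siginfo passed to forward_signal. The
   struct is copied into enclave memory first and only the copy is
   validated, so the host cannot change fields between check and use. */
typedef struct {
    int32_t  signo;
    int32_t  code;
    uint64_t fault_addr;
} host_siginfo_t;

#define SIGNO_MAX 64

bool copy_siginfo_in(const host_siginfo_t *host_ptr, host_siginfo_t *out) {
    /* The host must hand over a host-side pointer, never enclave memory. */
    if (!outside_enclave((uintptr_t)host_ptr, sizeof *host_ptr)) return false;
    memcpy(out, host_ptr, sizeof *out);      /* out lives inside the enclave */
    if (out->signo < 1 || out->signo > SIGNO_MAX) return false;
    return true;
}

/* Constructed scenario: an 8 KiB buffer stands in for the enclave image and
   a global stands in for the host's siginfo. Returns 0 when every check
   behaves as intended, otherwise the number of the failing step. */
static uint8_t fake_enclave[2 * PAGE_SIZE] __attribute__((aligned(4096)));
static host_siginfo_t host_info = { 11, 1, 0xdeadbeefULL };   /* constructed */

int demo(void) {
    host_siginfo_t in;
    uintptr_t after_enclave;

    set_enclave_range((uintptr_t)fake_enclave, sizeof fake_enclave);

    if (!copy_siginfo_in(&host_info, &in) || in.signo != 11)   return 1;
    /* host points the enclave at its own memory: must be rejected */
    if (copy_siginfo_in((host_siginfo_t *)fake_enclave, &in))   return 2;
    /* mmap "returned" a page inside the enclave: must be rejected */
    if (checked_host_mmap((uintptr_t)fake_enclave, PAGE_SIZE))  return 3;
    /* mmap returned the page right after the enclave: acceptable */
    after_enclave = (uintptr_t)fake_enclave + sizeof fake_enclave;
    if (checked_host_mmap(after_enclave, PAGE_SIZE) != after_enclave) return 4;
    /* write claims more bytes than were requested: must be rejected */
    if (checked_host_write(17, 16) != -1)                       return 5;
    return 0;
}
```

The point of doing the copy before the validation in copy_siginfo_in is the same one the thread makes for siginfo: a check performed on host memory can be undone by the host right after it passes, so the enclave must validate its own private copy.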