COIN Attacks: on Insecurity of Enclave Untrusted Interfaces In
Total Page:16
File Type:pdf, Size:1020Kb
Session 11A: Enclaves and memory security — Who will guard the guards? COIN Attacks: On Insecurity of Enclave Untrusted Interfaces in SGX Mustakimur Rahman Khandaker Yueqiang Cheng [email protected] [email protected] Florida State University Baidu Security Zhi Wang Tao Wei [email protected] [email protected] Florida State University Baidu Security Abstract Keywords. Intel SGX; enclave; vulnerability detection Intel SGX is a hardware-based trusted execution environ- ACM Reference Format: ment (TEE), which enables an application to compute on Mustakimur Rahman Khandaker, Yueqiang Cheng , Zhi Wang, confidential data in a secure enclave. SGX assumes apow- and Tao Wei. 2020. COIN Attacks: On Insecurity of Enclave Un- erful threat model, in which only the CPU itself is trusted; trusted Interfaces in SGX. In Proceedings of the Twenty-Fifth In- anything else is untrusted, including the memory, firmware, ternational Conference on Architectural Support for Programming system software, etc. An enclave interacts with its host ap- Languages and Operating Systems (ASPLOS ’20), March 16–20, 2020, Lausanne, Switzerland. ACM, New York, NY, USA, 15 pages. https: plication through an exposed, enclave-specific, (usually) bi- //doi.org/10.1145/3373376.3378486 directional interface. This interface is the main attack surface of the enclave. The attacker can invoke the interface in any 1 Introduction order and inputs. It is thus imperative to secure it through careful design and defensive programming. Intel Software Guard Extensions (SGX) introduces a set of In this work, we systematically analyze the attack models ISA extensions to enable a trusted execution environment, against the enclave untrusted interfaces and summarized called enclave, for security-sensitive computations in user- them into the COIN attacks – Concurrent, Order, Inputs, and space processes. The enclave, for the most part, is strictly Nested. Together, these four models allow the attacker to in- protected from other parts of the system through memory voke the enclave interface in any order with arbitrary inputs, access control, memory encryption and integrity-check, at- including from multiple threads. We then build an extensi- testation, etc [9, 27]. By design, Intel SGX assumes a powerful ble framework to test an enclave in the presence of COIN attack model where only the CPU is trusted; everything else attacks with instruction emulation and concolic execution. could be compromised or malicious, including the firmware We evaluated ten popular open-source SGX projects using (i.e., BIOS), the VMM (virtual machine monitor), and the OS eight vulnerability detection policies that cover information (operating system) kernel. Because of this, Intel SGX becomes leaks, control-flow hijackings, and memory vulnerabilities. increasingly popular for security-sensitive applications, such We found 52 vulnerabilities. In one case, we discovered an as secure remote computation, authentication, and digital information leak that could reliably dump the entire enclave rights management. For example, enclaveDB is an SGX-based memory by manipulating the inputs. Our evaluation high- database engine that can guarantee confidentiality, integrity, lights the necessity of extensively testing an enclave before and freshness for data and queries [31]; CYCLOSA is a se- its deployment. cure, scalable, and accurate private web search system [30]; CCS Concepts. • Security and privacy → Trust frame- and IRON is a secure functional encryption system [12]. In works; Vulnerability scanners. addition, many popular libraries, such as mbed TLS and Tor, have been ported to run in the SGX enclave [11, 17, 43], and Permission to make digital or hard copies of all or part of this work for most major cloud providers also provide SGX-based remote personal or classroom use is granted without fee provided that copies confidential computing services [16, 29]. are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights Recent research on side-channel attacks has brought the for components of this work owned by others than the author(s) must security of SGX into question [7, 18, 38, 41]. For example, be honored. Abstracting with credit is permitted. To copy otherwise, or SgxPectre, the SGX-variant of Spectre [7], can read the se- republish, to post on servers or to redistribute to lists, requires prior specific cret keys of SGX by exploiting the race condition between permission and/or a fee. Request permissions from [email protected]. injected, speculatively executed memory references and the ASPLOS ’20, March 16–20, 2020, Lausanne, Switzerland latency of branch resolution. There is relatively little atten- © 2020 Copyright held by the owner/author(s). Publication rights licensed to ACM. tion paid to the (in)security of the SGX interface [24, 42]. In ACM ISBN 978-1-4503-7102-5/20/03...$15.00 particular, AsyncShock proposes a method to exploit known https://doi.org/10.1145/3373376.3378486 synchronization bugs in the SGX by manipulating the thread 971 Session 11A: Enclaves and memory ASPLOS’20, March 16–20, 2020, Lausanne, Switzerland security — Who will guard the guards? scheduler [42]; while Lee et al. exploit uninitialized structure (e.g., use-after-frees, heap/stack overflows). Other types of padding to leak enclave data [24]. vulnerabilities can be readily added to the framework with Securing the enclave interface demands more than simple additional policies. We applied the prototype to evaluate ten sanitization of inputs: an enclave is an isolated execution popular open-source SGX projects on the GitHub, including environment in the user-space. It, therefore, relies on the Intel SSL, SQLite3, mbedTLS, etc. We found 52 vulnerabilities untrusted supporting system to interact with the external in them, including double-frees, use-after-frees, heap and environment. Such interaction is bi-directional. Specifically, stack overflows, null-pointer de-references, heap and stack an SGX application (i.e., the application whose address space memory leaks, etc. In one case, we can reliably dump the hosts the enclave) can call an enclave function using an entire memory of the mbedTLS-SGX enclave by manipulat- ECALL, an RPC-like mechanism. Vice versa, the enclave can ing the untrusted inputs. Each attack model contributed to use an OCALL to temporarily exit the enclave and call an the discovery of these vulnerabilities, with input manipula- untrusted function to access OS services. For example, an tion being the most effective (42 vulnerabilities). We have SGX-based SQLite engine can use OCALLs to open an (en- reported all these vulnerabilities to the affected projects and crypted) database file and read its content to serve a query provide bug fixes for some. These results demonstrate the from the host application (ECALL). This design makes the need for automated vulnerability detection tools that are enclave rather challenging to secure because the enclave specifically designed to handle the complexity of the SGX interface can be called in arbitrary order and with any in- programming and trust model. puts, yet the enclave has little control over it besides input This paper makes the following contributions: sanitization. • We introduced the COIN attacks, a systematic analysis In this paper, we first systematically study the attack sur- of the SGX interface attack surface. COIN attacks consist face of the enclave interface, and then propose an extensible of concurrency, order, input, and nested call attacks. framework to automatically analyze enclave libraries for • We proposed the design of an extensible framework tar- common vulnerabilities. Specifically, we categorize the en- geting the COIN attacks and implemented the design clave attack surface into four models: input manipulation, with eight detection policies that cover many common call permutation, concurrent ECALLs, and nested calls. The vulnerabilities. first model consists of attacks that manipulate the inputsto • We evaluated our system with ten open-source SGX projects enclave calls to check whether sufficient sensitization of the and found (and reported) 52 vulnerabilities in them, in- inputs has been applied; The second one consists of attacks cluding a whole SGX memory leak. that make arbitrary calls to the ECALL interface from the untrusted code. Libraries often assume their API functions The rest of the paper is organized as follows. We first de- are called in certain orders. For example, a database engine scribe the SGX programming model in Section 2. We then ex- (reasonably) assumes a database is opened before any queries plain the COIN attacks in Section 3. Next, Section 4 presents are executed. However, SGX itself does not impose any re- the system design and Section 5 evaluates the system. Later, strictions on the invocation of ECALLS. This model thus we discuss the related works in Section 6. Finally, we con- check the enclave code when these assumptions do not hold; clude the paper in Section 7. The third model tests the enclave code for concurrency bugs by invoking the ECALL interface from multiple threads; Fi- 2 Background nally, the last model checks the enclave code when ECALLs In this section, we introduce background information about are nested, i.e., a second ECALL is made while the enclave is the SGX programming model to help understand the COIN executing an OCALL in response to the first ECALL. These attack models. four models are collectively called the COIN attacks, which stands for Concurrency, Order, Inputs, and Nested, each cor- 2.1 SGX Programming Model responding to one attack model. In this paper, we focus on An SGX enclave is an isolated execution unit in the user the first three models and leave the nested model as future address space of its host process. It relies on the host process work. We include the nested mode for completeness. as a proxy to interact with the environment, for example, to Given these attack methods, we designed an extensible access database files. The way this works is similar toRPC framework to systematically study the (in)security of enclave (remote procedure call): the host process calls an enclave libraries.