Discovery and Exploitation of Memory Corruption Vulnerabilities in SGX Enclaves

29th USENIX Security Symposium August 12, 2020

TEEREX: Discovery and Exploitation of Memory Corruption Vulnerabilities in SGX Enclaves

Tobias Cloosters, Michael Rodler, Lucas Davi

Secure Software Systems University of Duisburg-Essen, Germany Find memory corruption vulnerabilities specific to SGX enclaves

SGX Enclave TEEREX ECALL Symbolic Execution

↯ Successfully exploited: • Code from Intel, Baidu/Apache, WolfSSL • Fingerprint Drivers • Synaptics (Lenovo/HP): CVE-2019-18619 • Goodix (Dell): CVE-2020-11667 2 Motivation: Why SGX?

• How to reliably protect sensitive data and code from disclosure and modification? ****

Passwords Intellectual Property Medical records System Model of SGX

Critical point Trust Boundary

Untrusted data Enclave

Secure storage Host for secrets application Results Processing untrusted data and secrets

4 SGX – Application Layout

Application CFG Memory start

SGX Secure Memory

5 SGX – Trusted Runtime

SGX Enclave trts Memory EENTER

--- init --- INT ORET ECALL Secure Memory

EEXIT

6 SGX – ECALL

*args

secure copy of *args SDK custom ECALL logic

custom SDK copy output

7 Large attack surface

Reserved (NULL) • Trust input data: exploitable • Trust system calls: exploitable Host Application • Use NULL-pointer: exploitable Enclave • One corruptible byte: exploitable • Trust pointers to enclave memory: exploitable

System Memory System OS

8 Symbolic Execution Vulnerability Detection a b c

*c= *0

a • Controlled Jump =*b • Controlled Memory Access • NULL-pointer Dereference

9 TeeRex Architecture

Preprocessor TEEREX Symbolic Execution (Static Analysis) Vulnerability Detection Vulnerability Report

Identify Controlled Jumps Vulnerability Class ECALLs Controlled Write Emulation Vuln. Instruction of Special Symbolic Hooks Instructions NULL dereference for common Controlled Pointer Functions Symbolic Execution Trace Enclave Pointer Loader Tracking Symbolic Enclave Explorer Binary (ANGR)

Exploit

10 Exploits in Public Enclaves found with TEEREX

Source Project Exploit Fixed Target Code Intel SGX GMP Example ✓ ✓ ✓ Linux amd64 Baidu Rust SGX SDK “tlsclient” ✓ ✓ ✓ Linux amd64 TaLoS ✓ Not planned ✓ Linux amd64 WolfSSL Example Enclave ✓ ✓ ✓ Linux amd64 Synaptics Fingerprint Driver ✓ ✓ × Windows amd64CVE-2019-18619 Goodix Fingerprint Driver ✓ ✓ × Windows amd64CVE-2020-11667 SignalApp Contact Discovery × - ✓ Linux amd64

Exploit Source Code: https://github.com/uni-due-syssec/teerex-exploits

11 Baidu/Apache Rust SDK: tlsclient Pointers to overlapping memory

APP

Enclave Code

if sgx_is_outside_enclave(ssl) return new SSLSession return ERROR; // use ssl session

SSL object is not strictly outside ORET Primitive vtable pointer in object (outside enclave) Arbitrary code execution

SSL vptr SSL SSL Memory Enclave Memory Enclave

12 int global_mem = 0; Limited Exploit Primitives int* global_addr; void arbitrary_write(int* a, int b) void no_user_input() { { *a = b; global_mem = 42; } }

Controlled Address Controlled Value void limited_value(int* a) void fixed_address(int b) { { OR: *a = 42; global_mem = b; *a = global_mem; } } void limited_address(int b) void limited_size(int* a, char b) { { *global_addr = b; *(char*)a = b; } } 13 Exploiting using Multiple Limited Primitives: • ecall_process trusts data Obj* data; • In secure memory void ecall_initCorrupted() { to point outside • Never leaves enclave data = new Obj(); enclave memory • NULL checked }

• Attacker can corrupt data void ecall_process(int arg) { • ecall_vuln writes a small constant to if (data) an unchecked address data->foo(arg); • Changing one byte moves data to } Enclave loads code pointer unsecure memory void ecall_vuln(Barfrom* p) host{ -memory • Combined the attacker can if (...) execute arbitrary code p->return_value = ERROR; } Store byte ERROR = -5 at 14 return_value Conclusions

•Enclave boundary is a highly critical attack surface •Current development practices do not consider such vulnerabilities • Increase awareness • Automatic analysis tools needed •TeeRex can automatically detect vulnerabilities!

15 29th USENIX Security Symposium August 12, 2020

Secure Software Systems https://www.syssec.wiwi.uni-due.de/

Tobias Cloosters, Michael Rodler, Lucas Davi [email protected], [email protected], [email protected]

TEEREX: Discovery and Exploitation of Memory Corruption Vulnerabilities in SGX Enclaves Exploit Source Code: https://github.com/uni-due-syssec/teerex-exploits