SmashEx: Smashing SGX Enclaves Using Exceptions

Cui, Jinhua; Zhijingcheng, Yu, Jason; Shinde, Shweta; Saxena, Prateek; Cai, Zhiping

doi:10.1145/3460120.3484821

Cited by 21 publications

(6 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [23], the authors injected the ROP payload using the re-entry vulnerability of AEX. When an exception occurs in the enclave, the SGX enabled processor exits the enclave by using Asynchronous Enclave Exit (AEX).…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

SGXDump: A Repeatable Code-Reuse Attack for Extracting SGX Enclave Memory

Yoon

Lee

2022

Applied Sciences

View full text Add to dashboard Cite

Intel SGX (Software Guard Extensions) is a hardware-based security solution that provides a trusted computing environment. SGX creates an isolated memory area called enclave and prevents any illegal access from outside of the enclave. SGX only allows executables already linked statically to the enclave when compiling executables to access its memory, so code injection attacks to SGX are not effective. However, as a previous study has demonstrated, Return-Oriented Programming (ROP) attacks can overcome this defense mechanism by injecting a series of addresses of executable codes inside the enclave. In this study, we propose a novel ROP attack, called SGXDump, which can repeat the attack payload. SGXDump consists only of gadgets in the enclave and unlike previous ROP attacks, the SGXDump attack can repeat the attack payload, communicate with other channels, and implement conditional statements. We successfully attacked two well-known SGX projects, mbedTLS-SGX and Graphene-SGX. Based on our attack experiences, it seems highly probable that an SGXDump attack can leak the entire enclave memory if there is an exploitable memory corruption vulnerability in the target SGX application.

show abstract

Section: Discussionmentioning

confidence: 99%

“…Refs. [14,[20][21][22][23] took the control flow of the process within enclaves by using the ROP. However, the methods proposed in previous studies require detailed analysis of the enclave software because it is essential to know how the software processes the protected data.…”

Section: Introductionmentioning

confidence: 99%

SGXDump: A Repeatable Code-Reuse Attack for Extracting SGX Enclave Memory

Yoon

Lee

2022

Applied Sciences

View full text Add to dashboard Cite

show abstract

“…SGX has been widely used in many applications [10,15,66,[73][74][75]. Recent works have intensively studied side-channel vulnerabilities in SGX [2,8,12,14,16,34,43,49,53,58,72,77,79], while memory attacks have also received increasing attention [11,46,65,71]. ASLRbased memory protection methods also appeared for SGX [54,64,80].…”

Section: Related Workmentioning

confidence: 99%

SymGX: Detecting Cross-boundary Pointer Vulnerabilities of SGX Applications via Static Symbolic Execution

Wang,

Zhang,

et al. 2023

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Intel Security Guard Extensions (SGX) have shown effectiveness in critical data protection. Recent symbolic execution-based techniques reveal that SGX applications are susceptible to memory corruption vulnerabilities. While existing approaches focus on conventional memory corruption in ECalls of SGX applications, they overlook an important type of SGX dedicated vulnerability: cross-boundary pointer vulnerabilities. This vulnerability is critical for SGX applications since they heavily utilize pointers to exchange data between secure enclaves and untrusted environments. Unfortunately, none of the existing symbolic execution approaches can effectively detect cross-boundary pointer vulnerabilities due to the lack of an SGX-specific analysis model that properly handles three unique features of SGX applications: Multi-entry Arbitrary-order Execution, Stateful Execution, and Context-aware Pointers. To address such problems, we propose a new analysis model named Global State Transition Graph with Context Aware

show abstract

“…The safety of trust-bft protocols is based on the assumption that trusted components cannot be compromised. However, recent works have illustrated several attacks on trusted components, such as SmashEx [15], time synchronization bugs [56], and so on [5,8].…”

Section: Excessive Trust For Safetymentioning

confidence: 99%

Dissecting BFT Consensus: In Trusted Components we Trust!

Gupta¹,

Rahnama²,

Pandey³

et al. 2022

Preprint

View full text Add to dashboard Cite

The growing interest in secure multi-party database applications has led to the widespread adoption of Byzantine Fault-Tolerant (bft) consensus protocols that can handle malicious attacks from byzantine replicas. Existing bft protocols permit byzantine replicas to equivocate their messages. As a result, they need f more replicas than Paxos-style protocols to prevent safety violations due to equivocation. This led to the design of trust-bft protocols, which require each replica to host an independent, trusted component.In this work, we analyze the design of existing trust-bft and make the following observations regarding these protocols: (i) they adopt weaker quorums, which prevents them from providing service in scenarios supported by their bft counterparts, (ii) they rely on the data persistence of trusted components at byzantine replicas, and (iii) they enforce sequential ordering of client requests.To resolve these challenges, we present solutions that facilitate the recovery of trust-bft protocols despite their weak quorums or data persistence dependence. Further, we present the design of lightweight, fast, and flexible protocols (FlexiTrust), which achieve up to 100% more throughput than their trust-bft counterparts.

show abstract

SmashEx: Smashing SGX Enclaves Using Exceptions

Cited by 21 publications

References 33 publications

SGXDump: A Repeatable Code-Reuse Attack for Extracting SGX Enclave Memory

SGXDump: A Repeatable Code-Reuse Attack for Extracting SGX Enclave Memory

SymGX: Detecting Cross-boundary Pointer Vulnerabilities of SGX Applications via Static Symbolic Execution

Dissecting BFT Consensus: In Trusted Components we Trust!

Contact Info

Product

Resources

About