Intel SGX provides hardware support to protect sensitive data. Cloud vendors,
such as Microsoft Azure and Google Cloud, have developed SGX software frameworks,
such as Asylo and OpenEnclave, and offered Intel SGX-enabled virtual machines
for confidential computing.
We conduct an in-depth analysis of the Microsoft OpenEnclave SDK (powered by
Azure CC) and the Google Asylo SDK (powered by GCP), discovering 20+
vulnerabilities (14 CVEs assigned) in them. We show that these vulnerabilities
allow an attacker outside the enclave to read and write arbitrary
enclave-protected memory, and that they affect every SGX enclave built with the
vendor-provided SDK. Our attack is more realistic to exploit than side-channel
attacks and can reliably retrieve and manipulate protected enclave data.
In this talk, we walk through the SGX enclave security model and analyze its
attack surfaces. In this model, developers partition the trusted components of
an application into the SGX enclave, which forms the TCB. After partitioning,
any data flowing from outside the enclave into these trusted components is
untrusted and requires additional checks and sanitization. To reduce the attack
surface, developers declare the enclave boundary interface with annotated
parameters in an EDL file and generate boilerplate code that marshals those
parameters. However, the EDL approach alone is insufficient: it provides no
checks for nested pointers, context-aware data, shared memory, and similar
cases.
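As an added illustration (not code from the talk or from either SDK), the nested-pointer gap in C: the generated EDL bridge copies an `[in]` struct into the enclave but not the buffer its inner pointer references, so the handler must range-check that pointer itself. The enclave memory range, the `is_outside_enclave` stand-in and the `request_t` layout are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the enclave's own memory range; a real SDK knows
 * its image bounds and exposes an "is this range outside the enclave" check. */
static uint8_t g_enclave_mem[256];

/* Stand-in for that check: true only if [p, p+len) lies entirely outside the
 * enclave. Empty and wrapping ranges are rejected. */
static bool is_outside_enclave(const void *p, size_t len) {
    uintptr_t q = (uintptr_t)p, lo = (uintptr_t)g_enclave_mem;
    uintptr_t hi = lo + sizeof g_enclave_mem;
    if (len == 0 || q + len < q) return false;
    return (q + len <= lo) || (q >= hi);
}

/* Struct passed to an ECALL as an annotated [in] pointer: the generated bridge
 * copies the struct itself into the enclave, but the nested `data` pointer is
 * copied verbatim and still points wherever the untrusted caller set it. */
typedef struct { const uint8_t *data; size_t len; } request_t;

/* Pattern the EDL bridge does not cover: the nested pointer is dereferenced
 * as-is, so the caller can make the enclave copy out its own memory. */
int ecall_copy_unchecked(const request_t *req, uint8_t *out, size_t out_len) {
    if (req->len > out_len) return -1;
    memcpy(out, req->data, req->len);
    return 0;
}

/* Hardened pattern: validate the nested range before touching it. */
int ecall_copy_checked(const request_t *req, uint8_t *out, size_t out_len) {
    if (req->len > out_len) return -1;
    if (!is_outside_enclave(req->data, req->len)) return -2;
    memcpy(out, req->data, req->len);
    return 0;
}

/* Constructed scenario: a secret sits in enclave memory and the caller aims the
 * nested pointer at it. Returns 1 if the unchecked handler leaks it, the checked
 * handler refuses it, and the checked handler still accepts an external buffer. */
int demo_nested_pointer_check(void) {
    static uint8_t untrusted_buf[16] = "outside-enclave";
    uint8_t out[16];
    memcpy(g_enclave_mem, "ENCLAVE-SECRET!", 16);
    request_t bad = { g_enclave_mem, 16 }, good = { untrusted_buf, 16 };
    int leaked = ecall_copy_unchecked(&bad, out, 16) == 0 && !memcmp(out, g_enclave_mem, 16);
    int blocked = ecall_copy_checked(&bad, out, 16) == -2;
    int allowed = ecall_copy_checked(&good, out, 16) == 0 && !memcmp(out, untrusted_buf, 16);
    return leaked && blocked && allowed;
}
```

In a real enclave the check is followed by copying the validated bytes into enclave-owned memory before use, so that the untrusted side cannot change them after the check.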
We also cover typical mistakes enclave developers make and share real-world
vulnerability cases we discovered with our bug-finding tool, SGXRay. We discuss
attack scenarios and the consequences once an attacker outside the enclave
successfully exploits them. The talk also includes demonstrations of our
enclave exploitation, with arbitrary read and write access to enclave memory,
using the bugs we found.