https://github.com/cimcs/poc-exploits-of-smashex

SmashEx Webpage

![SmashEx Logo](smashex.png)

***SmashEx*** PoC Exploits for Intel SGX Frameworks based on Intel SGX SDK
==============================================================
**NEWS**: Our paper "SmashEx: Smashing SGX Enclaves Using Exceptions" has been accepted at ACM CCS '21. The paper introduces a powerful attack that exploits the OS-enclave interface for asynchronous exceptions in Intel SGX (Software Guard eXtensions). The full paper is available on [arXiv](https://arxiv.org/abs/2110.06657) and in the [ACM Digital Library](https://doi.org/10.1145/3460120.3484821).

**NOTE**: More information, and PoCs for SGX frameworks based on the Open Enclave SDK, can be found [here](https://jasonyu1996.github.io/SmashEx/index.html).

## What is SmashEx?
***SmashEx*** is a new, powerful attack that exploits the OS-enclave interface for asynchronous exceptions in SGX. It demonstrates the importance of a fundamental property, safe atomic execution, that this interface requires. In the absence of atomicity, we show that asynchronous exception handling in SGX enclaves is complicated and prone to re-entrancy vulnerabilities. Our attacks do not assume any memory errors in the enclave code, side channels, or application-specific logic flaws. We concretely demonstrate exploits that cause arbitrary disclosure of enclave private memory and code-reuse (ROP) attacks inside the enclave. We show reliable exploits on two widely used SGX runtimes, the Intel SGX SDK and Microsoft Open Enclave, running the OpenSSL and cURL libraries respectively. We tested a total of 14 frameworks, including the Intel SGX SDK and Microsoft Open Enclave; 10 of them are vulnerable, among them Google Asylo, Apache Teaclave, Rust SGX SDK, and Edgeless RT. We discuss how the vulnerability manifests on both SGX1-based and SGX2-based platforms, and we present potential mitigations and long-term defenses for SmashEx. We responsibly disclosed our findings to the affected frameworks and were assigned two CVEs ([CVE-2021-0186](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0186) and [CVE-2021-33767](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33767)), leading to advisories and patches for the [Intel SGX SDK](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00548.html) and [Microsoft Open Enclave](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33767).
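As an added illustration of the atomicity property described above, the following constructed C model is not the SmashEx PoC and not code from the Intel SGX SDK or Open Enclave. It models only the two ingredients the paragraph names: a single save area that hardware overwrites on every asynchronous exit, and a software handler that the OS can re-enter before that handler has consumed the save area. All addresses, structure names, the `os_action` hook and the abort policy of the hardened variant are placeholders chosen for this model, not the real SDKs' design or patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the OS/enclave asynchronous-exception interface.
   It is not SGX SDK code and not the SmashEx PoC; it only shows why the
   in-enclave handler must execute atomically with respect to re-entry. */

/* One State Save Area frame; hardware overwrites it on every AEX. */
typedef struct { uint64_t rip; uint64_t rsp; } ssa_frame_t;

typedef struct {
    ssa_frame_t ssa;
    int atomic;          /* 1: nested handler entry is fatal (hardened variant) */
    int handler_active;  /* current nesting depth of the in-enclave handler */
    int max_nesting;     /* deepest nesting observed during the run */
    int aborted;         /* hardened variant tore the enclave down */
    uint64_t resume_rip; /* context the handler finally resumed to (0 = never) */
    uint64_t resume_rsp;
} enclave_t;

/* Placeholder addresses chosen for the model. */
#define APP_RIP     0x1000ULL      /* interrupted enclave application code */
#define APP_RSP     0x7fff0000ULL
#define HANDLER_RIP 0x2000ULL      /* the in-enclave exception handler itself */
#define HANDLER_RSP 0x7ffe0000ULL

/* Hardware side of an asynchronous exit: save the interrupted context. */
static void aex(enclave_t *e, uint64_t rip, uint64_t rsp) {
    e->ssa.rip = rip;
    e->ssa.rsp = rsp;
}

typedef void (*os_action_t)(enclave_t *e);

/* Exception-handling entry that the untrusted OS re-enters after an AEX.
   `os_action` models the OS deciding to deliver another exception while the
   handler is running and has not yet consumed the saved context. */
static void handle_exception(enclave_t *e, os_action_t os_action) {
    if (e->handler_active && e->atomic) {
        e->aborted = 1;            /* hardened: never continue on a clobbered SSA */
        return;
    }
    /* vulnerable variant: a nested entry simply proceeds */
    e->handler_active++;
    if (e->handler_active > e->max_nesting) e->max_nesting = e->handler_active;

    /* Window between entry and reading the SSA. Software cannot make this
       window disappear; the OS controls when the next exception arrives. */
    if (os_action) os_action(e);
    if (e->aborted) { e->handler_active--; return; }

    /* Consume the saved context and resume the enclave there. */
    e->resume_rip = e->ssa.rip;
    e->resume_rsp = e->ssa.rsp;
    e->handler_active--;
}

/* OS action: interrupt the handler itself. Hardware then writes the handler's
   own context over the application's, and the OS re-enters the handler. */
static void os_nested_exception(enclave_t *e) {
    aex(e, HANDLER_RIP, HANDLER_RSP);
    handle_exception(e, NULL);
}

/* Run one scenario; returns the RIP the enclave resumed to, 0 if it aborted. */
uint64_t run_scenario(int atomic, enclave_t *out) {
    enclave_t e = {0};
    e.atomic = atomic;
    aex(&e, APP_RIP, APP_RSP);                  /* exception in enclave code */
    handle_exception(&e, os_nested_exception);  /* OS re-enters, then nests */
    if (out) *out = e;
    return e.resume_rip;
}

int main(void) {
    enclave_t v, h;
    uint64_t r_vuln = run_scenario(0, &v);
    uint64_t r_hard = run_scenario(1, &h);
    printf("non-atomic: resumed to %#llx, expected %#llx, nesting depth %d\n",
           (unsigned long long)r_vuln, (unsigned long long)APP_RIP, v.max_nesting);
    printf("atomic:     resumed to %#llx, aborted=%d, nesting depth %d\n",
           (unsigned long long)r_hard, h.aborted, h.max_nesting);
    return 0;
}
```

In the non-atomic run the outer handler resumes to the handler's own context (`HANDLER_RIP`) because the nested exit overwrote the only save area, so the application's interrupted state is lost; that loss of state under OS-chosen timing is the re-entrancy hazard, and the model deliberately stops short of the memory-disclosure and ROP steps the paper builds on top of it. The hardened variant fails closed by aborting on nested entry rather than trusting a save area it no longer owns.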

## How to Acquire the Source Code of the PoC Exploits?
This repository is only an entry point for the PoC exploits; it does not contain their source code. If you need the source code for educational or research purposes, you can request it [here](https://forms.gle/655tGHPJrYxWawm56). Please contact us at [email protected] if you have further questions.

**NOTE**: After acquiring the PoC(s), see the ***README*** file in the root directory, which gives a step-by-step guide to reproducing the ***SmashEx*** attacks.

## BibTeX
```bibtex
@inproceedings{smashex-ccs21,
title={SmashEx: Smashing SGX Enclaves Using Exceptions},
author={Cui, Jinhua and Yu, Jason Zhijingcheng and Shinde, Shweta and Saxena, Prateek and Cai, Zhiping},
booktitle={Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security},
pages={779--793},
year={2021}
}
```

## Getting help
For any questions or bug reports, please send an email to [email protected] or open an issue on the GitHub repository.