https://github.com/uni-due-syssec/teerex-exploits

PoC exploits against various SGX enclaves

# TeeRex SGX Exploits

This repository contains several exploits that we developed in the course of our research on memory corruption bugs in SGX enclaves.
The full results of our research are published at [USENIX Security 2020](https://www.usenix.org/conference/usenixsecurity20/presentation/cloosters).

| Project | Vulnerable Version | Exploit | Comment |
|--|--|--|--|
| [Intel GMP Demo](https://github.com/intel/sgx-gmp-demo) | [9533574](https://github.com/intel/sgx-gmp-demo/tree/9533574f95b97ea08adb6724d8be797c53119dac) | [Intel SGX GMP Demo Exploit](./Intel-SGX-GMP-Demo-exploit) | ✔️ [Fixed](https://github.com/intel/sgx-gmp-demo/commit/0491317b4112b06e16b3f3b1c07b06e400b32391) |
| [Rust SGX SDK TLSClient](https://github.com/apache/incubator-teaclave-sgx-sdk) | [v1.0.9](https://github.com/apache/incubator-teaclave-sgx-sdk/tree/v1.0.9) | [Rust TLSClient Overlap Exploit](./Rust-TLSClient-overlap-exploit) | ✔️ [Fixed](https://github.com/apache/incubator-teaclave-sgx-sdk/commit/f975a19982740d5d2e878b595c1be5d1a1a31ecb) |
| [WolfSSL](https://github.com/wolfSSL/wolfssl-examples) | [d330c53](https://github.com/wolfSSL/wolfssl-examples/tree/d330c53baff52fdf4338619cd4f82ae25c1bc294) | [WolfSSL Exploit](./WolfSSL-exploit) | ✔️ [Fixed](https://github.com/wolfSSL/wolfssl-examples/commit/1862c108d7e3be47a3d6fe18f406df444ae36e6e#diff-f23aff9e4544c233135f934bc7478f11) |
| [TaLoS](https://github.com/lsds/TaLoS) | all | [TaLoS Exploit](./TaLoS-exploit)<br>[TaLoS Arbitrary Read](./TaLoS-exploit-race-arbitrary-read)<br>[TaLoS Arbitrary Write](./TaLoS-exploit-race-arbitrary-write) | ❌ Not fixed, project not maintained: [Issue](https://github.com/lsds/TaLoS/issues/18) |
| Synaptics SynaTEE Driver | 5.2.3535.26 | Exploit not public | ✔️ Fixed ([CVE-2019-18619](https://www.cve.org/CVERecord?id=CVE-2019-18619)) |
| Goodix Fingerprint Driver | 2.1.32.200 | Exploit not public | ✔️ Fixed ([DSA-2020-138](https://www.dell.com/support/kbdoc/de-de/000131724/dsa-2020-138-dell-client-platform-security-update-for-goodix-fingerprint-sensor-driver-vulnerability)) |

## Running the Exploits
### Prerequisites
Install the [Intel SGX driver](https://github.com/intel/linux-sgx-driver/) and the [Intel SGX SDK](https://github.com/intel/linux-sgx/).

### Build and Run
Note: The PoC exploits contain hard-coded addresses that depend on the pre-compiled enclaves included in the repository. Rebuilding an enclave changes its memory layout, so run the exploits against the enclave binaries as shipped.

The exploit code follows the build conventions of the SGX SDK sample code:

* Use `make` in the respective directories to compile the exploit
* Run the exploit using: `./app`

All exploits overwrite the instruction pointer inside the enclave; some also include follow-up code that takes control of the stack pointer. The output therefore differs between exploits: some return a simple value to indicate the result, others simply crash once the hijacked control flow jumps to a bogus address. *None of the PoC exploits will harm you or your setup in any way!*

## Exploit Concepts
### [Intel SGX GMP Demo Exploit](./Intel-SGX-GMP-Demo-exploit)
The [Intel GMP Demo](https://github.com/intel/sgx-gmp-demo) shows how to use the GMP library inside an SGX enclave.
Insufficient input validation made it possible to read and write arbitrary memory, including the enclave's protected memory region.

### [Rust TLSClient Overlap Exploit](./Rust-TLSClient-overlap-exploit)
The [Rust SGX SDK](https://github.com/apache/incubator-teaclave-sgx-sdk) provides a compatibility layer that enables enclave development in the memory-safe Rust language. The sample [TLS Client/Server application](https://github.com/apache/incubator-teaclave-sgx-sdk/tree/master/samplecode/tls/tlsclient) contained a design flaw that can be used to hijack the control flow.

### [WolfSSL Exploit](./WolfSSL-exploit)
[WolfSSL](https://github.com/wolfSSL/wolfssl-examples) is a portable SSL/TLS library that can be used inside an SGX enclave. The SGX integration layer in the examples contained a conceptual error that allowed an attacker to hijack the control flow.

### TaLoS Exploits
⚠️ `Warning: The project is unmaintained and is still vulnerable!`

The [TaLoS project](https://github.com/lsds/TaLoS) provides TLS termination for nginx or apache inside an SGX enclave. We demonstrate:

* **[Control Flow Hijacking](./TaLoS-exploit)** using an insufficiently validated pointer,
* **[Arbitrary Read](./TaLoS-exploit-race-arbitrary-read)** using a NULL-pointer dereference,
* **[Arbitrary Write](./TaLoS-exploit-race-arbitrary-write)** using a race condition.
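
The recurring root cause behind the GMP demo and TaLoS entries above is an ECALL that trusts a pointer (or a length) handed in by the untrusted host. The following C program is an added example, not code from this repository or from the Intel SGX SDK: it models that boundary with a simulated enclave range (a static buffer) so it builds with any C compiler, and shows a vulnerable ECALL beside a hardened one. The names `struct request`, `is_outside_enclave`, `ecall_vulnerable` and `ecall_hardened` are assumptions for illustration; in a real enclave the range check is `sgx_is_outside_enclave()` from `sgx_trts.h`, and a pointer marked `[user_check]` in the EDL arrives exactly as unvalidated as `req` does here.

```c
/* Added example (not from teerex-exploits or the SGX SDK): models the
 * ECALL boundary check that the exploits above bypass. The "enclave" is a
 * plain static buffer so the file compiles without the SGX SDK. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static uint8_t g_enclave_mem[4096];          /* stands in for the enclave's EPC-backed range */
#define ENCLAVE_BASE ((uintptr_t)g_enclave_mem)
#define ENCLAVE_SIZE sizeof(g_enclave_mem)

/* Modelled after sgx_is_outside_enclave(): [addr, addr+len) must not
 * overlap the enclave and must not wrap around the address space. */
int is_outside_enclave(const void *addr, size_t len)
{
    uintptr_t start = (uintptr_t)addr;
    if (len > UINTPTR_MAX - start) return 0;   /* wrap-around: treat as unsafe */
    uintptr_t end = start + len;
    return end <= ENCLAVE_BASE || start >= ENCLAVE_BASE + ENCLAVE_SIZE;
}

/* Request struct the host passes by pointer, as a [user_check] argument would be:
 * the generated bridge neither copies nor validates it. (Hypothetical layout.) */
struct request {
    uint8_t *out;       /* where the enclave should write its result */
    size_t   out_len;
};

static const uint8_t RESULT[8] = {1, 2, 3, 4, 5, 6, 7, 8};

/* Vulnerable: writes wherever req->out points. If the host aims it at enclave
 * memory (a saved return address, key material), the enclave overwrites itself. */
void ecall_vulnerable(struct request *req)
{
    size_t n = req->out_len < sizeof RESULT ? req->out_len : sizeof RESULT;
    memcpy(req->out, RESULT, n);
}

/* Hardened: both the struct and the buffer it names must lie entirely outside
 * the enclave, and the fields are fetched once into an enclave-private copy so
 * the host cannot change them between check and use (the TOCTOU pattern behind
 * the TaLoS arbitrary-write race). Returns 0 on success, negative on rejection. */
int ecall_hardened(struct request *req)
{
    struct request local;
    if (!is_outside_enclave(req, sizeof *req)) return -1;
    memcpy(&local, req, sizeof local);                         /* single fetch */
    if (!is_outside_enclave(local.out, local.out_len)) return -2;
    size_t n = local.out_len < sizeof RESULT ? local.out_len : sizeof RESULT;
    memcpy(local.out, RESULT, n);
    return 0;
}

/* Host aims `out` at the enclave's own memory (pretend key material lives there). */
int demo_vulnerable_overwrites_enclave(void)
{
    uint8_t *secret = g_enclave_mem + 1024;
    memset(secret, 0xAA, 8);
    struct request req = { .out = secret, .out_len = 8 };
    ecall_vulnerable(&req);
    return memcmp(secret, RESULT, 8) == 0;    /* 1: attacker-chosen data landed inside the enclave */
}

int demo_hardened_rejects_enclave_pointer(void)
{
    uint8_t *secret = g_enclave_mem + 1024;
    memset(secret, 0xAA, 8);
    struct request req = { .out = secret, .out_len = 8 };
    int rc = ecall_hardened(&req);
    return rc == -2 && secret[0] == 0xAA;     /* rejected, enclave memory untouched */
}

int demo_hardened_accepts_host_buffer(void)
{
    uint8_t host_buf[8] = {0};
    struct request req = { .out = host_buf, .out_len = sizeof host_buf };
    return ecall_hardened(&req) == 0 && memcmp(host_buf, RESULT, 8) == 0;
}

/* A huge length that makes addr+len wrap must not pass as "outside". */
int demo_hardened_rejects_wraparound(void)
{
    struct request req = { .out = (uint8_t *)(uintptr_t)1, .out_len = SIZE_MAX };
    return ecall_hardened(&req) == -2;
}

int main(void)
{
    printf("vulnerable ecall overwrote enclave memory: %d\n", demo_vulnerable_overwrites_enclave());
    printf("hardened ecall rejected enclave pointer:   %d\n", demo_hardened_rejects_enclave_pointer());
    printf("hardened ecall served host buffer:         %d\n", demo_hardened_accepts_host_buffer());
    printf("hardened ecall rejected wraparound:        %d\n", demo_hardened_rejects_wraparound());
    return 0;
}
```

The two checks in `ecall_hardened` map onto the TaLoS entries: the range check on `local.out` is what the insufficiently validated pointer lacked, and copying the struct before validating it is what removes the check-then-use window a racing host thread exploits. A NULL pointer passes an "outside the enclave" test by construction, which is why a NULL-pointer dereference inside an enclave is a separate bug class and needs its own check.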

# Citing in Academic Work

These PoC exploits are part of the research that we present in our [USENIX Security 2020 paper](https://www.usenix.org/conference/usenixsecurity20/presentation/cloosters).
If you want to refer to these exploits or our paper in academic work, please use the following BibTeX entry for citation:

```bibtex
@InProceedings{cloosters2020teerex,
title = "{TeeRex:} Discovery and Exploitation of Memory Corruption Vulnerabilities in {SGX} Enclaves",
author = "Tobias Cloosters and Michael Rodler and Lucas Davi",
booktitle = "29th {USENIX} Security Symposium ({USENIX} Security '20)",
year = "2020",
}
```