TeeRex SGX Exploits

This repository contains several exploits that we developed in the course of our research on memory corruption bugs in SGX enclaves. The full results of our research are published at USENIX Security 2020.

| Project | Vulnerable Version | Exploit | Comment |
|---|---|---|---|
| Intel GMP Demo | 9533574 | Intel SGX GMP Demo Exploit | ✔️ Fixed |
| Rust SGX SDK TLSClient | v1.0.9 | Rust TLSClient Overlap Exploit | ✔️ Fixed |
| WolfSSL | d330c53 | WolfSSL Exploit | ✔️ Fixed |
| TaLoS | all | TaLoS Exploit; TaLoS Arbitrary Read; TaLoS Arbitrary Write | Not fixed, project not maintained: Issue |
| Synaptics SynaTEE Driver | 5.2.3535.26 | Exploit not public | ✔️ Fixed (CVE-2019-18619) |
| Goodix Fingerprint Driver | | Exploit not public | ✔️ Fixed (DSA-2020-138) |

Running the Exploits

Install the Intel SGX driver and the Intel SGX SDK.

Build and Run

Note: The PoC exploits contain hard-coded addresses that depend on the compiled enclaves included in the repository.

The exploit code follows the make conventions of the SGX SDK:

  • Use make in the respective directories to compile the exploit
  • Run the exploit using: ./app

All exploits overwrite the instruction pointer in the enclave; some also include follow-up code to take control of the stack pointer. The exploits therefore produce different outputs when executed: some return a simple value to indicate the result, others simply crash after the exploit has hijacked the control flow and jumped to a bogus address. None of the PoC exploits will harm you or your setup in any way!

Exploit Concepts

Intel SGX GMP Demo Exploit

The Intel GMP Demo shows how to use the GMP library inside an SGX enclave. Insufficient input validation made it possible to read and write arbitrary memory including the secure region.

Rust TLSClient Overlap Exploit

The Rust SGX SDK provides a compatibility layer that enables enclave development in the memory-safe Rust language. The demo implementation of a TLS client/server application contained a design flaw that can be used to hijack the control flow.
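Both the GMP Demo and the Rust TLSClient issues above come down to an enclave trusting a pointer and length handed in from untrusted memory. The check below is an added example (not code from this repository or any of the projects listed) of how an ECALL should validate such a buffer before touching it: the enclave layout constants are constructed for the example, and the function mirrors the contract of the SGX SDK's sgx_is_outside_enclave() as a stand-alone reimplementation, so it compiles without the SDK.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed enclave layout for this example (assumption, not a real enclave):
 * the secure region spans [ENCLAVE_BASE, ENCLAVE_BASE + ENCLAVE_SIZE). In a real
 * enclave these values come from the loaded image, not from constants. */
#define ENCLAVE_BASE 0x7f0000000000ULL
#define ENCLAVE_SIZE 0x10000000ULL      /* 256 MiB */

/* Returns true only if the whole range [ptr, ptr + len) lies outside the enclave.
 * Hypothetical reimplementation of the sgx_is_outside_enclave() contract:
 *  - rejects ptr + len wrapping around the address space (a classic bypass of a
 *    naive "end < base" check), and
 *  - rejects ranges that merely straddle either enclave boundary, which is how a
 *    partially-outside buffer turns into an arbitrary read/write of enclave memory.
 * Zero-length ranges are rejected here as a deliberate, stricter design choice. */
bool range_is_outside_enclave(uintptr_t ptr, size_t len)
{
    if (len == 0)
        return false;
    if (len > UINTPTR_MAX - ptr)        /* ptr + len would overflow */
        return false;
    uintptr_t end = ptr + len;          /* exclusive end, cannot wrap now */
    return end <= ENCLAVE_BASE || ptr >= ENCLAVE_BASE + ENCLAVE_SIZE;
}

int main(void)
{
    /* Constructed test cases: each is (ptr, len, expected verdict). */
    struct { uintptr_t ptr; size_t len; bool ok; const char *what; } cases[] = {
        { 0x1000, 0x100, true,  "plain untrusted buffer" },
        { ENCLAVE_BASE, 16, false, "starts inside the enclave" },
        { ENCLAVE_BASE - 8, 16, false, "straddles the enclave start" },
        { ENCLAVE_BASE + ENCLAVE_SIZE - 8, 16, false, "straddles the enclave end" },
        { ENCLAVE_BASE - 16, 16, true, "ends exactly at the enclave base" },
        { UINTPTR_MAX - 4, 16, false, "length wraps the address space" },
    };
    int failures = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool got = range_is_outside_enclave(cases[i].ptr, cases[i].len);
        printf("%-36s -> %s\n", cases[i].what, got ? "accept" : "reject");
        if (got != cases[i].ok)
            failures++;
    }
    return failures ? 1 : 0;
}
```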

WolfSSL Exploit

WolfSSL is a portable SSL/TLS library that can be used in an SGX enclave. The SGX layer contained a conceptual error that allowed an attacker to hijack the control flow.

TaLoS Exploits

⚠️ Warning: The project is unmaintained and is still vulnerable!

The TaLoS project provides TLS termination for nginx or apache inside an SGX enclave. We demonstrate:

Citing in Academic Work

These PoC exploits are part of the research that we present in our USENIX Security 2020 paper. If you want to refer to these exploits or our paper in academic work, please use the following BibTeX entry for citation:

