STELLA source code and experimental results

Artisan-Lab/STELLA

STELLA

This repository contains the STELLA toolkit and the full results reported in the STELLA paper.

Requirements

Our prototype is built for the following system:

  • Ubuntu 20.04 LTS
  • Intel i7-9700T 4.30GHz 8-core CPU and 32G memory
  • Intel SGX SDK 2.15
  • LLVM/Clang v13
  • SVF

Note: A real SGX-enabled CPU is optional.

Build

export PROJECT_ROOT=path_to_repository_head

Install Intel SGX SDK

Installation guide

Build LLVM Toolchain

  1. Install required libraries
sudo apt-get install linux-headers-$(uname -r) csh gawk automake libtool bison flex libncurses5-dev
# Check 'makeinfo -v'. If 'makeinfo' does not exist:
sudo apt-get install apt-file texinfo texi2html
sudo apt-file update
sudo apt-file search makeinfo
  2. Download binutils source code
cd ~
git clone --depth 1 git://sourceware.org/git/binutils-gdb.git binutils
  3. Build binutils
mkdir build
cd build
../binutils/configure --enable-gold --enable-plugins --disable-werror
make
  4. Build LLVM
cd $PROJECT_ROOT/src
wget https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-13.0.0.zip
unzip llvmorg-13.0.0.zip
mv llvmorg-13.0.0 llvm_src
cd llvm_src
mkdir build
cd build
# Replace path_to_binutils with the actual path.
cmake -DLLVM_ENABLE_PROJECTS=clang -DLLVM_BINUTILS_INCDIR="path_to_binutils/include" -G "Unix Makefiles" ../llvm
make -j8
  5. Back up ar, nm, ld and ranlib
cd ~
mkdir backup
cd /usr/bin/
cp ar ~/backup/
cp nm ~/backup/
cp ld ~/backup/
cp ranlib ~/backup/
  6. Replace ar, nm, ld and ranlib
cd /usr/bin/
sudo cp ~/build/binutils/ar ./
sudo rm nm
sudo cp ~/build/binutils/nm-new ./nm
sudo cp ~/build/binutils/ranlib ./
sudo cp ~/build/gold/ld-new ./ld
  7. Install gold plugin
cd /usr/lib
# -p: do not fail if the directory already exists
sudo mkdir -p bfd-plugins
cd bfd-plugins
sudo cp $PROJECT_ROOT/src/llvm_src/build/lib/LLVMgold.so ./
sudo cp $PROJECT_ROOT/src/llvm_src/build/lib/libLTO.* ./

Build SVF

sudo apt install cmake gcc g++ libtinfo-dev libz-dev zip wget ##(If running on Ubuntu 20.04)
cd $PROJECT_ROOT/src/svf_src
source ./build.sh

Build Core

cd $PROJECT_ROOT/src/core_src
mkdir build
cd build
make ..

Configuration

Configure the file keywords.txt to set the sensitive identifiers.

Usage

Run STELLA on PoCs:

cd $PROJECT_ROOT/scripts/PoCs
./run.sh

Run STELLA on real-world enclaves:

# The directory name contains a space, so the path must be quoted.
cd "$PROJECT_ROOT/scripts/real-world enclaves/BiORAM-SGX"
./run.sh

Experimental Results

Bug Criteria

  • If two leakage reports have both different leakage points and leaked variables, we report them as two bugs.
  • If two leakage reports share either the same leakage point or leaked variable, we report them as one bug.
  • If the bug code snippet (function level) appears multiple times in different files, we report it only once.
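
The three criteria above amount to grouping reports into equivalence classes. The following is an added example, not STELLA's own code: it assumes a report carries a function-level snippet id, a leakage point given as an offset inside that snippet, and a qualified variable name (all hypothetical fields), and that "one bug" is applied transitively.

```cpp
#include <cstdio>
#include <map>
#include <numeric>
#include <set>
#include <string>
#include <vector>

struct Report {
    std::string file;      // where this copy of the code lives (ignored: criterion 3)
    std::string snippet;   // hypothetical id of the function-level snippet, e.g. a body hash
    int point;             // leakage point as an offset inside that snippet
    std::string variable;  // leaked variable, qualified so that distinct locals differ
};

static int find_root(std::vector<int>& parent, int x) {
    while (parent[x] != x) { parent[x] = parent[parent[x]]; x = parent[x]; }
    return x;
}

// Returns, for every report, the index of the report that represents its bug.
std::vector<int> assign_bugs(const std::vector<Report>& reports) {
    std::vector<int> parent(reports.size());
    std::iota(parent.begin(), parent.end(), 0);
    std::map<std::string, int> owner;  // key -> first report that carried it
    auto link = [&](const std::string& key, int i) {
        auto res = owner.emplace(key, i);
        if (!res.second)  // key seen before: same bug as its first owner
            parent[find_root(parent, i)] = find_root(parent, res.first->second);
    };
    for (int i = 0; i < (int)reports.size(); ++i) {
        link("P:" + reports[i].snippet + "@" + std::to_string(reports[i].point), i);
        link("V:" + reports[i].variable, i);
    }
    std::vector<int> bug(reports.size());
    for (int i = 0; i < (int)reports.size(); ++i) bug[i] = find_root(parent, i);
    return bug;
}

int count_bugs(const std::vector<Report>& reports) {
    std::vector<int> bug = assign_bugs(reports);
    return (int)std::set<int>(bug.begin(), bug.end()).size();
}

// Constructed sample reports (not taken from the results tables).
std::vector<Report> sample_reports() {
    return {{"a.cpp", "f1", 10, "g_secret"}, {"a.cpp", "f2", 4, "g_secret"},
            {"a.cpp", "f2", 4, "f2::tmp"},   {"b.cpp", "f3", 7, "f3::buf"},
            {"c.cpp", "f3", 7, "f3::buf"},   {"b.cpp", "f4", 2, "f4::buf"}};
}
int main() { std::printf("%d bugs\n", count_bugs(sample_reports())); }
```

Because the file name is not part of either key, an identical snippet copied into another file collapses into the same bug.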

Categories of Bugs

  • P1: Ecall Out
  • P2: Ocall In
  • P3: Ecall User_Check
  • P4: Ocall Return
  • P5: Null Pointer

Justification of Sensitivity

  • For leakages of P1-P4, we check whether the leaked variable names (value-flow) are sensitive based on a dictionary, or whether they are passed as arguments to a function with a sensitive name.
  • For P5, we consider any leakage dangerous.
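
One way to express this sensitivity check, as an added example that is not STELLA's implementation. It assumes case-insensitive substring matching against the dictionary; the `Leak` structure, the function names and the sample keywords are hypothetical, and the real dictionary is whatever keywords.txt contains.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

enum Category { P1 = 1, P2, P3, P4, P5 };

struct Leak {
    Category category;
    std::string variable;              // leaked variable name on the value flow
    std::vector<std::string> callees;  // functions that receive it as an argument
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return (char)std::tolower(c); });
    return s;
}

// First dictionary keyword contained in name, or "" if none (assumed matching rule).
static std::string match(const std::string& name, const std::vector<std::string>& dict) {
    const std::string n = lower(name);
    for (const std::string& k : dict)
        if (n.find(lower(k)) != std::string::npos) return k;
    return "";
}

// Returns the sensitive hit for a leak, or "" when the leak is not reported.
std::string sensitive_hit(const Leak& leak, const std::vector<std::string>& dict) {
    if (leak.category == P5) return "-";  // P5: always reported, no dictionary lookup
    std::string hit = match(leak.variable, dict);
    if (!hit.empty()) return hit;
    for (const std::string& f : leak.callees)
        if (!match(f, dict).empty()) return f + "()";  // argument of a sensitive function
    return "";
}

// Constructed dictionary for the example.
std::vector<std::string> sample_keywords() { return {"secret", "key", "password", "decrypt"}; }

int main() {
    Leak leak{P1, "p_dst", {"memcpy", "sgx_rijndael128GCM_decrypt"}};
    std::printf("hit: %s\n", sensitive_hit(leak, sample_keywords()).c_str());
}
```

Substring matching over-approximates: a name such as `keyboard_layout` also hits `key`, so each hit still needs manual review.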

Bugs Found in Our Experiments

  • SGX Project: TACIoT
  • Leakage report:

| Index | Leak Type | EDL field | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
|---|---|---|---|---|---|---|---|---|
| 1 | OCALL in (P2) | ocall_print_secret(secret) | ocall_print_secret() | g_secret | secret | Fixed | Confirmation: debugging code | Removed In Production |

  • SGX Project: TaLoS
  • Leakage report:

| Index | Leak Type | EDL field | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
|---|---|---|---|---|---|---|---|---|
| 1 | ECALL user_check (P3) | ecall_SSL_get_privatekey(pkey) | memcpy | enclave_pkey | key | Confirmed | Confirmed: feature code | |
| 2 | ECALL user_check (P3) | ecall_SSL_CTX_use_PrivateKey(ctx) | = | pkey | key | Confirmed | Confirmed: feature code | ecall_SSL_CTX_use_PrivateKey()->SSL_CTX_use_PrivateKey()->ssl_set_pkey() |
| 3 | Ocall Ret (P4) | ocall_malloc(ssl_session_outside) | memcpy() | ssl->session | ssl/session | Reported | Confirmed: feature code | ocall_malloc() arity |

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
|---|---|---|---|---|---|---|---|---|
| 1 | OCALL in (P2) | ocall_print_string(str) | ocall_print_string() | cipher<=cleartext | cipher | Confirmed | Confirmed: debug code | decrypt_query()->hexdump()->printf_sgx()->ocall_print_string() via indexed ocall |
| 2 | OCALL in (P2) | ocall_print_string(str) | mbedtls_printf() | ssl) | ssl | Confirmed | Confirmed: debug code | mbedtls_printf()->printf()->ocall_print_string() |
| - | | | | str | buf | False Positive Case due to debug | | |
| 3 | Null ptr (P5) | buf | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 4 | Null ptr (P5) | buf | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 5 | Null ptr (P5) | buf | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 6 | Null ptr (P5) | buf | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 7 | Null ptr (P5) | buf | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 8 | Null ptr (P5) | buf | get_page_on_ssl() | - | - | Confirmed | Confirmed: bug | |
| 9 | Null ptr (P5) | resp | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 10 | Null ptr (P5) | in | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 11 | Null ptr (P5) | buf | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 12 | Null ptr (P5) | buf | dump_buf() | - | - | Confirmed | Confirmed: bug | |
| 13 | Null ptr (P5) | resp | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 14 | Null ptr (P5) | buf | memcpy() | - | - | Reported | Confirmed: bug | |

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
|---|---|---|---|---|---|---|---|---|
| 1 | OCALL in | OCALL_print_string(str) | OCALL_print_string | g_secret_DC | secret | Fixed | Confirmed: debug code | Call Chain: printf()->OCALL_print_string() |
| 2 | OCALL in | OCALL_print_string(str) | OCALL_print_string | g_secret_iDA | secret | Fixed | Confirmed: debug code | Call Chain: printf()->OCALL_print_string() |
| - | OCALL in | OCALL_print_string(str) | OCALL_print_string | g_secret_DC | secret | Same as 1 | Same as 1 | printf()->OCALL_print_string() |
| - | OCALL in | OCALL_print_string(str) | OCALL_print_string | g_secret_iDA | secret | Same as 2 | Same as 2 | printf()->OCALL_print_string() |
| - | OCALL in | OCALL_print_string(str) | OCALL_print_string | g_secret_DC | secret | Same as 1 | Same as 1 | printf()->OCALL_print_string() |
| 3 | OCALL in | OCALL_print_string(str) | OCALL_print_string | DO_data_key | key | Confirmed | Confirmed: debug code | printf()->OCALL_print_string() |
| 4 | OCALL in | OCALL_print_string(str) | OCALL_print_string | g_secret_DO | secret | Confirmed | Confirmed: debug code | printf()->OCALL_print_string() |
| 5 | Null Ptr | sk_key_DO | sgx_ra_get_keys() | - | - | Confirmed | Confirmed: bug | sgx_ra_get_keys is an SGX API |
| 6 | Null Ptr | DO_data_key | sgx_read_rand() | - | - | Confirmed | Confirmed: bug | sgx_read_rand is an SGX API |
| 7 | Null Ptr | DO_data_key_assigned | = | - | - | Confirmed | Confirmed: bug | Leak 1 bit |
| 8 | Null Ptr | DO_data_key | sgx_rijndael128GCM_decrypt() | - | - | Confirmed | Confirmed: bug | 4th parameter of sgx_rijndael128GCM_decrypt() is the dest ptr |
| 9 | Null Ptr | weighted_C | = | - | - | Confirmed | Confirmed: bug | |
| 10 | Null Ptr | model | = | - | - | Confirmed | Confirmed: bug | |

  • SGX Project: BiORAM-SGX
  • Leakage report: No response to bug reports. Last update time: 3 years ago.

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
|---|---|---|---|---|---|---|---|---|
| 1 | OCALL in | OCALL_SaveFile(data) | OCALL_SaveFile() | AES_SK | AES | Reported | Confirmed: feature code | should be encrypted before saving |
| 2 | OCALL in | OCALL_SaveFile(data) | OCALL_SaveFile() | AES_TAG | AES | Reported | Confirmed: feature code | should be encrypted before saving |

  • SGX Project: Fidelius
  • Leakage report: No response to bug reports. Last update time: 4 years ago.

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
|---|---|---|---|---|---|---|---|---|
| 1 | OCALL in | ocall_print_string(str) | ocall_print_string() Call Chain | data_to_store | data | Reported | Confirmed: debug code | |
| 2 | Null Ptr | ad | memcpy() | - | - | Reported | Confirmed | |
| 3 | Null Ptr | data_to_store | memcpy() | - | - | Reported | Confirmed: bug | |
| 4 | Null Ptr | data | rgb_to_rgba() | - | - | Reported | Confirmed: bug | |
| 5 | Null Ptr | ad | memcpy() | - | - | Reported | Confirmed: bug | multiple sink points |
| 6 | Null Ptr | ii | hci_inquiry() | - | - | Reported | Confirmed: bug | null pointer should be checked before being passed into hci_inquiry() |

  • SGX Project: password-manager
  • Leakage report: No response to bug reports. Last update time: 3 years ago.

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
|---|---|---|---|---|---|---|---|---|
| 1 | OCALL in | ocall_print(str) | ocall_print() | password | password | Reported | Confirmed: debug code | |
| 2 | Null Ptr | decrypted_output | sgx_rijndael128GCM_decrypt() | - | - | Reported | Confirmed: bug | |

  • SGX Project: SGX_SQLite
  • Leakage report: No response to bug reports. Last update time: 4 years ago.

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
|---|---|---|---|---|---|---|---|---|
| 1 | OCALL in | ocall_stat(buf) | ocall_stat() | buf/path, statbuf | buf | Reported | Confirmed: bug (leak uninit mem) | |

  • SGX Project: SGX-Tor
  • Leakage report: No response to bug reports. Last update time: 4 years ago.

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
|---|---|---|---|---|---|---|---|---|
| 1 | OCALL ret | tor_malloc() | memcpy() | client->client_key<-buf | key | Reported | Confirmed: feature code, multiple leakage points | crypto_pk_write_private_key_to_string()=>crypto_pk_write_key_to_string_impl()=>tor_malloc()=>tor_malloc_()=>sgx_malloc()=>ocall_sgx_malloc() |
| 2 | OCALL ret | tor_malloc() | vsnprintf() | client->client_key | key | Reported | Confirmed: feature code | tor_asprintf()=>tor_vasprintf()=>vsnprintf()=> |
| 3 | OCALL in | ocall_print_string(str) | printf() | dest_url | url | Reported | Confirmed: debug code | printf()=>ocall_print_string() |
| 4 | Null Ptr | content | memcpy() | - | - | Reported | Confirmed: bug | |
| 5 | Null Ptr | torrc | memcpy() | - | - | Reported | Confirmed: bug | |
| - | Null Ptr | torrc | memcpy() | - | - | Reported | same as 5 | |
| 6 | Null Ptr | torrc | memcpy() | - | - | Reported | Confirmed: bug | |
| 7 | Null Ptr | accept_ip | memcpy() | - | - | Reported | Confirmed: bug | |
| 8 | Null Ptr | out | memcpy() | - | - | Reported | Confirmed: bug | |
| 9 | Null Ptr | content | memcpy() | - | - | Reported | Confirmed: bug | |

  • SGX Project: sgx-aes-gcm
  • Leakage report: No response to bug reports. Last update time: 4 years ago.

| Index | Leak Type | EDL field | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
|---|---|---|---|---|---|---|---|---|
| 1 | ECALL out | decryptMessage(decMessageOut) | memcpy | p_dst | sgx_rijndael128GCM_decrypt() | Reported | Confirmed: feature code | |
| 2 | OCALL in | emit_debug(str) | emit_debug | p_dst | sgx_rijndael128GCM_decrypt() | Reported | Confirmed: debug code | |

  • SGX Project: sgx-based-mix-networks
  • Leakage report: No response to bug reports. Last update time: 1 year ago.

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Report Link | Confirmation | More Info |
|---|---|---|---|---|---|---|---|---|
| 1 | ECALL out | dispatch(result) | std::copy() | message | message | Reported | Confirmed: feature code | |
| 2 | Null Ptr | message | std::copy() | - | - | Reported | Confirmed: bug | |

  • SGX Project: sgx_wechat_app
  • Leakage report: No response to bug reports. Last update time: 1 year ago.

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
|---|---|---|---|---|---|---|---|---|
| 1 | OCALL in | str | ocall_eprint_string() | ra_key | key | Reported | Confirmed: debug code | ecall_decrypt_secret()->feprintf()->ocall_eprint_string() |

  • SGX Project: sgx-dnet
  • Leakage report: No response to bug reports. Last update time: 2 years ago.

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
|---|---|---|---|---|---|---|---|---|
| 1 | OCALL in | ocall_fwrite(ptr) | ocall_fwrite() | net<=l.outputs | net | Reported | Confirmed: debug code | save_weights_upto()=>fwrite()=>ocall_fwrite() |
| 2 | OCALL in | ocall_print_string(ptr) | ocall_print_string() | net | net | Reported | Confirmed: debug code | save_weights_upto()=>printf()=>ocall_print_string() |
| 3 | Null Ptr | l.output_layer | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 4 | Null Ptr | l.input_layer | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 5 | Null Ptr | l.wo | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 6 | Null Ptr | l.wg | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 7 | Null Ptr | l.uo | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 8 | Null Ptr | l.input_layer | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 9 | Null Ptr | l.self_layer | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 10 | Null Ptr | l.ui | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 11 | Null Ptr | p | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 12 | Null Ptr | l.uz | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 13 | Null Ptr | l.wf | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 14 | Null Ptr | l.output_layer | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 15 | Null Ptr | l.wz | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 16 | Null Ptr | l.uf | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 17 | Null Ptr | l.ur | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 18 | Null Ptr | l.wi | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 19 | Null Ptr | l.wr | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 20 | Null Ptr | l.ug | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 21 | Null Ptr | l.uh | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 22 | Null Ptr | l.self_layer | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 23 | Null Ptr | l.wh | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 24 | Null Ptr | l.weights | = | - | - | Reported | Confirmed: bug | |
| 25 | Null Ptr | l.weights | = | - | - | Reported | Confirmed: bug | |
| 26 | Null Ptr | l.weights | = | - | - | Reported | Confirmed: bug | |
| 27 | Null Ptr | l.weights | = | - | - | Reported | Confirmed: bug | |

Languages

  • C++ 64.3%
  • C 27.4%
  • OCaml 3.8%
  • Makefile 2.8%
  • M4 0.5%
  • Python 0.3%
  • Other 0.9%