STELLA

This repo contains the toolkit and the full results reported in the STELLA paper.

Requirements

Our prototype is built for the following system:

  • Ubuntu 20.04 LTS
  • Intel i7-9700T 4.30GHz 8-core CPU and 32G memory
  • Intel SGX SDK 2.15
  • LLVM/Clang v13
  • SVF

Note: A real SGX-enabled CPU is optional.

Build

export PROJECT_ROOT=path_to_repository_head

Install Intel SGX SDK

Installation guide

Build LLVM Toolchain

  1. Install required libraries
sudo apt-get install linux-headers-$(uname -r) csh gawk automake libtool bison flex libncurses5-dev
# Check 'makeinfo --version'. If 'makeinfo' is not installed:
sudo apt-get install apt-file texinfo texi2html
sudo apt-file update
sudo apt-file search makeinfo
  2. Download binutils source code
cd ~
git clone --depth 1 git://sourceware.org/git/binutils-gdb.git binutils
  3. Build binutils
mkdir build
cd build
../binutils/configure --enable-gold --enable-plugins --disable-werror
make
  4. Build LLVM
cd $PROJECT_ROOT/src
wget https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-13.0.0.zip
unzip llvmorg-13.0.0.zip
mv llvmorg-13.0.0 llvm_src
cd llvm_src
mkdir build
cd build
# Replace path_to_binutils with the actual path.
cmake -DLLVM_ENABLE_PROJECTS=clang -DLLVM_BINUTILS_INCDIR="path_to_binutils/include" -G "Unix Makefiles" ../llvm
make -j8
  5. Back up ar, nm, ld and ranlib
cd ~
mkdir backup
cd /usr/bin/
cp ar ~/backup/
cp nm ~/backup/
cp ld ~/backup/
cp ranlib ~/backup/
  6. Replace ar, nm, ld and ranlib
cd /usr/bin/
sudo cp ~/build/binutils/ar ./
sudo rm nm
sudo cp ~/build/binutils/nm-new ./nm
sudo cp ~/build/binutils/ranlib ./
sudo cp ~/build/gold/ld-new ./ld
  7. Install gold plugin
cd /usr/lib
sudo mkdir bfd-plugins
cd bfd-plugins
sudo cp $PROJECT_ROOT/src/llvm_src/build/lib/LLVMgold.so ./
sudo cp $PROJECT_ROOT/src/llvm_src/build/lib/libLTO.* ./

Build SVF

sudo apt install cmake gcc g++ libtinfo-dev libz-dev zip wget ##(If running on Ubuntu 20.04)
cd $PROJECT_ROOT/src/svf_src
source ./build.sh

Build Core

cd $PROJECT_ROOT/src/core_src
mkdir build
cd build
# Assumption: core_src is configured with CMake from the build directory
cmake ..
make

Configuration

Edit the file keywords.txt to set the sensitive identifiers.

Usage

Run STELLA on PoCs:

cd $PROJECT_ROOT/scripts/PoCs
./run.sh

Run STELLA on real-world enclaves:

# The directory name contains a space, so the path must be quoted
cd "$PROJECT_ROOT/scripts/real-world enclaves/BiORAM-SGX"
./run.sh

Experimental Results

Bug Criteria

  • If two leakage reports have both different leakage points and leaked variables, we report them as two bugs.
  • If two leakage reports share either the same leakage point or leaked variable, we report them as one bug.
  • If the bug code snippet (function level) appears multiple times in different files, we report it only once.

Categories of Bugs

  • P1: Ecall Out
  • P2: Ocall In
  • P3: Ecall User_Check
  • P4: Ocall Return
  • P5: Null Pointer

Justification of Sensitivity

  • For P1-P4 leakages, we check whether the leaked variable names (along the value flow) are sensitive according to a dictionary, or whether they are passed as arguments to a function with a sensitive name.
  • For P5, we consider any leakage dangerous.
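
The counting rules under Bug Criteria and the sensitivity check above, written out as an added Python example (not STELLA's own code). The report fields, the keyword list, substring matching against names, and transitive merging of reports are all assumptions made for illustration.

```python
from collections import namedtuple

# One leakage report. Field names are assumptions, not STELLA's output format.
Report = namedtuple("Report", "pattern point leaked callee")
# Assumed stand-in for the dictionary configured in keywords.txt.
KEYWORDS = ("secret", "key", "password", "cipher")

def is_sensitive(r):
    """P5 is always kept; P1-P4 need a keyword hit on the leaked variable
    name or on the name of a function it is passed to (substring match)."""
    if r.pattern == "P5":
        return True
    names = (r.leaked.lower(), (r.callee or "").lower())
    return any(k in n for n in names for k in KEYWORDS)

def group_bugs(reports):
    """Union-find: reports sharing a leakage point or a leaked variable
    collapse into one bug (merged transitively, which is an assumption)."""
    parent = list(range(len(reports)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i
    first_seen = {}  # ("point", p) / ("var", v) -> index of first report
    for i, r in enumerate(reports):
        for key in (("point", r.point), ("var", r.leaked)):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i
    bugs = {}
    for i, r in enumerate(reports):
        bugs.setdefault(find(i), []).append(r)
    return list(bugs.values())

def triage(reports):
    """Drop non-sensitive reports, then group what remains into bugs."""
    return group_bugs([r for r in reports if is_sensitive(r)])

# Constructed sample reports (not taken from any analysed project).
SAMPLE = [
    Report("P2", "enclave.c:40", "master_secret", None),
    Report("P2", "enclave.c:40", "session_key", None),    # same point as above
    Report("P4", "enclave.c:90", "session_key", None),    # same variable
    Report("P2", "net.c:12", "buf", "decrypt_with_key"),  # hit via callee name
    Report("P2", "log.c:7", "counter", None),             # no keyword: dropped
    Report("P5", "io.c:55", "resp", None),                # P5: always kept
]
```

On the constructed sample, `triage(SAMPLE)` yields three bugs: the first three reports merge into one, while the callee-name hit and the P5 report each stand alone.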

Bugs Found in Our Experiments

  • SGX Project: TACIoT
  • Leakage report:

| Index | Leak Type | EDL field | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | OCALL in (P2) | ocall_print_secret(secret) | ocall_print_secret() | g_secret | secret | Fixed | Confirmation: debugging code | Removed In Production |

  • SGX Project: TaLoS
  • Leakage report:

| Index | Leak Type | EDL field | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | ECALL user_check (P3) | ecall_SSL_get_privatekey(pkey) | memcpy | enclave_pkey | key | Confirmed | Confirmed: feature code | |
| 2 | ECALL user_check (P3) | ecall_SSL_CTX_use_PrivateKey(ctx) | = | pkey | key | Confirmed | Confirmed: feature code | ecall_SSL_CTX_use_PrivateKey()->SSL_CTX_use_PrivateKey()->ssl_set_pkey() |
| 3 | Ocall Ret (P4) | ocall_malloc(ssl_session_outside) | memcpy() | ssl->session | ssl/session | Reported | Confirmed: feature code | ocall_malloc() arity |

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | OCALL in (P2) | ocall_print_string(str) | ocall_print_string() | cipher<=cleartext | cipher | Confirmed | Confirmed: debug code | decrypt_query()->hexdump()->printf_sgx()->ocall_print_string() via indexed ocall |
| 2 | OCALL in (P2) | ocall_print_string(str) | mbedtls_printf() | ssl) | ssl | Confirmed | Confirmed: debug code | mbedtls_printf()->printf()->ocall_print_string() |
| - | | str | | buf | | False Positive | | Case due to debug |
| 3 | Null ptr (P5) | buf | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 4 | Null ptr (P5) | buf | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 5 | Null ptr (P5) | buf | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 6 | Null ptr (P5) | buf | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 7 | Null ptr (P5) | buf | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 8 | Null ptr (P5) | buf | get_page_on_ssl() | - | - | Confirmed | Confirmed: bug | |
| 9 | Null ptr (P5) | resp | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 10 | Null ptr (P5) | in | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 11 | Null ptr (P5) | buf | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 12 | Null ptr (P5) | buf | dump_buf() | - | - | Confirmed | Confirmed: bug | |
| 13 | Null ptr (P5) | resp | memcpy() | - | - | Confirmed | Confirmed: bug | |
| 14 | Null ptr (P5) | buf | memcpy() | - | - | Reported | Confirmed: bug | |

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | OCALL in | OCALL_print_string(str) | OCALL_print_string | g_secret_DC | secret | Fixed | Confirmed: debug code | Call Chain: printf()->OCALL_print_string() |
| 2 | OCALL in | OCALL_print_string(str) | OCALL_print_string | g_secret_iDA | secret | Fixed | Confirmed: debug code | Call Chain: printf()->OCALL_print_string() |
| - | OCALL in | OCALL_print_string(str) | OCALL_print_string | g_secret_DC | secret | Same as 1 | Same as 1 | printf()->OCALL_print_string() |
| - | OCALL in | OCALL_print_string(str) | OCALL_print_string | g_secret_iDA | secret | Same as 2 | Same as 2 | printf()->OCALL_print_string() |
| - | OCALL in | OCALL_print_string(str) | OCALL_print_string | g_secret_DC | secret | Same as 1 | Same as 1 | printf()->OCALL_print_string() |
| 3 | OCALL in | OCALL_print_string(str) | OCALL_print_string | DO_data_key | key | Confirmed | Confirmed: debug code | printf()->OCALL_print_string() |
| 4 | OCALL in | OCALL_print_string(str) | OCALL_print_string | g_secret_DO | secret | Confirmed | Confirmed: debug code | printf()->OCALL_print_string() |
| 5 | Null Ptr | sk_key_DO | sgx_ra_get_keys() | - | - | Confirmed | Confirmed: bug | sgx_ra_get_keys is an SGX API |
| 6 | Null Ptr | DO_data_key | sgx_read_rand() | - | - | Confirmed | Confirmed: bug | sgx_read_rand is an SGX API |
| 7 | Null Ptr | DO_data_key_assigned | = | - | - | Confirmed | Confirmed: bug | Leak 1 bit |
| 8 | Null Ptr | DO_data_key | sgx_rijndael128GCM_decrypt() | - | - | Confirmed | Confirmed: bug | 4th parameter of sgx_rijndael128GCM_decrypt() is the dest ptr |
| 9 | Null Ptr | weighted_C | = | - | - | Confirmed | Confirmed: bug | |
| 10 | Null Ptr | model | = | - | - | Confirmed | Confirmed: bug | |

  • SGX Project: BiORAM-SGX
  • Leakage report: No response to bug reports. Last update time: 3 years ago.

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | OCALL in | OCALL_SaveFile(data) | OCALL_SaveFile() | AES_SK | AES | Reported | Confirmed: feature code | should be encrypted before saving |
| 2 | OCALL in | OCALL_SaveFile(data) | OCALL_SaveFile() | AES_TAG | AES | Reported | Confirmed: feature code | should be encrypted before saving |

  • SGX Project: Fidelius
  • Leakage report: No response to bug reports. Last update time: 4 years ago.

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | OCALL in | ocall_print_string(str) | ocall_print_string() Call Chain | data_to_store | data | Reported | Confirmed: debug code | |
| 2 | Null Ptr | ad | memcpy() | - | - | Reported | Confirmed | |
| 3 | Null Ptr | data_to_store | memcpy() | - | - | Reported | Confirmed: bug | |
| 4 | Null Ptr | data | rgb_to_rgba() | - | - | Reported | Confirmed: bug | |
| 5 | Null Ptr | ad | memcpy() | - | - | Reported | Confirmed: bug | multiple sink points |
| 6 | Null Ptr | ii | hci_inquiry() | - | - | Reported | Confirmed: bug | null pointer should be checked before being passed into hci_inquiry() |

  • SGX Project: password-manager
  • Leakage report: No response to bug reports. Last update time: 3 years ago.

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | OCALL in | ocall_print(str) | ocall_print() | password | password | Reported | Confirmed: debug code | |
| 2 | Null Ptr | decrypted_output | sgx_rijndael128GCM_decrypt() | - | - | Reported | Confirmed: bug | |

  • SGX Project: SGX_SQLite
  • Leakage report: No response to bug reports. Last update time: 4 years ago.

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | OCALL in | ocall_stat(buf) | ocall_stat() | buf/path, statbuf | buf | Reported | Confirmed: bug (leak uninit mem) | |

  • SGX Project: SGX-Tor
  • Leakage report: No response to bug reports. Last update time: 4 years ago.

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | OCALL ret | tor_malloc() | memcpy() | client->client_key<-buf | key | Reported | Confirmed: feature code, multiple leakage points | crypto_pk_write_private_key_to_string()=>crypto_pk_write_key_to_string_impl()=>tor_malloc()=>tor_malloc_()=>sgx_malloc()=>ocall_sgx_malloc() |
| 2 | OCALL ret | tor_malloc() | vsnprintf() | client->client_key | key | Reported | Confirmed: feature code | tor_asprintf()=>tor_vasprintf()=>vsnprintf()=> |
| 3 | OCALL in | ocall_print_string(str) | printf() | dest_url | url | Reported | Confirmed: debug code | printf()=>ocall_print_string() |
| 4 | Null Ptr | content | memcpy() | - | - | Reported | Confirmed: bug | |
| 5 | Null Ptr | torrc | memcpy() | - | - | Reported | Confirmed: bug | |
| - | Null Ptr | torrc | memcpy() | - | - | Reported | same as 5 | |
| 6 | Null Ptr | torrc | memcpy() | - | - | Reported | Confirmed: bug | |
| 7 | Null Ptr | accept_ip | memcpy() | - | - | Reported | Confirmed: bug | |
| 8 | Null Ptr | out | memcpy() | - | - | Reported | Confirmed: bug | |
| 9 | Null Ptr | content | memcpy() | - | - | Reported | Confirmed: bug | |

  • SGX Project: sgx-aes-gcm
  • Leakage report: No response to bug reports. Last update time: 4 years ago.

| Index | Leak Type | EDL field | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | ECALL out | decryptMessage(decMessageOut) | memcpy | p_dst | sgx_rijndael128GCM_decrypt() | Reported | Confirmed: feature code | |
| 2 | OCALL in | emit_debug(str) | emit_debug | p_dst | sgx_rijndael128GCM_decrypt() | Reported | Confirmed: debug code | |

  • SGX Project: sgx-based-mix-networks
  • Leakage report: No response to bug reports. Last update time: 1 year ago.

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Report Link | Confirmation | More Info |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | ECALL out | dispatch(result) | std::copy() | message | message | Reported | Confirmed: feature code | |
| 2 | Null Ptr | message | std::copy() | - | - | Reported | Confirmed: bug | |

  • SGX Project: sgx_wechat_app
  • Leakage report: No response to bug reports. Last update time: 1 year ago.

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | OCALL in | str | ocall_eprint_string() | ra_key | key | Reported | Confirmed: debug code | ecall_decrypt_secret()->feprintf()->ocall_eprint_string() |

  • SGX Project: sgx-dnet
  • Leakage report: No response to bug reports. Last update time: 2 years ago.

| Index | Leak Type | EDL field/Null Ptr | Sink Point | Leaked Variable | Sensitive Hit | Bug Status | Peer Confirmation | More Info |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | OCALL in | ocall_fwrite(ptr) | ocall_fwrite() | net<=l.outputs | net | Reported | Confirmed: debug code | save_weights_upto()=>fwrite()=>ocall_fwrite() |
| 2 | OCALL in | ocall_print_string(ptr) | ocall_print_string() | net | net | Reported | Confirmed: debug code | save_weights_upto()=>printf()=>ocall_print_string() |
| 3 | Null Ptr | l.output_layer | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 4 | Null Ptr | l.input_layer | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 5 | Null Ptr | l.wo | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 6 | Null Ptr | l.wg | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 7 | Null Ptr | l.uo | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 8 | Null Ptr | l.input_layer | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 9 | Null Ptr | l.self_layer | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 10 | Null Ptr | l.ui | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 11 | Null Ptr | p | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 12 | Null Ptr | l.uz | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 13 | Null Ptr | l.wf | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 14 | Null Ptr | l.output_layer | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 15 | Null Ptr | l.wz | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 16 | Null Ptr | l.uf | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 17 | Null Ptr | l.ur | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 18 | Null Ptr | l.wi | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 19 | Null Ptr | l.wr | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 20 | Null Ptr | l.ug | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 21 | Null Ptr | l.uh | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 22 | Null Ptr | l.self_layer | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 23 | Null Ptr | l.wh | = | - | - | Reported | Confirmed: bug | multiple sinks |
| 24 | Null Ptr | l.weights | = | - | - | Reported | Confirmed: bug | |
| 25 | Null Ptr | l.weights | = | - | - | Reported | Confirmed: bug | |
| 26 | Null Ptr | l.weights | = | - | - | Reported | Confirmed: bug | |
| 27 | Null Ptr | l.weights | = | - | - | Reported | Confirmed: bug | |