Mind Your Enclave Pointers! Detecting Privacy Leakage for SGX Applications via Sparse Taint Analysis
Our paper is the first to reveal a pointer misuse problem in SGX software that leads to privacy leakage, and we summarize five pointer-misuse patterns:
- write private data to OCALL out pointers
- write private data to OCALL in pointers
- write private data to ECALL user_check pointers
- write private data to OCALL return pointers
- write private data to Null pointers
We have implemented a prototype to detect enclave leakage bugs related to these patterns.
Our prototype is built for following system:
- Ubuntu 20.04 LTS
- Intel i7-9700T 4.30GHz 8-core CPU and 32G memory
- Intel SGX SDK 2.15
- LLVM/Clang v13
- SVF
Note: A real SGX-enable CPU is optional.
STELLA
|
|-- src
|-- core
|-- ELA.cpp
|
|-- edl_extractor
|- Extractor.ml
|- CodeGen.ml
|
|-- llvm_src
|
|-- svf_src
|
|-- PoCs
|-- ECALL_out_leak
|
|-- ECALL_user_check_leak
|
|-- Null_pointer_leak
|
|-- OCALL_in_leak
|
|-- OCALL_return_leak
|
|-- scripts
|-- PoCs
|
|-- real-world enclaves
export PROJECT_ROOT=path_to_repository_head
- Install required libraries
sudo apt-get install linux-headers-$(uname -r) csh gawk automake libtool bison flex libncurses5-dev
# Check 'makeinfo -v'. If 'makeinfo' does not exist
sudo apt-get install apt-file texinfo texi2html
sudo apt-file update
sudo apt-file search makeinfo
- Download binutils source code
cd ~
git clone --depth 1 git://sourceware.org/git/binutils-gdb.git binutils
- Build binutils
mkdir build
cd build
../binutils/configure --enable-gold --enable-plugins --disable-werror
make
- Build LLVM
cd $PROJECT_ROOT/src
wget https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-13.0.0.zip
unzip llvmorg-13.0.0.zip
mv llvmorg-13.0.0 llvm_src
cd llvm_src
mkdir build
cd build
# replace path_to_binutils to the actual path.
cmake -DLLVM_ENABLE_PROJECTS=clang -DLLVM_BINUTILS_INCDIR="path_to_binutils/include" -G "Unix Makefiles" ../llvm
make -j8
- Backup ar, nm, ld and ranlib:
cd ~
mkdir backup
cd /usr/bin/
cp ar ~/backup/
cp nm ~/backup/
cp ld ~/backup/
cp ranlib ~/backup/
- Replace ar, nm, ld and ranlib
cd /usr/bin/
sudo cp ~/build/binutils/ar ./
sudo rm nm
sudo cp ~/build/binutils/nm-new ./nm
sudo cp ~/build/binutils/ranlib ./
sudo cp ~/build/gold/ld-new ./ld
- Install gold plugin
cd /usr/lib
sudo mkdir bfd-plugins
cd bfd-plugins
sudo cp $PROJECT_ROOT/src/llvm_src/build/lib/LLVMgold.so ./
sudo cp $PROJECT_ROOT/src/llvm_src/build/lib/libLTO.* ./
sudo apt install cmake gcc g++ libtinfo-dev libz-dev zip wget ##(If running on Ubuntu 20.04)
cd $PROJECT_ROOT/src/svf_src
source ./build.sh
cd $PROJECT_ROOT/src/core_src
mkdir build
cd build
make ..
Run STELLA on PoCs:
cd $PROJECT_ROOT/scripts/PoCs
./run.sh
Run STELLA on real-world enclaves:
cd $PROJECT_ROOT/scripts/real-world enclaves/BiORAM-SGX
./run.sh
- Currently, 21 bugs are confirmed and 4 bugs are fixed.