cocoppang / shieldstore Goto Github PK

Hey,

I get this error when I try to compile your source using the provided instructions.

/linux-sgx/sdk/gperftools/gperftools-2.5/src/tcmalloc.cc:567: undefined reference to `operator delete(void*, unsigned long)'

I am using the Linux SDK v1.8 linked in your readme.

Can you please let me know what this issue could be about?

Thanks!
Adil

Hi,

I think you have a time of check to time of use bug.

in enclave_append and enclave_set you verify the existing integrity of the hash bin, before you update the list. And than you recalculate a new mac for the bin, with the changed list.

An attacker could insert or delete entries between the check and the recalculation of the hash.

Please correct me if I am wrong.

Thanks,
Maurice

Hi,
We found a buffer overflow and a infomation leak in Enclave/Enclave.cpp.
There is a global variable "Arg arg_enclave;" in enclave and it is initialized in ecall "enclave_init_values". However it value is copyed from "arg" which is untrusted.

We found a member variable in structure "Arg" called "int max_buf_size;". Then we search the code to find where "max_buf_size" is used. We found two patterns:
First is like this "memset(cipher, 0, arg_enclave.max_buf_size);". For example it is used in "enclave_get", while the parametre "cipher" refers to the buf in "enclave_process", and its size is a constant(4125). So, arg_enclave.max_buf_size can be larger than the buffer size.
Second pattern is "message_return(cipher, arg_enclave.max_buf_size, client_sock);". Function "message_return" is an ocall which writes cipher to client_sock.

In function "enclave_message_pass" cipher is introduced from data which is original from "HotCall* hotEcall". While "hotEcall" is transferd from untrusted part.

So, attacker can set cipher points to arbitrary address in encalve and set client_sock to sdtout that will leak information in encalve.

Thanks,
yudhui