Recently, we were notified of a re-entrancy vulnerability in the exception handling designs of some popular SGX SDKs (including Intel SGX SDK), resulting in arbitrary disclosure of enclave private memory and code-reuse attacks in SGX enclave.
The vulnerability is named as SmashEx [1]. The SmashEx attack affects several SGX runtimes with exception handling. For Intel SGX SDK, the assigned identifier is CVE-2021-0186 [2]. While the vulnerability itself is not a Teaclave flaw, we're taking proactive measures to explain and mitigate its impact on Teaclave users.
# Overview
Due to the lack of atomicity primitives in SGX enclaves, an SGX enclave can be interrupted and re-entered at any time, including when it is in a state unsafe for re-entry (i.e., when it is executing a critical section). The SmashEx attack exploits such unsafe enclave re-entries happening in the exception handling mechanism in the SGX runtime.
A malicious host can create an exception immediately after EENTER which causes
control to be transferred to the host before the enclave stack (RSP register)
has been properly set up. Then, a special ECALL (called ECMD_EXCEPT
) to
enclave will use the attacker-controlled RSP register to setup the context of
the exception handler function. At last, when the host transfers control back to the
enclave with ERESUME, it may execute with a stack that resides in host memory
thereby enabling ROP exploits.
This vulnerability can be fixed by adding extra checks on untrusted RSP when constructing the context of the exception handler.
# Affected Versions
For Intel SGX SDK, the vulnerability affects all projects using the following versions.
- Intel SGX SDK for Windows v2.12 and erlier
- Intel SGX SDK for Linux v2.13 and earlier
# Impacts on Teaclave
Teaclave SGX SDK wraps Intel SGX SDK and provides a Rust development environment. The affected Intel SGX SDK version was recommended in Rust SGX SDK v1.1.3 (which is a pre-Apache release). Therefore, people using Rust SGX SDK v1.1.3 with the vulnerable Intel SGX SDK (v2.13 and earlier) are also vulnerable. However, the current Teaclave SGX SDK is compatible with newer Intel SGX SDK versions. Therefore, we recommend all users to upgrade to the latest Intel SGX SDK.
For Teaclave (i.e., the Teaclave FaaS platform), it uses Teaclave SGX SDK to build a confidential computing platform. Therefore, the Teaclave v0.2.0 released in March used the vulnerable Intel SGX SDK version. However, the v0.3.0 released [3] in August has upgraded the Intel SGX SDK to v2.14 with the fix. Therefore, the latest release of Teaclave is not affected by this vulnerability.
# Patches & Mitigations
The vulnerability has been fixed in Intel SGX SDK in this patch:
Teaclave users can apply the following mitigations:
- Use Teacalve SGX SDK with Intel SGX SDK for Linux version 2.14 or later
- Upgrade to Teaclave 0.3.0 or later
# Acknowledgements
We would like to thank Jinhua Cui, National University of Defense Technology and National University of Singapore, Shweta Shinde, ETH Zurich , Zhijingcheng Yu, National University of Singapore, and Prateek Saxena, National University of Singapore for notifying us about this issue.
# References
- [1] https://jasonyu1996.github.io/SmashEx/
- [2] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00548.html
- [3] https://github.com/apache/incubator-teaclave/releases/tag/v0.3.0
- SmashEx: Smashing SGX Enclaves Using Exceptions
- Open Enclave SDK Elevation of Privilege Vulnerability