AI帮你理解科学

AI 生成解读视频

AI抽取解析论文重点内容自动生成视频


pub
生成解读视频

AI 溯源

AI解析本论文相关学术脉络


Master Reading Tree
生成 溯源树

AI 精读

AI抽取本论文的概要总结


微博一下
We constructed PoC exploits to confirm the severity of the vulnerability and perform control-flow hijacking allowing an attacker to subvert any confidentiality or integrity guarantees offered by the Software Guard Extensions enclaves

TeeRex: Discovery and Exploitation of Memory Corruption Vulnerabilities in {SGX} Enclaves

USENIX Security Symposium, pp.841-858, (2020)

被引用5|浏览35
EI
下载 PDF 全文
引用
微博一下

摘要

This paper is under embargo and will be released to the public on the first day of the symposium, August 12, 2020. Intel's Software Guard Extensions (SGX) introduced new instructions to switch the processor to enclave mode which protects it from introspect...更多

代码

数据

0
简介
  • Intel recently introduced a sophisticated trusted execution environment (TEE) called Software Guard Extensions (SGX) [30, 37, 50].
  • SGX implements well-known Trusted Computing concepts such as data binding and sealing as well as remote attestation, i.e., ensuring the remote SGX enclave is in a trustworthy state
  • Putting all these features together, this allows a user to establish a secure channel directly to the SGX enclave and perform remote attestation to ensure the integrity of the remote SGX hardware and enclave.
  • SGX is a strong isolation mechanism for sensitive data as well as security-critical code
  • It found its way into commercial applications, e.g., fingerprint sensor software (Section 5), DRM protection [20], and privacy-preserving applications like Signal [48].
  • Many projects propose to utilize SGX for enhanced security guarantees, e.g., processing private data in public clouds [6, 55]
重点内容
  • Intel recently introduced a sophisticated trusted execution environment (TEE) called Software Guard Extensions (SGX) [30, 37, 50]
  • We introduce the first SGX vulnerability analysis framework, called TEEREX, to automatically analyze enclave binary code based on symbolic execution
  • We found that the automatically generated checks of the Intel SGX SDK are insufficient for non-trivial pointer-based data structures and a lack of proper manual validation of pointers or pointer-heavy data structures can lead to memory corruption vulnerabilities
  • To evaluate the effectiveness of TEEREX on real-world enclaves, we gathered a dataset consisting of open-source and proprietary public enclaves
  • As we show in this paper, very similar issues apply to SGX enclaves; especially when legacy code is retrofitted to run inside SGX enclaves
  • We constructed PoC exploits to confirm the severity of the vulnerability and perform control-flow hijacking allowing an attacker to subvert any confidentiality or integrity guarantees offered by the SGX enclaves
结果
  • To evaluate the effectiveness of TEEREX on real-world enclaves, the authors gathered a dataset consisting of open-source and proprietary public enclaves.
  • The authors' dataset contains enclaves developed by well-known companies such as Intel and Baidu.
  • The authors included SGX-protected fingerprint software that is utilized in Dell and Lenovo laptops.
  • Note that it was highly challenging finding projects utilizing the SGX technology.
  • The authors assume this is due to the fact that SGX is a rather new technology, hardware-support on client machines is still not widely available, and as such, SGX is primarily used in cloud settings where the enclave is not publicly available
结论
  • To overcome this limitation, the authors utilize symbol information to detect OCALL invocations in TEEREX.
  • The authors leave the development of a heuristic to detect OCALLs on a binary-level without symbols as future work.Intel SGX is a promising security technology to strongly isolate sensitive code and data into enclaves.
  • Addressing the findings is crucial to allow secure deployment of SGX enclaves
总结
  • Introduction:

    Intel recently introduced a sophisticated trusted execution environment (TEE) called Software Guard Extensions (SGX) [30, 37, 50].
  • SGX implements well-known Trusted Computing concepts such as data binding and sealing as well as remote attestation, i.e., ensuring the remote SGX enclave is in a trustworthy state
  • Putting all these features together, this allows a user to establish a secure channel directly to the SGX enclave and perform remote attestation to ensure the integrity of the remote SGX hardware and enclave.
  • SGX is a strong isolation mechanism for sensitive data as well as security-critical code
  • It found its way into commercial applications, e.g., fingerprint sensor software (Section 5), DRM protection [20], and privacy-preserving applications like Signal [48].
  • Many projects propose to utilize SGX for enhanced security guarantees, e.g., processing private data in public clouds [6, 55]
  • Objectives:

    In the PoC exploits, the authors aim to hijack the instruction pointer while the processor is in enclave mode.
  • Results:

    To evaluate the effectiveness of TEEREX on real-world enclaves, the authors gathered a dataset consisting of open-source and proprietary public enclaves.
  • The authors' dataset contains enclaves developed by well-known companies such as Intel and Baidu.
  • The authors included SGX-protected fingerprint software that is utilized in Dell and Lenovo laptops.
  • Note that it was highly challenging finding projects utilizing the SGX technology.
  • The authors assume this is due to the fact that SGX is a rather new technology, hardware-support on client machines is still not widely available, and as such, SGX is primarily used in cloud settings where the enclave is not publicly available
  • Conclusion:

    To overcome this limitation, the authors utilize symbol information to detect OCALL invocations in TEEREX.
  • The authors leave the development of a heuristic to detect OCALLs on a binary-level without symbols as future work.Intel SGX is a promising security technology to strongly isolate sensitive code and data into enclaves.
  • Addressing the findings is crucial to allow secure deployment of SGX enclaves
表格
  • Table1: Dataset of public enclaves and their susceptibility to exploitation
  • Table2: Overview of results of our analysis of public enclave code. Some patterns are not applicable for every enclave, because the relevant code constructs are not used or the source is unavailable
Download tables as Excel
相关工作
  • The security research on privilege separation lead to system architectures that separate user from kernel space. However, several kernel vulnerabilities bypassed this separation simply because the kernel is not strictly separated from user space [14, 19, 25, 26, 41]. As a response, CPU vendors introduced hardware-based mitigation mechanisms, such as SMAP or SMEP [35], to enforce stricter separation. In fact, there are many parallels between the user/kernel space interface and the SGX host-to-enclave interface. That is, a higher privileged partition (the enclave) must carefully parse and validate any data that is written by the untrusted partition (the host application).

    Prior work in this area introduced mechanism allowing a user space program to reliably execute in the presence of a compromised operating system [16, 45, 49, 54]. However, Checkoway et al [13] have shown that existing legacy software cannot be simply retrofitted to such environments mainly because many kernel and operating system APIs implicitly assume that the kernel is the most trusted part of the system, e.g., in the threat model of a traditional Unix-like system the kernel is assumed to have full control over the code and data areas of any user space process. As such, existing software, such as most implementations of the C standard library, lack any validation of data passed from the kernel. So-called Iago attacks exploit this fact and show that a malicious kernel can easily corrupt memory of a user space process by returning bogus arguments from system calls. As we show in this paper, very similar issues apply to SGX enclaves; especially when legacy code is retrofitted to run inside SGX enclaves.
引用论文
  • Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. “Control-flow integrity principles, implementations, and applications”. In: ACM Trans. Inf. Syst. Secur. 13.1 (2009). DOI: 10.1145/1609956. 1609960.
    Locate open access versionFindings
  • Pierre-Louis Aublin, Florian Kelbert, Dan O’Keeffe, Divya Muthukumaran, Christian Priebe, Joshua Lind, Robert Krahn, Christof Fetzer, David Eyers, and Peter Pietzuch. TaLoS: Secure and Transparent TLS Termination inside SGX Enclaves. en. Tech. rep. 2017/5. Imperial College London, Mar. 2017. URL: https://www.doc.ic.ac.uk/research/technicalreports/2017/DTRS17-5.pdf.
    Findings
  • Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao, and David Brumley. “AEG: Automatic Exploit Generation”. In: Proceedings of the Network and Distributed System Security Symposium, NDSS. 2011. URL: https://www.ndss-symposium.org/ndss2011/aegautomatic-exploit-generation.
    Locate open access versionFindings
  • Thanassis Avgerinos, Alexandre Rebert, Sang Kil Cha, and David Brumley. “Enhancing symbolic execution with veritesting”. In: Commun. ACM 59.6 (2016), pp. 93–100. DOI: 10.1145/2927924.
    Locate open access versionFindings
  • Roberto Baldoni, Emilio Coppa, Daniele Cono D’elia, Camil Demetrescu, and Irene Finocchi. “A Survey of Symbolic Execution Techniques”. In: ACM Comput. Surv. 51.3 (May 2018). ISSN: 0360-0300. DOI: 10.1145/3182657.
    Locate open access versionFindings
  • Andrew Baumann, Marcus Peinado, and Galen C. Hunt. “Shielding Applications from an Untrusted Cloud with Haven”. In: 11th USENIX Symposium on Operating Systems Design and Implementation, OSDI. 2014. URL: https://www.usenix.org/conference/osdi14/technical-sessions/presentation/baumann.
    Locate open access versionFindings
  • Andrea Biondo, Mauro Conti, Lucas Davi, Tommaso Frassetto, and Ahmad-Reza Sadeghi. “The Guard’s Dilemma: Efficient Code-Reuse Attacks Against Intel SGX”. In: 27th USENIX Security Symposium, USENIX Security. 2018. URL: https://www.usenix.org/conference/usenixsecurity18/presentation/biondo.
    Locate open access versionFindings
  • Robert S Boyer, Bernard Elspas, and Karl N Levitt. “SELECT— a formal system for testing and debugging programs by symbolic execution”. In: ACM SigPlan Notices 10.6 (1975). URL: https://dl.acm.org/citation.cfm?id=808445.
    Locate open access versionFindings
  • Bryan Buck and Jeffrey K Hollingsworth. “An API for Runtime Code Patching”. In: Int. J. High Perform. Comput. Appl. 14.4 (Nov. 2000). ISSN: 1094-3420. DOI: 10.1177/109434200001400404.
    Locate open access versionFindings
  • Cristian Cadar, Daniel Dunbar, and Dawson R Engler. “KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs”. In: 8th USENIX Symposium on Operating Systems Design and Implementation, OSDI. 2008. URL: http://www.usenix.org/events/osdi08/tech/full%5C_papers/cadar/cadar.pdf.
    Locate open access versionFindings
  • Nicholas Carlini and David Wagner. “ROP is Still Dangerous: Breaking Modern Defenses”. In: 23rd USENIX Security Symposium, USENIX Security. 2014. URL: https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/carlini.
    Locate open access versionFindings
  • Sang Kil Cha, Thanassis Avgerinos, Alexandre Rebert, and David Brumley. “Unleashing Mayhem on Binary Code”. In: 2012 IEEE Symposium on Security and Privacy. IEEE, May 20DOI: 10. 1109/SP.2012.31.
    Locate open access versionFindings
  • Stephen Checkoway and Hovav Shacham. “Iago attacks: why the system call API is a bad untrusted RPC interface”. In: ASPLOS. Vol. 2013. DOI: 10.1145/2499368.2451145.
    Findings
  • Haogang Chen, Yandong Mao, Xi Wang, Dong Zhou, Nickolai Zeldovich, and M Frans Kaashoek. “Linux Kernel Vulnerabilities: Stateof-the-art Defenses and Open Problems”. In: Proceedings of the Second Asia-Pacific Workshop on Systems. APSys ’11. ACM, 2011. DOI: 10.1145/2103799.2103805.
    Locate open access versionFindings
  • Shuo Chen, Jun Xu, and Emre Can Sezer. “Non-Control-Data Attacks Are Realistic Threats”. In: Proceedings of the 14th USENIX Security Symposium. 2005. URL: https://www.usenix.org/conference/14th-usenix-security-symposium/non-control-data attacks-are-realistic-threats.
    Locate open access versionFindings
  • Xiaoxin Chen, Tal Garfinkel, E. Christopher Lewis, Pratap Subrahmanyam, Carl A. Waldspurger, Dan Boneh, Jeffrey S. Dwoskin, and Dan R. K. Ports. “Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems”. In: Proceedings of the 13th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS. 2008. DOI: 10.1145/1346281.1346284.
    Locate open access versionFindings
  • James A. Clause, Wanchun Li, and Alessandro Orso. “Dytan: a generic dynamic taint analysis framework”. In: Proceedings of the ACM/SIGSOFT International Symposium on Software Testing and Analysis, ISSTA. 2007. DOI: 10.1145/1273463.1273490.
    Locate open access versionFindings
  • Victor Costan and Srinivas Devadas. “Intel SGX Explained”. In: (2016). URL: https://eprint.iacr.org/2016/086.
    Findings
  • Mark Cox. Red Hat’s Top 11 Most Serious Flaw Types for 2009. Feb. 2010. URL: https://awe.com/mark/blog/20100216.html.
    Findings
  • CyberLink. PowerDVD Ultra Requirements. URL: https://www.cyberlink.com/products/powerdvd-ultra/spec_en_US.html (visited on 11/14/2019).
    Findings
  • Lucas Davi, Ahmad-Reza Sadeghi, Daniel Lehmann, and Fabian Monrose. “Stitching the Gadgets: On the Ineffectiveness of CoarseGrained Control-Flow Integrity Protection”. In: Proceedings of the 23rd USENIX Security Symposium, USENIX Security. 2014. URL: https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/davi.
    Locate open access versionFindings
  • Ran Duan, Long Li, Shi Jia, Yu Ding, Yulong Zhang, Yueqiang Cheng, Lenx Wei, and Tanghui Chen. Apache Teaclave Rust-SGX SDK Samplecode “tls/tlsclient”. URL: https://github.com/apache/incubator-teaclave-sgx-sdk/tree/master/samplecode/tls/tlsclient (visited on 02/28/2020).
    Findings
  • Tyler Durden. “Bypassing PaX ASLR protection”. In: Phrack Magazine 59.9 (2002). URL: http://phrack.org/issues/59/9.html.
    Findings
  • Efficient TLS termination inside Intel SGX enclaves for existing applications: lsds/TaLoS. Aug. 7, 2019. URL: https://github.com/lsds/TaLoS (visited on 08/27/2019).
    Findings
  • Przemyslaw Frasunek. Full Disclosure Mailing List Archives: FreeBSD 7.0 - 7.2 pseudofs null pointer dereference. Sept. 2010. URL: https://seclists.org/fulldisclosure/2010/Sep/107 (visited on 11/13/2019).
    Findings
  • David Gens, Simon Schmitt, Lucas Davi, and Ahmad-Reza Sadeghi. “K-Miner: Uncovering Memory Corruption in Linux”. In: Proceedings 2018 Network and Distributed System Security Symposium, NDSS. 2018. DOI: 10.14722/ndss.2018.23326.
    Locate open access versionFindings
  • Enes Göktas, Elias Athanasopoulos, Herbert Bos, and Georgios Portokalidis. “Out of Control: Overcoming Control-Flow Integrity”. In: 2014 IEEE Symposium on Security and Privacy, S&P. 2014. DOI: 10.1109/SP.2014.43.
    Locate open access versionFindings
  • Lee Harrison, Hayawardh Vijayakumar, Rohan Padhye, Koushik Sen, Michael Grace, Rohan Padhye, Caroline Lemieux, Koushik Sen, Laurent Simon, Hayawardh Vijayakumar, et al. “PARTEMU: Enabling Dynamic Analysis of Real-World TrustZone Software Using Emulation”. In: Proceedings of the 29th USENIX Security Symposium (USENIX Security 2020) (To Appear). 2020. URL: https://www.usenix.org/conference/usenixsecurity20/presentation/harrison.
    Locate open access versionFindings
  • Sean Heelan, Tom Melham, and Daniel Kroening. “Gollum: Modular and Greybox Exploit Generation for Heap Overflows in Interpreters”. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS. 2019. DOI: 10.1145/3319535. 3354224.
    Locate open access versionFindings
  • Matthew Hoekstra, Reshma Lal, Pradeep Pappachan, Vinay Phegade, and Juan del Cuvillo. “Using innovative instructions to create trustworthy software solutions”. In: The Second Workshop on Hardware and Architectural Support for Security and Privacy, HASP. 2013. DOI: 10.1145/2487726.2488370.
    Findings
  • Hong Hu, Zheng Leong Chua, Sendroiu Adrian, Prateek Saxena, and Zhenkai Liang. “Automatic Generation of Data-Oriented Exploits”. In: 24th USENIX Security Symposium, USENIX Security. 2015. URL: https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/hu.
    Locate open access versionFindings
  • Hong Hu, Zheng Leong Chua, Zhenkai Liang, and Prateek Saxena. “Identifying Arbitrary Memory Access Vulnerabilities in PrivilegeSeparated Software”. In: Computer Security - 20th European Symposium on Research in Computer Security, Proceedings, Part II, ESORICS. 2015. DOI: 10.1007/978-3-319-24177-7_16.
    Locate open access versionFindings
  • Hong Hu, Shweta Shinde, Sendroiu Adrian, Zheng Leong Chua, Prateek Saxena, and Zhenkai Liang. “Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks”. In: IEEE Symposium on Security and Privacy, S&P. 2016. DOI: 10.1109/SP.2016. 62.
    Locate open access versionFindings
  • Intel. Demo Programs for the GNU* Multiple Precision Arithmetic Library* for Intel R Software Guard Extensions. URL: https://github.com/intel/sgx-gmp-demo/ (visited on 10/10/2019).
    Findings
  • Intel. Intel 64 and IA-32 Architectures Software Developer’s Manual, Combined Volumes 3 (3A, 3B, and 3C): System Programming Guide. 2019. URL: https://software.intel.com/sites/default/files/managed/a4/60/325384-sdm-vol-3abcd.pdf.
    Locate open access versionFindings
  • Intel. Intel R Software Guard Extensions SDK for Linux*. URL: https://01.org/intel-software-guard-extensions (visited on 08/20/2019).
    Findings
  • Intel R 64 and IA-32 Architectures Software Developer’s Manual, Volume 3D: System Programming Guide, Part 4. Order Number 332831-065US. Intel. Dec. 2017.
    Google ScholarLocate open access versionFindings
  • Kyriakos K. Ispoglou, Bader AlBassam, Trent Jaeger, and Mathias Payer. “Block Oriented Programming: Automating Data-Only Attacks”. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS. 2018. DOI: 10.1145/ 3243734.3243739.
    Locate open access versionFindings
  • Todd Jackson, Babak Salamat, Andrei Homescu, Karthikeyan Manivannan, Gregor Wagner, Andreas Gal, Stefan Brunthaler, Christian Wimmer, and Michael Franz. “Compiler-Generated Software Diversity”. In: Moving Target Defense. Vol. 54. Advances in Information Security. 2011. DOI: 10.1007/978-1-4614-0977-9_4.
    Locate open access versionFindings
  • Simon Johnson. Intel R SGX and Side-Channels. Feb. 2018. URL: https://software.intel.com/en-us/articles/intel-sgxand-side-channels (visited on 10/10/2019).
    Findings
  • Vasileios P. Kemerlis, Georgios Portokalidis, and Angelos D. Keromytis. “kGuard: Lightweight Kernel Protection against Returnto-User Attacks”. In: Proceedings of the 21th USENIX Security Symposium. 2012. URL: https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/kemerlis.
    Locate open access versionFindings
  • James C King. “Symbolic execution and program testing”. In: Commun. ACM 19.7 (July 1976). ISSN: 0001-0782. DOI: 10. 1145 / 360248.360252.
    Google ScholarLocate open access versionFindings
  • Per Larsen, Andrei Homescu, Stefan Brunthaler, and Michael Franz. “SoK: Automated Software Diversity”. In: Proceedings of the 35th IEEE Symposium on Security and Privacy. 2014. DOI: 10.1109/SP. 2014.25.
    Locate open access versionFindings
  • Jae-Hyuk Lee, Jin Soo Jang, Yeongjin Jang, Nohyun Kwak, Yeseul Choi, Changho Choi, Taesoo Kim, Marcus Peinado, and Brent ByungHoon Kang. “Hacking in Darkness: Return-oriented Programming against Secure Enclaves”. In: 26th USENIX Security Symposium, USENIX Security. 2017. URL: https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/lee-jaehyuk.
    Locate open access versionFindings
  • David Lie, Chandramohan A. Thekkath, and Mark Horowitz. “Implementing an untrusted operating system on trusted hardware”. In: Proceedings of the 19th ACM Symposium on Operating Systems Principles 2003, SOSP. 2003. DOI: 10.1145/945445.945463.
    Locate open access versionFindings
  • Chi-Keung Luk, Robert S. Cohn, Robert Muth, Harish Patil, Artur Klauser, P. Geoffrey Lowney, Steven Wallace, Vijay Janapa Reddi, and Kim M. Hazelwood. “Pin: building customized program analysis tools with dynamic instrumentation”. In: Proceedings of the ACM SIGPLAN 2005 Conference on Programming Language Design and Implementation. 2005. DOI: 10.1145/1065010.1065034.
    Locate open access versionFindings
  • Aravind Machiry, Eric Gustafson, Chad Spensky, Christopher Salls, Nick Stephens, Ruoyu Wang, Antonio Bianchi, Yung Ryn Choe, Christopher Kruegel, and Giovanni Vigna. “BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments”. In: 24th Annual Network and Distributed System Security Symposium, NDSS. 2017. DOI: 10.14722/ndss.2017.23227.
    Locate open access versionFindings
  • Moxie Marlinspike. Technology preview: Private contact discovery for Signal. Sept. 26, 2017. URL: https://signal.org/blog/private-contact-discovery/ (visited on 10/10/2019).
    Findings
  • Jonathan M McCune, Bryan J Parno, Adrian Perrig, Michael K Reiter, and Hiroshi Isozaki. “Flicker: An execution infrastructure for TCB minimization”. In: ACM SIGOPS Operating Systems Review. Vol. 42.
    Google ScholarLocate open access versionFindings
  • 4. ACM. 2008. DOI: 10.1145/1357010.1352625.
    Findings
  • [50] Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V. Rozas, Hisham Shafi, Vedvyas Shanbhogue, and Uday R. Savagaonkar. “Innovative instructions and software model for isolated execution”. In: The Second Workshop on Hardware and Architectural Support for Security and Privacy, HASP. 2013. DOI: 10.1145/2487726.2488368.
    Findings
  • [51] Microsoft. Data Execution Prevention (DEP). 2006. URL: http://support.microsoft.com/kb/875352/EN-US/.
    Findings
  • [52] PaX Team. PaX: PAGEEXEC Design. URL: https://pax.grsecurity.net/docs/pageexec.txt (visited on 08/23/2019).
    Findings
  • [53] Jannik Pewny, Philipp Koppe, and Thorsten Holz. “STEROIDS for DOPed Applications: A Compiler for Automated Data-Oriented Programming”. In: IEEE European Symposium on Security and Privacy, EuroS&P. 2019. DOI: 10.1109/EuroSP.2019.00018.
    Locate open access versionFindings
  • [54] Dan R. K. Ports and Tal Garfinkel. “Towards Application Security on Untrusted Operating Systems”. In: 3rd USENIX Workshop on Hot Topics in Security, HotSec. 2008. URL: http://www.usenix.org/events/hotsec08/tech/full%5C_papers/ports/ports.pdf.
    Locate open access versionFindings
  • [55] Felix Schuster, Manuel Costa, Cédric Fournet, Christos Gkantsidis, Marcus Peinado, Gloria Mainar-Ruiz, and Mark Russinovich. “VC3: Trustworthy Data Analytics in the Cloud Using SGX”. In: 2015 IEEE Symposium on Security and Privacy, S&P. 2015. DOI: 10.1109/SP. 2015.10.
    Locate open access versionFindings
  • [56] Jaebaek Seo, Byoungyoung Lee, Seong Min Kim, Ming-Wei Shih, Insik Shin, Dongsu Han, and Taesoo Kim. “SGX-Shield: Enabling Address Space Layout Randomization for SGX Programs”. In: 24th Annual Network and Distributed System Security Symposium, NDSS. 2017. DOI: 10.14722/ndss.2017.23037.
    Locate open access versionFindings
  • [57] Hovav Shacham. “The geometry of innocent flesh on the bone: returninto-libc without function calls (on the x86)”. In: Proceedings of the 2007 ACM Conference on Computer and Communications Security, CCS. 2007. DOI: 10.1145/1315245.1315313.
    Locate open access versionFindings
  • [58] Yan Shoshitaishvili et al. “SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis”. In: IEEE Symposium on Security and Privacy, S&P. 2016. DOI: 10.1109/SP.2016.17.
    Locate open access versionFindings
  • [59] Kevin Z. Snow, Fabian Monrose, Lucas Davi, Alexandra Dmitrienko, Christopher Liebchen, and Ahmad-Reza Sadeghi. “Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization”. In: Proceedings of the 34th IEEE Symposium on Security and Privacy, S&P. 2013. DOI: 10.1109/SP.2013.45.
    Locate open access versionFindings
  • [60] Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. “SoK: Eternal War in Memory”. In: 2013 IEEE Symposium on Security and Privacy, S&P. 2013. DOI: 10.1109/SP.2013.13.
    Locate open access versionFindings
  • [61] Chia-che Tsai, Donald E. Porter, and Mona Vij. “Graphene-SGX: A Practical Library OS for Unmodified Applications on SGX”. In: 2017 USENIX Annual Technical Conference, USENIX ATC. 2017. URL: https://www.usenix.org/conference/atc17/technical sessions/presentation/tsai.
    Locate open access versionFindings
  • [62] Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F Wenisch, Yuval Yarom, and Raoul Strackx. “Foreshadow: Extracting the keys to the intel SGX kingdom with transient out-of-order execution”. In: 27th USENIX Security Symposium, USENIX Security. 2018. URL: https://www.usenix.org /conference/usenixsecurity18/presentation/bulck.
    Locate open access versionFindings
  • [63] Jo Van Bulck, David Oswald, Eduard Marin, Abdulla Aldoseri, Flavio D Garcia, and Frank Piessens. “A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes”. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS. 2019. DOI: 10.1145/3319535.3363206.
    Locate open access versionFindings
  • [64] Jo Van Bulck, Frank Piessens, and Raoul Strackx. “SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control”. In: Proceedings of the 2Nd Workshop on System Software for Trusted Execution, SysTEX. 2017. DOI: 10.1145/3152701.3152706.
    Locate open access versionFindings
  • [65] Jo Van Bulck, Nico Weichbrodt, Rüdiger Kapitza, Frank Piessens, and Raoul Strackx. “Telling Your Secrets without Page Faults: Stealthy Page Table-Based Attacks on Enclaved Execution”. In: 26th USENIX Security Symposium, USENIX Security. 2017. URL: https://www.usenix.org/conference/usenixsecurity17/technicalsessions/presentation/van-bulck.
    Locate open access versionFindings
  • [66] Victor van der Veen, Dennis Andriesse, Manolis Stamatogiannakis, Xi Chen, Herbert Bos, and Cristiano Giuffrida. “The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later”. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS. 2017. DOI: 10.1145/3133956.3134026.
    Locate open access versionFindings
  • [67] Huibo Wang, Pei Wang, Yu Ding, Mingshen Sun, Yiming Jing, Ran Duan, Long Li, Yulong Zhang, Tao Wei, and Zhiqiang Lin. “Towards Memory Safe Enclave Programming with Rust-SGX”. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS. 2019. DOI: 10.1145/3319535.3354241.
    Locate open access versionFindings
  • wolfSSL: a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. Oct. 10, 2019. URL: https://github.com/wolfSSL/wolfssl (visited on 08/27/2019).
    Findings
  • Yuanzhong Xu, Weidong Cui, and Marcus Peinado. “ControlledChannel Attacks: Deterministic Side Channels for Untrusted Operating Systems”. In: 2015 IEEE Symposium on Security and Privacy, S&P. 2015. DOI: 10.1109/SP.2015.45.
    Locate open access versionFindings
  • Michal Zalewski. American Fuzzing Lop (AFL). 2019. URL: http://lcamtuf.coredump.cx/afl/ (visited on 11/13/2019).
    Findings
作者
Tobias Cloosters
Tobias Cloosters
您的评分 :
0

 

标签
评论
数据免责声明
页面数据均来自互联网公开来源、合作出版商和通过AI技术自动分析结果,我们不对页面数据的有效性、准确性、正确性、可靠性、完整性和及时性做出任何承诺和保证。若有疑问,可以通过电子邮件方式联系我们:report@aminer.cn
小科