NEWS: Our paper "SmashEx: Smashing SGX Enclaves Using Exceptions" has been accepted at ACM CCS '21. The paper introduces a powerful attack that exploits the OS-enclave interface for asynchronous exceptions in Intel SGX (Software Guard eXtensions). The full paper can be found on arXiv and in the ACM Digital Library.
NOTE: More information and other PoCs for SGX frameworks based on the Open Enclave SDK can be found here.
SmashEx is a new, powerful attack which exploits the OS-enclave interface for asynchronous exceptions in SGX. It demonstrates the importance of a fundamental property, safe atomic execution, that is required on this interface. In the absence of atomicity, we show that asynchronous exception handling in SGX enclaves is complicated and prone to re-entrancy vulnerabilities. Our attacks do not assume any memory errors in the enclave code, side channels, or application-specific logic flaws. We concretely demonstrate exploits that cause arbitrary disclosure of enclave private memory and code-reuse (ROP) attacks in the enclave. We show reliable exploits on two widely used SGX runtimes, the Intel SGX SDK and Microsoft Open Enclave, running the OpenSSL and cURL libraries respectively. We tested a total of 14 frameworks, including the Intel SGX SDK and Microsoft Open Enclave, 10 of which are vulnerable, including Google Asylo, Apache Teaclave, Rust SGX SDK, and Edgeless RT. We discuss how the vulnerability manifests on both SGX1-based and SGX2-based platforms. We present potential mitigations and long-term defenses for SmashEx. We responsibly disclosed our findings to the affected frameworks and were assigned two CVEs (CVE-2021-0186 and CVE-2021-33767), leading to advisories and patches in the Intel SGX SDK and Microsoft Open Enclave.
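To make the atomicity property named above concrete, the following C program is an added illustration written for this README; it is not code from the SmashEx PoCs, the Intel SGX SDK, or Open Enclave, and it models no SGX instruction or data structure. It simulates an enclave's asynchronous-exception entry path as a small state machine (all names are hypothetical): one entry routine accepts any exception-entry request from the untrusted side and so permits a second handler to be entered while the first is still running, and a second routine makes the transition "interrupted, expecting one handler entry" to "handler running" a single compare-and-swap, so a nested or spurious entry is refused. The program reports the maximum handler nesting depth each variant allows.

```c
/* Toy model of re-entrancy on an enclave's exception-entry path (added example,
 * hypothetical names; not SGX SDK / Open Enclave code). "Exception entry" is an
 * ordinary function call: the caller stands in for the (possibly malicious) OS. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

enum enclave_state {
    ENCLAVE_IDLE,         /* not entered */
    ENCLAVE_RUNNING,      /* executing an ECALL */
    ENCLAVE_INTERRUPTED,  /* an AEX occurred; exactly one handler entry is expected */
    ENCLAVE_IN_HANDLER    /* exception handler running; no nested entry allowed */
};

struct enclave {
    _Atomic int state;    /* holds an enum enclave_state value */
    int handler_depth;    /* live handler frames; should never exceed 1 */
    int max_depth_seen;   /* largest handler_depth observed during a run */
};

typedef bool (*body_fn)(struct enclave *, void *ctx);
typedef bool (*entry_fn)(struct enclave *, body_fn, void *ctx);

static void enclave_init(struct enclave *e) {
    atomic_init(&e->state, ENCLAVE_IDLE);
    e->handler_depth = 0;
    e->max_depth_seen = 0;
}

/* Hardware-style AEX: the enclave was interrupted mid-execution. */
static void simulate_aex(struct enclave *e) {
    atomic_store(&e->state, ENCLAVE_INTERRUPTED);
}

static void enter_handler(struct enclave *e) {
    e->handler_depth++;
    if (e->handler_depth > e->max_depth_seen) e->max_depth_seen = e->handler_depth;
    atomic_store(&e->state, ENCLAVE_IN_HANDLER);
}

static void leave_handler(struct enclave *e) {
    e->handler_depth--;
    atomic_store(&e->state, e->handler_depth > 0 ? ENCLAVE_IN_HANDLER : ENCLAVE_RUNNING);
}

/* Unsafe variant: trusts the caller that an exception is pending and never
 * checks whether a handler is already live, so a second request while the
 * first handler runs is honoured and the saved context would be clobbered. */
static bool exception_entry_unsafe(struct enclave *e, body_fn body, void *ctx) {
    enter_handler(e);
    bool ok = body(e, ctx);
    leave_handler(e);
    return ok;
}

/* Checked variant: INTERRUPTED -> IN_HANDLER is one compare-and-swap, so an
 * entry is accepted only when an AEX really left the enclave expecting it,
 * and at most one handler can be live at a time. */
static bool exception_entry_checked(struct enclave *e, body_fn body, void *ctx) {
    int expected = ENCLAVE_INTERRUPTED;
    if (!atomic_compare_exchange_strong(&e->state, &expected, ENCLAVE_IN_HANDLER))
        return false;  /* unexpected or nested entry: refuse */
    enter_handler(e);
    bool ok = body(e, ctx);
    leave_handler(e);
    return ok;
}

struct nested_ctx { entry_fn entry; bool nested_accepted; };

static bool inner_body(struct enclave *e, void *ctx) { (void)e; (void)ctx; return true; }

/* Handler body during which the OS requests a second exception entry. */
static bool outer_body(struct enclave *e, void *ctx) {
    struct nested_ctx *n = ctx;
    n->nested_accepted = n->entry(e, inner_body, NULL);
    return true;
}

/* Legitimate AEX followed by a nested entry attempt; returns the deepest
 * handler nesting reached (1 means the nested entry was rejected). */
static int run_nested_scenario(entry_fn entry) {
    struct enclave e;
    enclave_init(&e);
    atomic_store(&e.state, ENCLAVE_RUNNING);
    simulate_aex(&e);
    struct nested_ctx n = { entry, false };
    entry(&e, outer_body, &n);
    return e.max_depth_seen;
}

/* Entry request with no preceding AEX; returns whether it was accepted. */
static bool spurious_entry_accepted(entry_fn entry) {
    struct enclave e;
    enclave_init(&e);
    atomic_store(&e.state, ENCLAVE_RUNNING);
    return entry(&e, inner_body, NULL);
}

int main(void) {
    printf("unsafe:  max nesting %d, spurious entry accepted: %s\n",
           run_nested_scenario(exception_entry_unsafe),
           spurious_entry_accepted(exception_entry_unsafe) ? "yes" : "no");
    printf("checked: max nesting %d, spurious entry accepted: %s\n",
           run_nested_scenario(exception_entry_checked),
           spurious_entry_accepted(exception_entry_checked) ? "yes" : "no");
    return 0;
}
```

The point of the model is the single atomic transition: whether an entry is legitimate is decided and recorded in one step, so the untrusted side cannot interleave a second entry between the check and the state update. A real runtime additionally has to protect the saved interrupted context and the handler's stack, which this toy deliberately leaves out.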
This repository only provides an entry point for the PoC exploits. If you need the source code for educational or research purposes, you can obtain it here. Please contact us here if you run into further problems.
NOTE: After acquiring the PoC(s), see the README file in the root directory, which gives a step-by-step guide to reproducing the SmashEx attacks.
@inproceedings{smashex-ccs21,
title={SmashEx: Smashing SGX Enclaves Using Exceptions},
author={Cui, Jinhua and Yu, Jason Zhijingcheng and Shinde, Shweta and Saxena, Prateek and Cai, Zhiping},
booktitle={Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security},
pages={779--793},
year={2021}
}
For any questions or bugs, please send an email to jhcui.gid@gmail.com, or open an issue on the GitHub repository.