Analysis of TEE Software

Intel's Software Guard Extensions (SGX) introduced new instructions to switch the processor to enclave mode, which protects it from introspection. While the enclave mode strongly protects the memory and the state of the processor, it cannot withstand memory corruption errors inside the enclave code. Our research shows that the attack surface of SGX enclaves poses new challenges for enclave developers, as exploitable memory corruption vulnerabilities are easily introduced into enclave code.

SGXFuzz: Efficiently Synthesizing Nested Structures for SGX Enclave Fuzzing

We present SGXFuzz, a coverage-guided fuzzer that introduces a novel binary input structure synthesis method to expose enclave vulnerabilities even without source-code access. To obtain code coverage feedback from enclaves, we show how to extract enclave code from distribution formats. We also present an enclave runner that allows execution of the extracted enclave code as a user-space application at native speed, while emulating all relevant environment interactions of the enclave. We use this setup to fuzz enclaves using a state-of-the-art snapshot fuzzing engine that deploys our novel structure synthesis stage. This stage synthesizes multi-layer pointer structures and size fields incrementally on-the-fly based on fault signals. Furthermore, it matches the expected input format of the enclave without any prior knowledge. We evaluated our approach on 30 open- and closed-source enclaves and found a total of 79 new bugs and vulnerabilities.

SGXFuzz Publication

A pre-print of our USENIX Security 2022 paper can be found here: pre-print pdf.

The source code of SGXFuzz is published at GitHub: uni-due-syssec/sgxfuzz.

TeeRex: Discovery and Exploitation of Memory Corruption Vulnerabilities in SGX Enclaves

We developed TeeRex to automatically analyze enclave binary code for vulnerabilities introduced at the host-to-enclave boundary by means of symbolic execution. Our evaluation on public enclave binaries reveals that many of them suffer from memory corruption errors that allow an attacker to corrupt function pointers or perform arbitrary memory writes. TeeRex features a specifically tailored framework for SGX enclaves that allows simple proof-of-concept exploit construction to assess the discovered vulnerabilities. In the course of our research we revealed vulnerabilities in multiple enclaves, including enclaves developed by Intel, Baidu, and WolfSSL, as well as biometric fingerprint software deployed on popular laptop brands.
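The host-to-enclave boundary bug class described above, shown beside its hardened form. This is an added example, not code from the TeeRex paper or from any vendor's enclave: `enclave_mem`, `struct request` and both `ecall_*` functions are hypothetical, and `is_outside_enclave` is a local stand-in with the same contract as the SGX SDK's `sgx_is_outside_enclave`, so the block runs without the SDK.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the enclave's protected address range. */
static uint8_t enclave_mem[4096];

/* Nonzero only if [addr, addr+size) does not overlap the enclave range.
 * Rejects ranges that wrap around the address space. */
static int is_outside_enclave(const void *addr, size_t size) {
    uintptr_t start = (uintptr_t)addr;
    uintptr_t lo = (uintptr_t)enclave_mem, hi = lo + sizeof enclave_mem;
    if (size > UINTPTR_MAX - start) return 0;
    uintptr_t end = start + size;
    return end <= lo || start >= hi;
}

/* Hypothetical ECALL argument; the struct and the buffer it points to
 * are supplied by the untrusted host. */
struct request { uint8_t *out; size_t out_len; };

static const uint8_t result[8] = {1, 2, 3, 4, 5, 6, 7, 8};

/* Vulnerable form: both pointers are trusted, so the host decides where
 * the enclave writes, including addresses inside the enclave itself. */
int ecall_get_result_unchecked(struct request *req) {
    memcpy(req->out, result, sizeof result);
    return 0;
}

/* Hardened form: validate the outer pointer, copy the struct into
 * enclave-owned memory so the host cannot change it after the checks,
 * then validate the nested pointer and length from that copy. */
int ecall_get_result(struct request *req) {
    struct request local;
    if (req == NULL || !is_outside_enclave(req, sizeof *req)) return -1;
    memcpy(&local, req, sizeof local);
    if (local.out == NULL || local.out_len < sizeof result) return -2;
    if (!is_outside_enclave(local.out, local.out_len)) return -3;
    memcpy(local.out, result, sizeof result);
    return 0;
}
```

In an enclave built with the Intel SDK, the EDL-generated bridge code performs the outer-pointer check for `[in]`/`[out]` parameters, but pointers marked `user_check` and pointers nested inside structures are left for the enclave author to validate.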

Our paper on TeeRex was published at the 29th USENIX Security Symposium 2020 and was awarded the German IT-Security Prize 2020.

For more information on this research project contact Tobias Cloosters.

TeeRex Paper Pre-Print

After disclosure of all vulnerabilities discovered with TeeRex, we release a pre-print of the full version of the paper, which describes details on the vulnerabilities we found in various enclaves, including fingerprint drivers developed by Synaptics (used by Lenovo, HP) and Goodix (used by Dell). Furthermore, our paper discusses the details of our symbolic-execution-based approach to identifying memory corruption vulnerabilities on the enclave-host boundary.

A pre-print of our USENIX Security 2020 paper can be found here: pre-print pdf.

TeeRex Proof-of-Concept Exploits

In the course of our research on analyzing the current state of SGX enclaves we encountered several vulnerable example enclaves, which are part of various SGX projects. For those enclaves, we worked with the affected vendors to fix the vulnerabilities in the enclave software. To foster open science and to encourage SGX developers to learn about vulnerabilities in SGX software, we published a list of the affected enclaves along with the vulnerable and fixed versions of the enclave code and our proof-of-concept (PoC) exploits.

Security Advisories

We discovered several vulnerabilities in the SGX components of fingerprint drivers developed by Synaptics and Goodix. The affected fingerprint drivers are utilized in diverse products, e.g., Lenovo, HP and Dell laptops.

The fixed versions of the fingerprint drivers are available via Windows Update and from the vendors. The following CVE numbers and advisories can be used to identify vulnerable and patched versions: