Posted to commits@teaclave.apache.org by ms...@apache.org on 2021/11/01 23:07:20 UTC

[incubator-teaclave-website] branch master updated: Add blog of SmashEx advisory

This is an automated email from the ASF dual-hosted git repository.

mssun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave-website.git


The following commit(s) were added to refs/heads/master by this push:
     new e64ca49  Add blog of SmashEx advisory
e64ca49 is described below

commit e64ca49ffdbdf6ff09a027d386f328307514f461
Author: Mingshen Sun <bo...@mssun.me>
AuthorDate: Mon Nov 1 16:07:14 2021 -0700

    Add blog of SmashEx advisory
---
 ...curity-advisory-of-smashex-and-cve-2021-0186.md | 86 ++++++++++++++++++++++
 1 file changed, 86 insertions(+)

diff --git a/site/blog/2021-11-01-security-advisory-of-smashex-and-cve-2021-0186.md b/site/blog/2021-11-01-security-advisory-of-smashex-and-cve-2021-0186.md
new file mode 100644
index 0000000..153d295
--- /dev/null
+++ b/site/blog/2021-11-01-security-advisory-of-smashex-and-cve-2021-0186.md
@@ -0,0 +1,86 @@
+---
+title: Security Advisory of SmashEx and CVE-2021-0186
+date: 2021-10-25
+author: Mingshen Sun
+---
+
+Recently, we were notified of a re-entrancy vulnerability in the exception
+handling designs of some popular SGX SDKs (including Intel SGX SDK), resulting in
+arbitrary disclosure of enclave private memory and code-reuse attacks in SGX
+enclave.
+
+The vulnerability is named as [SmashEx](https://jasonyu1996.github.io/SmashEx/)
+[1]. The SmashEx attack affects several SGX runtimes with exception handling.
+For Intel SGX SDK, the assigned identifier is
+[CVE-2021-0186](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00548.html) [2].
+While the vulnerability itself is not a Teaclave flaw, we're taking proactive
+measures to explain and mitigate its impact on Teaclave users.
+
+## Overview
+
+Due to the lack of atomicity primitives in SGX enclaves, an SGX enclave can be
+interrupted and re-entered at any time, including when it is in a state unsafe
+for re-entry (i.e., when it is executing a critical section). The SmashEx attack
+exploits such unsafe enclave re-entries happening in the exception handling
+mechanism in the SGX runtime.
+
+A malicious host can create an exception immediately after EENTER which causes
+control to be transferred to the host before the enclave stack (RSP register)
+has been properly set up. Then, a special ECALL (called `ECMD_EXCEPT`) to
+enclave will use the attacker-controlled RSP register to setup the context of
+the exception handler function. At last, when the host transfers control back to the
+enclave with ERESUME, it may execute with a stack that resides in host memory
+thereby enabling ROP exploits.
+
+This vulnerability can be fixed by adding extra checks on untrusted RSP when
+constructing the context of the exception handler.
+
+## Affected Versions
+
+For Intel SGX SDK, the vulnerability affects all projects using the following
+versions.
+
+- Intel SGX SDK for Windows v2.12 and erlier
+- Intel SGX SDK for Linux v2.13 and earlier
+
+## Impacts on Teaclave
+
+Teaclave SGX SDK wraps Intel SGX SDK and provides a Rust development
+environment. The affected Intel SGX SDK version was recommended in Rust SGX SDK
+v1.1.3 (which is a pre-Apache release). Therefore, people using Rust SGX SDK
+v1.1.3 with the vulnerable Intel SGX SDK (v2.13 and earlier) are also
+vulnerable. *However, the current Teaclave SGX SDK is compatible with newer Intel SGX
+SDK versions. Therefore, we recommend all users to upgrade to the latest Intel
+SGX SDK.*
+
+For Teaclave (i.e., the Teaclave FaaS platform), it uses Teaclave SGX SDK to
+build a confidential computing platform. Therefore, the Teaclave v0.2.0 released
+in March used the vulnerable Intel SGX SDK version.
+*However, the [v0.3.0 released](https://github.com/apache/incubator-teaclave/releases/tag/v0.3.0) [3]
+in August has upgraded the Intel SGX SDK to v2.14 with the fix. Therefore,
+the latest release of Teaclave is not affected by this vulnerability.*
+
+## Patches & Mitigations
+
+The vulnerability has been fixed in Intel SGX SDK in this patch:
+ - Patch: <https://github.com/intel/linux-sgx/commit/edfe42a517b3e4b1d81204c3cdef6da6cb35fefc>
+
+Teaclave users can apply the following mitigations:
+
+- Use Teacalve SGX SDK with Intel SGX SDK for Linux version 2.14 or later
+- Upgrade to Teaclave 0.3.0 or later
+
+## Acknowledgements
+
+We would like to thank Jinhua Cui, National University of Defense Technology and
+National University of Singapore, Shweta Shinde, ETH Zurich , Zhijingcheng Yu,
+National University of Singapore, and Prateek Saxena, National University of
+Singapore for notifying us about this issue.
+
+## References
+
+- [1] <https://jasonyu1996.github.io/SmashEx/>
+- [2] <https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00548.html>
+- [3] <https://github.com/apache/incubator-teaclave/releases/tag/v0.3.0>
+- [SmashEx: Smashing SGX Enclaves Using Exceptions](https://arxiv.org/abs/2110.06657)
+- [Open Enclave SDK Elevation of Privilege Vulnerability](https://github.com/openenclave/openenclave/security/advisories/GHSA-mj87-466f-jq42)
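Review bot: The front-matter `date: 2021-10-25` disagrees with the `2021-11-01` date in the file name; pick one so the post sorts and displays consistently. Two typos in the body: `erlier` in the Affected Versions list should read `earlier`, and `Teacalve SGX SDK` in the mitigations list should read `Teaclave SGX SDK`. The Affected Versions section lists both Windows (v2.12 and earlier) and Linux (v2.13 and earlier), but the Impacts paragraph only says "v2.13 and earlier" and the mitigation only names "Intel SGX SDK for Linux version 2.14 or later"; either add the fixed Windows version or state that the guidance covers Linux builds. Minor: stray space before the comma in `ETH Zurich ,`.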
