Our team and colleagues from the DFG Cluster of Excellence CASA have developed a new technique that, for the first time, enables fuzz testing of protected memory areas in modern processors. Our method revealed many vulnerabilities in security-critical software.

Intel’s “Software Guard Extension” (SGX) is a widely used technology to protect sensitive data from misuse. It helps developers in shielding a certain memory area from the rest of a computer. For example, a password manager can be executed safely in such an enclave, even if the rest of the system is corrupted by malware.

However, it is quite common that enclave software suffers from vulnerabilities. Already in 2020, our team discovered and published several vulnerabilities of SGX enclaves (Article: Danger to sensitive Data). Now, together with partners form the Cluster of Excellence CASA, we achieved another breakthrough in the analysis technique: our latest development enables fuzz testing of enclaves, which is much more effective than the previously used symbolic execution technique. The idea behind fuzz testing is to feed a large number of inputs into a program in order to gain insights into the structure of the code. “As enclaves are meant to be non-introspectable, fuzzing cannot easily be applied to them,” as Tobias Clooster (research assistant and PhD student in our group) explains the challenge. “Moreover, fuzzing requires nested data structures, which we dynamically reconstruct from the enclave code.” His research partner Johannes Willbold from the research college SecHuman from the Ruhr-Universität Bochum adds: “This way, the shielded regions can be analyzed without accessing the source code.”

Thanks to modern fuzzing technology, we were able to detect many previously unknown security problems. All tested fingerprint drivers as well as wallets for storing cryptocurrency were affected. Hackers could exploit these vulnerabilities to read biometric data or steal the entire balance of the stored cryptocurrency. All companies were informed; the SKALE Network even showed its appreciation with a “bug bounty” of their cryptocurrency. Three vulnerabilities have been added to the publicly available CVE directory**.

Weitere Infos

CVE stands for Common Vulnerabilities and Exposures and lists major, publicly known vulnerabilities. The vulnerabilities referenced have the CVE entriesCVE-2021-3675 (Synaptics Fingerprint Driver), CVE-2021-36218 (SKALE sgxwallet ) and CVE-2021-36219 (SKALE sgxwallet)

Publication: Cloosters, Tobias; Willbold, Johannes; Holz, Thorsten; Davi, Lucas Vincenzo: SGXFuzz: Efficiently Synthesizing Nested Structures for SGX Enclave Fuzzing. In: Proc. of 31st USENIX Security Symposium. 2022. Pre-Print: SGXFuzz: Efficiently Synthesizing Nested Structures for SGX Enclave Fuzzing

TEE project webpage: Analysis of TEE Software 

DFG Cluster of Excellence CASA: CASA Homepage