Analysis of TEE Software
TeeRex: Discovery and Exploitation of Memory Corruption Vulnerabilities in SGX Enclaves
Intel's Software Guard Extensions (SGX) introduced new instructions to switch the processor to enclave mode which protects it from introspection. While the enclave mode strongly protects the memory and the state of the processor, it cannot withstand memory corruption errors inside the enclave code. Our research shows that the attack surface of SGX enclaves provides new challenges for enclave developers as exploitable memory corruption vulnerabilities are easily introduced into enclave code.
We developed TeeRex to automatically analyze enclave binary code, by means of symbolic execution, for vulnerabilities introduced at the host-to-enclave boundary. Our evaluation on public enclave binaries reveals that many of them suffer from memory corruption errors that allow an attacker to corrupt function pointers or perform arbitrary memory writes. TeeRex features a framework specifically tailored to SGX enclaves that allows simple proof-of-concept exploit construction to assess the discovered vulnerabilities. In the course of our research we revealed vulnerabilities in multiple enclaves, including enclaves developed by Intel, Baidu, and WolfSSL, as well as biometric fingerprint software deployed on popular laptop brands.
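To illustrate the class of host-to-enclave boundary bug described above (an ECALL that uses a host-supplied pointer without validating it), here is an added C example that is not part of TeeRex or of any of the analyzed enclaves. It simulates enclave memory with a static buffer, and its outside_enclave() is a local stand-in for the SGX SDK's sgx_is_outside_enclave(); the function names, buffer, and return codes are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for enclave memory: in real SGX this is the enclave's
 * protected address range (ELRANGE); here it is a static buffer holding a
 * "secret" so the effect of an unchecked write is observable. */
static char enclave_secret[32] = "enclave-private-key-material";
static const char public_reply[] = "ok";

/* Stand-in for the SDK's sgx_is_outside_enclave(): true only when the whole
 * range [p, p+len) lies outside enclave memory. It rejects len == 0 and
 * address wraparound, and it checks the end of the buffer, not only its
 * start, so a buffer straddling the enclave boundary is also rejected. */
static int outside_enclave(const void *p, size_t len) {
    uintptr_t lo = (uintptr_t)p, hi;
    uintptr_t ebase = (uintptr_t)enclave_secret;
    uintptr_t eend = ebase + sizeof enclave_secret;
    if (len == 0 || lo > UINTPTR_MAX - len) return 0;
    hi = lo + len;
    return hi <= ebase || lo >= eend;
}

/* Vulnerable ECALL: "out" is a [user_check] pointer supplied by the untrusted
 * host and used as a write destination without validation. A host that
 * passes an in-enclave address turns this into an arbitrary enclave write,
 * the bug class TeeRex looks for at the host-to-enclave boundary. */
int ecall_reply_vulnerable(char *out, size_t len) {
    if (len < sizeof public_reply) return -1;
    memcpy(out, public_reply, sizeof public_reply);
    return 0;
}

/* Hardened ECALL: refuse any destination that is not entirely host memory
 * (the real SDK code would return SGX_ERROR_INVALID_PARAMETER here). */
int ecall_reply_hardened(char *out, size_t len) {
    if (len < sizeof public_reply) return -1;
    if (!outside_enclave(out, len)) return -2;
    memcpy(out, public_reply, sizeof public_reply);
    return 0;
}

/* Returns 1 while the simulated enclave secret is unmodified. */
int secret_intact(void) {
    return strcmp(enclave_secret, "enclave-private-key-material") == 0;
}
```

Calling ecall_reply_vulnerable() with a pointer into enclave_secret overwrites the secret, while ecall_reply_hardened() rejects the same call and leaves it intact.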
For more information on this research project contact Tobias Cloosters.
TeeRex Paper Pre-Print
Now that all vulnerabilities discovered with TeeRex have been disclosed, we are releasing a pre-print of the full version of the paper. It describes the details of the vulnerabilities we found in various enclaves, including fingerprint drivers developed by Synaptics (used by Lenovo, HP) and Goodix (used by Dell). Furthermore, our paper discusses the details of our symbolic-execution-based approach to identifying memory corruption vulnerabilities on the enclave-host boundary.
A pre-print of our upcoming USENIX Security 2020 paper can be found here: pre-print pdf.
TeeRex Proof-of-Concept Exploits
In the course of our research on analyzing the current state of SGX enclaves we encountered several vulnerable example enclaves, which are part of various SGX projects. For those enclaves, we worked with the affected vendors to fix the vulnerabilities in the enclave software. To foster open science and to help SGX developers learn about vulnerabilities in SGX software, we published a list of the affected enclaves along with the vulnerable and fixed versions of the enclave code and our proof-of-concept (PoC) exploits.
We discovered several vulnerabilities in the SGX components of fingerprint drivers developed by Synaptics and Goodix. The affected fingerprint drivers are used in a range of products, e.g., Lenovo, HP, and Dell laptops.
The fixed versions of the fingerprint drivers are available via Windows Update and from the vendors. The following CVE numbers and advisories can be used to identify vulnerable and patched versions:
- Synaptics' Advisory: https://www.synaptics.com/sites/default/files/fingerprint-driver-SGX-security-brief-2020-07-14.pdf
- Lenovo's Advisory: https://support.lenovo.com/us/en/product_security/LEN-31372
- HP's Advisory: https://support.hp.com/hk-en/document/c06696568
- Dell's Advisory: https://www.dell.com/support/article/SLN321807