SmashEx: Smashing SGX Enclaves Using Exceptions
Jinhua Cui, Jason Zhijingcheng Yu, Shweta Shinde, Prateek Saxena, Zhiping Cai

TL;DR
This paper uncovers a new attack called SmashEx that exploits asynchronous exception handling in Intel SGX enclaves, leading to memory disclosure and code-reuse vulnerabilities without relying on memory errors or side channels.
Contribution
It introduces SmashEx, a novel attack exploiting OS-enclave exception interface flaws in SGX, demonstrating practical vulnerabilities in widely-used SGX runtimes and proposing potential defenses.
Findings
10 out of 14 frameworks are vulnerable
Successful exploits cause memory disclosure and ROP attacks
Vulnerabilities exist on both SGX1 and SGX2 platforms
Abstract
Exceptions are a commodity hardware functionality which is central to multi-tasking OSes as well as event-driven user applications. Normally, the OS assists the user application by lifting the semantics of exceptions received from hardware to program-friendly user signals and exception handling interfaces. However, can exception handlers work securely in user enclaves, such as those enabled by Intel SGX, where the OS is not trusted by the enclave code? In this paper, we introduce a new attack called SmashEx which exploits the OS-enclave interface for asynchronous exceptions in SGX. It demonstrates the importance of a fundamental property of safe atomic execution that is required on this interface. In the absence of atomicity, we show that asynchronous exception handling in SGX enclaves is complicated and prone to re-entrancy vulnerabilities. Our attacks do not assume any memory errors…
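The abstract's central point is that the OS-to-enclave exception interface needs atomic, single-entry execution: if the untrusted OS can deliver a second asynchronous exception while the enclave is still saving or handling the first, the handler re-enters itself and its bookkeeping is overwritten. The following C program is an added, deliberately simplified model of that property; it is not code from the paper, from the Intel SGX SDK, or from any SGX runtime, and it does not reproduce the paper's exploit. The `enclave_t` structure, the `entry_unsafe`/`entry_safe` functions and the register values are all hypothetical, constructed here to contrast an entry point that blindly overwrites its saved context with one that rejects nested entry via an atomic test-and-set.

```c
/* Constructed model of an enclave's asynchronous-exception entry point.
 * Hypothetical code written for this page, not the SGX SDK's and not the
 * paper's attack: it only shows why re-entrant delivery must be refused
 * atomically. Build with gcc or clang (uses the __atomic builtins). */
#include <stdint.h>
#include <stdio.h>

/* Hypothetical snapshot of the context the enclave must resume after the
 * handler finishes. In real SGX this role is split between the hardware
 * SSA frame and the runtime's own in-enclave bookkeeping. */
typedef struct {
    uint64_t rip;
    uint64_t rsp;
} saved_ctx_t;

typedef struct {
    saved_ctx_t saved;  /* context to return to after handling */
    int in_handler;     /* single-entry guard, used only by entry_safe */
} enclave_t;

typedef int (*entry_fn)(enclave_t *, const saved_ctx_t *);

/* Unsafe entry: unconditionally overwrites the saved context. A second
 * exception delivered while the first is still being handled replaces the
 * original resume context with whatever the second delivery carried. */
int entry_unsafe(enclave_t *e, const saved_ctx_t *incoming) {
    e->saved = *incoming;
    return 0;
}

/* Safe entry: atomic exchange on in_handler makes "check the guard" and
 * "take the guard" one indivisible step, so a nested delivery that lands
 * between them cannot slip through. Nested entry is refused and the
 * already-saved context is left untouched. */
int entry_safe(enclave_t *e, const saved_ctx_t *incoming) {
    if (__atomic_exchange_n(&e->in_handler, 1, __ATOMIC_ACQ_REL)) {
        return -1;  /* re-entry refused */
    }
    e->saved = *incoming;
    return 0;
}

/* Called when the handler has fully completed; releases the guard. */
void handler_done(enclave_t *e) {
    __atomic_store_n(&e->in_handler, 0, __ATOMIC_RELEASE);
}

/* Simulate one exception delivery followed by a second delivery before the
 * first handler has finished. Returns the rip the enclave would resume at;
 * *second_rc receives the entry function's result for the nested delivery. */
uint64_t simulate(entry_fn entry, int *second_rc) {
    enclave_t e = {0};
    /* Constructed values: the first is the legitimate interrupted context,
     * the second is what an untrusted OS could present on nested delivery. */
    saved_ctx_t first  = { .rip = 0x1000, .rsp = 0x7000 };
    saved_ctx_t second = { .rip = 0xdead, .rsp = 0x7fff };

    entry(&e, &first);
    *second_rc = entry(&e, &second);  /* nested delivery while still handling */
    if (entry == entry_safe) {
        handler_done(&e);
    }
    return e.saved.rip;
}

/* Small wrappers so each result can be checked in isolation. */
uint64_t resumed_rip(entry_fn entry) {
    int rc;
    return simulate(entry, &rc);
}

int nested_entry_rc(entry_fn entry) {
    int rc;
    (void)simulate(entry, &rc);
    return rc;
}

int main(void) {
    printf("unsafe: resume rip=0x%llx nested rc=%d\n",
           (unsigned long long)resumed_rip(entry_unsafe), nested_entry_rc(entry_unsafe));
    printf("safe:   resume rip=0x%llx nested rc=%d\n",
           (unsigned long long)resumed_rip(entry_safe), nested_entry_rc(entry_safe));
    return 0;
}
```

The model compresses everything the abstract calls "complicated" into a single saved-context slot, but the failure mode is the one it describes: without atomic single entry, the resume context of the unsafe variant ends up under OS control, while the guarded variant resumes at the original address and reports the nested delivery as refused. A real runtime additionally has to release the guard only after every use of the saved state is complete, which is the part the guard on its own does not give you.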
