STELLA: Sparse Taint Analysis for Enclave Leakage Detection
Yang Chen, Jianfeng Jiang, Shoumeng Yan, Hui Xu

TL;DR
This paper introduces STELLA, a static sparse taint analysis method to detect privacy leaks in Intel SGX enclave code, successfully identifying 78 previously unknown vulnerabilities across multiple projects.
Contribution
It presents a novel static analysis approach tailored for enclave leakage detection, addressing a gap in existing security assessment tools.
Findings
Detected 78 new vulnerabilities in open-source enclave programs
Identified five common leakage code patterns
Validated effectiveness on multiple real-world projects
Abstract
Intel SGX (Software Guard Extension) is a promising TEE (trusted execution environment) technique that can protect programs running in user space from being maliciously accessed by the host operating system. Although it provides hardware access control and memory encryption, the actual effectiveness also depends on the quality of the software. In particular, improper implementation of a code snippet running inside the enclave may still leak private data due to the invalid use of pointers. This paper serves as a first attempt to study the privacy leakage issues of enclave code and proposes a novel static sparse taint analysis approach to detect them. We first summarize five common patterns of leakage code. Based on these patterns, our approach performs forward analysis to recognize all taint sinks and then employs a backward approach to detect leakages. Finally, we have conducted…
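The two-phase scheme the abstract describes (a forward pass that recognizes taint sinks, then a backward pass from each sink to see whether it is fed by private data) as a toy, added here for illustration. This is not STELLA's implementation and the paper's five leakage patterns are not on this page: the straight-line IR, the two sink kinds (a store through a pointer derived from an ECALL argument, and any OCALL argument, both being memory the host can read) and the two sample ECALL bodies are constructed assumptions. "Sparse" is modelled in its usual sense of walking def-use chains rather than revisiting every instruction.

```python
"""Toy sparse taint analysis for enclave leakage (illustration, not STELLA).

Assumed SSA-style straight-line IR, one definition per name:
  ("arg", dst)            ECALL parameter supplied by the untrusted host
  ("secret", dst)         enclave-private value (taint source)
  ("local", dst)          pointer to an enclave-internal buffer
  ("assign", dst, src)    dst = src
  ("binop", dst, a, b)    dst = a <op> b; taint flows from both operands,
                          so pointer arithmetic on a host pointer stays host
  ("store", ptr, val)     *ptr = val
  ("ocall", name, *args)  call untrusted host code with args
Names with no definition are enclave-internal constants.
"""

DEFINING_OPS = ("arg", "secret", "local", "assign", "binop")


def operands(ins):
    """Values an instruction reads: the edges of the def-use graph."""
    op = ins[0]
    if op == "assign":
        return [ins[2]]
    if op == "binop":
        return [ins[2], ins[3]]
    if op == "store":
        return [ins[1], ins[2]]
    if op == "ocall":
        return list(ins[2:])
    return []


def build_defs(program):
    """Map each defined name to the index of its defining instruction."""
    return {ins[1]: i for i, ins in enumerate(program) if ins[0] in DEFINING_OPS}


def forward_find_sinks(program):
    """Forward pass: propagate 'host-controlled' from ECALL args; a store
    through a host-controlled pointer, or any OCALL argument, is a sink."""
    host, sinks = set(), []  # sinks: (index, value reaching the host, kind)
    for idx, ins in enumerate(program):
        op = ins[0]
        if op == "arg":
            host.add(ins[1])
        elif op in ("assign", "binop") and any(o in host for o in operands(ins)):
            host.add(ins[1])
        elif op == "store" and ins[1] in host:
            sinks.append((idx, ins[2], "store to host memory"))
        elif op == "ocall":
            for a in ins[2:]:
                sinks.append((idx, a, "ocall %s argument" % ins[1]))
    return sinks


def backward_reaches_secret(value, program, defs):
    """Backward sparse pass: follow def-use chains from `value` (only the
    defining instructions of its operands) looking for a 'secret' definition."""
    seen, work = set(), [value]
    while work:
        v = work.pop()
        if v in seen:
            continue
        seen.add(v)
        d = defs.get(v)
        if d is None:  # enclave-internal constant: carries no taint
            continue
        ins = program[d]
        if ins[0] == "secret":
            return True
        work.extend(operands(ins))
    return False


def find_leaks(program):
    """Sinks whose stored or passed value derives from a secret."""
    defs = build_defs(program)
    return [(idx, kind) for idx, val, kind in forward_find_sinks(program)
            if backward_reaches_secret(val, program, defs)]


# Constructed sample ECALL bodies (not taken from any real project).
LEAKY_ECALL = [
    ("arg", "out"),                    # unchecked pointer from the host
    ("arg", "msg"),
    ("secret", "key"),                 # e.g. an unsealed key
    ("local", "ebuf"),
    ("binop", "buf", "out", "eight"),  # out + 8 still points into host memory
    ("assign", "tmp", "key"),
    ("store", "buf", "tmp"),           # key copied into host-readable memory
    ("store", "ebuf", "key"),          # enclave-internal buffer: not a sink
    ("binop", "n", "msg", "one"),
    ("ocall", "debug_log", "n"),       # sink, but host-derived data only
]

SAFE_ECALL = [
    ("arg", "out"),
    ("arg", "msg"),
    ("secret", "key"),
    ("local", "ebuf"),
    ("store", "ebuf", "key"),          # key never leaves enclave memory
    ("binop", "echo", "msg", "one"),
    ("store", "out", "echo"),          # only host-derived data goes back out
    ("ocall", "debug_log", "one"),
]

if __name__ == "__main__":
    for name, prog in (("leaky", LEAKY_ECALL), ("safe", SAFE_ECALL)):
        print(name, find_leaks(prog))  # leaky: index 6 store; safe: none
```

The forward pass decides what counts as a sink (a store is only a sink when its pointer is host-derived, which is why the write to `ebuf` is ignored), and the backward pass is run once per sink rather than over the whole program; a real tool additionally has to model memory, control flow and the SDK's pointer-validation helpers, none of which this toy attempts.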
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Digital and Cyber Forensics
