Google Asylo介绍
Asylo 是一个开源框架,助力开发人员以RPC的风格开发Enclave应用程序。
Asylo 能够帮助Enclave开发者使用一系列新兴的可信执行环境 (TEE),包括采用软件和硬件隔离技术实现的TEE,更具体来说包括如Intel SGX、ARM TrustZone提供的Enclave。
⋆ \star ⋆ Google Asylo大量运用了ABSL库。
Google Asylo与Intel SGX PSW&SDK的关系
Google Asylo和linux-sgx(linux平台下的SGX软件栈,介绍也可以参考here)的区别如下图
以目前分析情况来看,针对使用SGX特性而言(Google Asylo也旨在兼容其他Enclave软件栈),Google Asylo是基于Intel SGX PSW&SDK封装形成的新的抽象。从源码可以看到Google Asylo在切换Enclave Mode和Normal Mode时,仍然使用了Intel SGX软件栈,包括由EDL文件形成的Trusted/Untrusted Stub。也就是说Google Asylo位于Intel SGX PSW&SDK的上层。
Google Asylo ECALL流程
以先后调用顺序描述ECALL(GenericEnclaveClient::EnterAndRun)流程
不可信部分(Google Asylo提供)
GenericEnclaveClient::EnterAndRun
→
\rightarrow
→ GenericEnclaveClient::Run
→
\rightarrow
→ Client::EnclaveCall
→
\rightarrow
→ SgxEnclaveClient::EnclaveCallInternal
不可信Stub(SGX原生软件栈生成)
→
\rightarrow
→ ecall_dispatch_trusted_call (Note: Untrusted Stub Generated by SGX EDGER8R According to "bridge.edl")
SGX uRTS(SGX原生软件栈提供)
→
\rightarrow
→ SGX uRTS
EENTER(SGX硬件提供)
→
\rightarrow
→ ENCLU.(EAX=02H) (也就是EENTER)
SGX tRTS(SGX原生软件栈提供)
→
\rightarrow
→ SGX tRTS
可信Stub(SGX原生软件栈生成)
→
\rightarrow
→ ecall_dispatch_trusted_call (Note: Trusted Stub)
可信部分(Google Asylo提供)
→
\rightarrow
→ asylo_enclave_call
→
\rightarrow
→ InvokeEntryHandler
→
\rightarrow
→ enclave_state.entry_table[selector]
→
\rightarrow
→ 真正的ECALL
Asylo相关CVE
用Scrapy构建NVDSpider从NVD官网爬取。
列表如下,基本上是在对跨越Enclave-Host边界的数据检查不到位。
| current_description | cve_id | cvss2_score | cwe | paper | project | result | reference |
|---|---|---|---|---|---|---|---|
| An arbitrary memory write vulnerability in Asylo versions up to 0.6.0 allows an untrusted attacker to make a call to ecall_restore using the attribute output which fails to check the range of a pointer. An attacker can use this pointer to write to arbitrary memory addresses including those within the secure enclave We recommend upgrading past commit 382da2b8b09cbf928668a2445efb778f76bd9c8a | CVE-2020-8944 | 5.3 MEDIUM | CWE-787 Out-of-bounds Write,CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) | None | Google Asylo | 任意内存写 | https://github.com/google/asylo/commit/382da2b8b09cbf928668a2445efb778f76bd9c8a (Exploit, Third Party Advisory); |
| An arbitrary memory read vulnerability in Asylo versions up to 0.6.0 allows an untrusted attacker to make a call to enc_untrusted_recvfrom whose return size was not validated against the requested size. The parameter size is unchecked allowing the attacker to read memory locations outside of the intended buffer size including memory addresses within the secure enclave. We recommend upgrading past commit 6e158d558abd3c29a0208e30c97c9a8c5bd4230f | CVE-2020-8943 | 5.3 MEDIUM | CWE-125 Out-of-bounds Read,CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) | None | Google Asylo | 任意内存读 | https://github.com/google/asylo/commit/6e158d558abd3c29a0208e30c97c9a8c5bd4230f (Patch, Third Party Advisory); |
| An arbitrary memory read vulnerability in Asylo versions up to 0.6.0 allows an untrusted attacker to make a call to enc_untrusted_read whose return size was not validated against the requrested size. The parameter size is unchecked allowing the attacker to read memory locations outside of the intended buffer size including memory addresses within the secure enclave. We recommend upgrading past commit b1d120a2c7d7446d2cc58d517e20a1b184b82200 | CVE-2020-8942 | 5.3 MEDIUM | CWE-125 Out-of-bounds Read,CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) | None | Google Asylo | 任意内存读 | https://github.com/google/asylo/commit/b1d120a2c7d7446d2cc58d517e20a1b184b82200 (Patch, Third Party Advisory); |
| An arbitrary memory read vulnerability in Asylo versions up to 0.6.0 allows an untrusted attacker to make a call to enc_untrusted_inet_pton using an attacker controlled klinux_addr_buffer parameter. The parameter size is unchecked allowing the attacker to read memory locations outside of the intended buffer size including memory addresses within the secure enclave. We recommend upgrading past commit 8fed5e334131abaf9c5e17307642fbf6ce4a57ec | CVE-2020-8941 | 5.3 MEDIUM | CWE-125 Out-of-bounds Read,CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) | None | Google Asylo | 任意内存读 | https://github.com/google/asylo/commit/8fed5e334131abaf9c5e17307642fbf6ce4a57ec (Patch, Third Party Advisory, US Government Resource); |
| An arbitrary memory read vulnerability in Asylo versions up to 0.6.0 allows an untrusted attacker to make a call to enc_untrusted_recvmsg using an attacker controlled result parameter. The parameter size is unchecked allowing the attacker to read memory locations outside of the intended buffer size including memory addresses within the secure enclave. We recommend upgrading or past commit fa6485c5d16a7355eab047d4a44345a73bc9131e | CVE-2020-8940 | 5.3 MEDIUM | CWE-125 Out-of-bounds Read,CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) | None | Google Asylo | 任意内存读 | https://github.com/google/asylo/commit/fa6485c5d16a7355eab047d4a44345a73bc9131e (Patch, Third Party Advisory); |
| An out of bounds read on the enc_untrusted_inet_ntop function allows an attack to extend the result size that is used by memcpy() to read memory from within the enclave heap. We recommend upgrading past commit 6ff3b77ffe110a33a2f93848a6333f33616f02c4 | CVE-2020-8939 | 5.3 MEDIUM | CWE-125 Out-of-bounds Read | None | Google Asylo | 越界读 | https://github.com/google/asylo/commit/6ff3b77ffe110a33a2f93848a6333f33616f02c4 (Patch, Third Party Advisory); |
| An arbitrary memory overwrite vulnerability in Asylo versions up to 0.6.0 allows an attacker to make a host call to FromkLinuxSockAddr with attacker controlled content and size of klinux_addr which allows an attacker to write memory values from within the enclave. We recommend upgrading past commit a37fb6a0e7daf30134dbbf357c9a518a1026aa02 | CVE-2020-8938 | 5.3 MEDIUM | CWE-787 Out-of-bounds Write | None | Google Asylo | 任意内存覆写 | https://github.com/google/asylo/commit/bda9772e7872b0d2b9bee32930cf7a4983837b39 (Patch, Third Party Advisory); |
| An arbitrary memory overwrite vulnerability in Asylo versions up to 0.6.0 allows an attacker to make a host call to enc_untrusted_create_wait_queue that uses a pointer queue that relies on UntrustedLocalMemcpy, which fails to validate where the pointer is located. This allows an attacker to write memory values from within the enclave. We recommend upgrading past commit a37fb6a0e7daf30134dbbf357c9a518a1026aa02 | CVE-2020-8937 | 5.3 MEDIUM | CWE-787 Out-of-bounds Write,CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) | None | Google Asylo | 任意内存覆写 | https://github.com/google/asylo/commit/a37fb6a0e7daf30134dbbf357c9a518a1026aa02 (Patch, Third Party Advisory); |
| An arbitrary memory overwrite vulnerability in Asylo versions up to 0.6.0 allows an attacker to make a host call to UntrustedCall. UntrustedCall failed to validate the buffer range within sgx_params and allowed the host to return a pointer that was an address within the enclave memory. This allowed an attacker to read memory values from within the enclave. | CVE-2020-8936 | 5.3 MEDIUM | CWE-125 Out-of-bounds Read | None | Google Asylo | 攻击者读取Enclave内容 | https://github.com/google/asylo/commit/83036fd841d33baa7e039f842d131aa7881fdcc2 (Patch, Third Party Advisory); |
| An arbitrary memory overwrite vulnerability in Asylo versions up to 0.6.0 allow an attacker to make an Ecall_restore function call to reallocate untrusted code and overwrite sections of the Enclave memory address. We recommend updating your library. | CVE-2020-8935 | 5.3 MEDIUM | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer | None | Google Asylo | 任意内存覆写 | https://github.com/google/asylo/commit/ed0926bff0e423cd122a18b3d2fc772817f66825 (Patch, Third Party Advisory); |
| A buffer length validation vulnerability in Asylo versions prior to 0.6.0 allows an attacker to read data they should not have access to. The ‘enc_untrusted_recvfrom’ function generates a return value which is deserialized by ‘MessageReader’, and copied into three different ‘extents’. The length of the third ‘extents’ is controlled by the outside world, and not verified on copy, allowing the attacker to force Asylo to copy trusted memory data into an untrusted buffer of significantly small length… We recommend updating Asylo to version 0.6.0 or later. | CVE-2020-8905 | 2.8 LOW | CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) | None | Google Asylo | 信息泄露 | https://github.com/google/asylo/commit/299f804acbb95a612ab7c504d25ab908aa59ae93 (Patch, Third Party Advisory); |
| An arbitrary memory overwrite vulnerability in the trusted memory of Asylo exists in versions prior to 0.6.0. As the ecall_restore function fails to validate the range of the output_len pointer, an attacker can manipulate the tmp_output_len value and write to an arbitrary location in the trusted (enclave) memory. We recommend updating Asylo to version 0.6.0 or later. | CVE-2020-8904 | 6.4 MEDIUM | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer,CWE-823 Use of Out-of-range Pointer Offset | All 3 versions | Google Asylo | 任意内存覆写 | https://github.com/google/asylo/commit/e582f36ac49ee11a21d23ad6a30c333092e0a94e (Patch, Third Party Advisory); |
298
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
