potential security issue: ecall_SSL_read using [user_check]
wyann22 opened this issue · comments
Similar to issue #13, I think it is necessary to add a bounds-checking function in ecall_SSL_read.
Imagine a TLS client that can fetch the website contents of any server; we can transfer a pointer pointing to enclave memory like this:
bytes = SSL_read(ssl, (char*)(secret_addr), sizeof(buf));
So the secret memory will be overwritten with the website content, like below:
Moreover, if the host is not Google but is controlled by attackers, the secret memory value can be overwritten with an arbitrary value, like below. (The left terminal is a server controlled by the attacker.)
Basically, attackers can modify any memory in the enclave to any value.
Thanks for guidance from @david-oswald
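The check the issue asks for, as an added example that is not the project's own code: a `[user_check]` pointer reaching `ecall_SSL_read` is only safe to hand to `SSL_read` if the whole destination range `[buf, buf+num)` lies outside the enclave, which is what the SGX SDK's `sgx_is_outside_enclave(addr, size)` answers. To run without SGX, the example stands in a static array for enclave memory, a stand-in `is_outside_enclave` with the same contract, and a stand-in `SSL_read` whose "peer data" is supplied inline; `ecall_SSL_read_unchecked`, `ecall_SSL_read_checked`, `SECRET_OFF` and the payload are constructed for the demo, not taken from the project.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical enclave memory (stand-in for the real enclave layout). */
static unsigned char g_enclave_mem[4096];
#define ENCLAVE_BASE ((uintptr_t)g_enclave_mem)
#define ENCLAVE_SIZE (sizeof g_enclave_mem)

/* The secret lives inside the enclave, like secret_addr in the issue. */
#define SECRET_OFF 256
#define SECRET_LEN 32

static unsigned char g_host_buf[64];          /* untrusted buffer, outside the enclave */

/* Returns 1 iff [addr, addr+len) lies entirely outside the enclave.
   Same contract as the SDK's sgx_is_outside_enclave(); NULL, zero-length
   and address-wrapping ranges are rejected instead of counted as outside. */
int is_outside_enclave(const void *addr, size_t len)
{
    uintptr_t start = (uintptr_t)addr;
    if (addr == NULL || len == 0) return 0;
    if (start > UINTPTR_MAX - len) return 0;          /* start+len would wrap */
    uintptr_t end   = start + len;                    /* exclusive */
    uintptr_t ebase = ENCLAVE_BASE;
    uintptr_t eend  = ENCLAVE_BASE + ENCLAVE_SIZE;
    return (end <= ebase) || (start >= eend);
}

/* Stand-in for SSL_read(): the bytes "received from the peer" are set up
   by the demo, so no TLS session is needed to show the write primitive. */
static const unsigned char *g_peer_data;
static size_t g_peer_len;

static int fake_SSL_read(void *buf, int num)
{
    size_t n = g_peer_len < (size_t)num ? g_peer_len : (size_t)num;
    memcpy(buf, g_peer_data, n);
    return (int)n;
}

/* The pattern the issue reports: buf is [user_check] and never validated. */
int ecall_SSL_read_unchecked(void *buf, int num)
{
    return fake_SSL_read(buf, num);
}

/* Hardened ECALL: refuse unless the destination is wholly outside the enclave. */
int ecall_SSL_read_checked(void *buf, int num)
{
    if (num <= 0 || !is_outside_enclave(buf, (size_t)num))
        return -1;                                    /* refuse; buf is never written */
    return fake_SSL_read(buf, num);
}

/* Constructed attacker payload and a known secret value for the demo. */
static unsigned char k_payload[SECRET_LEN];

static void reset_demo(void)
{
    memset(g_enclave_mem + SECRET_OFF, 0x5A, SECRET_LEN);   /* "secret" bytes */
    memset(k_payload, 0x41, SECRET_LEN);                    /* attacker's choice */
    g_peer_data = k_payload;
    g_peer_len  = SECRET_LEN;
}

/* 1 if the unchecked ECALL let the peer overwrite the in-enclave secret. */
int unchecked_overwrites_secret(void)
{
    reset_demo();
    unsigned char *secret_addr = g_enclave_mem + SECRET_OFF;
    ecall_SSL_read_unchecked(secret_addr, SECRET_LEN);
    return memcmp(secret_addr, k_payload, SECRET_LEN) == 0;
}

/* 1 if the checked ECALL refused and the secret is untouched. */
int checked_keeps_secret(void)
{
    reset_demo();
    unsigned char *secret_addr = g_enclave_mem + SECRET_OFF;
    int rc = ecall_SSL_read_checked(secret_addr, SECRET_LEN);
    unsigned char expect[SECRET_LEN];
    memset(expect, 0x5A, SECRET_LEN);
    return rc == -1 && memcmp(secret_addr, expect, SECRET_LEN) == 0;
}

/* Legitimate caller: a host buffer passes the check and is filled. */
int checked_fills_host_buffer(void)
{
    reset_demo();
    int rc = ecall_SSL_read_checked(g_host_buf, sizeof g_host_buf);
    return rc == SECRET_LEN && memcmp(g_host_buf, k_payload, SECRET_LEN) == 0;
}

int main(void)
{
    printf("unchecked ecall overwrote secret: %d\n", unchecked_overwrites_secret());
    printf("checked ecall kept secret:        %d\n", checked_keeps_secret());
    printf("checked ecall filled host buffer: %d\n", checked_fills_host_buffer());
    return 0;
}
```

The range test has to cover both ends: a buffer that starts outside but runs into the enclave, or one whose `start+num` wraps around, must be rejected just like a pointer squarely inside, otherwise the same write primitive survives with a slightly different pointer. In a real enclave the call is `sgx_is_outside_enclave(buf, num)` from `sgx_trts.h`; the stand-in above only replaces the enclave base and size that the SDK reads from its own layout.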
#18
I think this issue should be merged with #18