lsds / TaLoS

Efficient TLS termination inside Intel SGX enclaves for existing applications

potential security issue: ecall_SSL_read using [user_check]

wyann22 opened this issue · comments

Similar to issue #13, I think it is necessary to add a bounds-checking function in ecall_SSL_read.
Imagine a TLS client which can fetch website contents from any server; we can pass a pointer pointing to enclave memory like this:
bytes = SSL_read(ssl, (char*)(secret_addr), sizeof(buf));
So the secret memory will be overwritten with the website content, like below:
[screenshot]
Moreover, if the host is not Google but is controlled by attackers, the secret memory value can be overwritten with an arbitrary value, like below. (The left terminal is a server controlled by the attacker.)
[screenshot]
Basically, attackers can modify any memory in the enclave to any value.
Thanks for guidance from @david-oswald
#18
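The mitigation the report asks for is a check that the host-supplied buffer lies wholly outside the enclave before the ecall writes into it. The C below is an added illustration and not TaLoS code: check_outside_enclave() is a hypothetical stand-in for the SGX SDK's sgx_is_outside_enclave(), and the enclave address range and ssl_read_impl() are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the enclave's address range. A real enclave
 * would call the SDK's sgx_is_outside_enclave(); the hypothetical
 * check_outside_enclave() below shows the overflow-safe range test. */
static uintptr_t g_enclave_base = 0x7f0000000000ULL;
static size_t    g_enclave_size = 0x10000000;   /* 256 MiB, constructed */

/* Returns true only if [ptr, ptr+len) lies entirely outside the enclave.
 * NULL, zero length and pointer-arithmetic wrap-around are all rejected,
 * so a caller cannot smuggle an in-enclave range past the check. */
bool check_outside_enclave(const void *ptr, size_t len)
{
    uintptr_t start = (uintptr_t)ptr;
    if (ptr == NULL || len == 0) return false;
    if (start + len < start) return false;           /* wrap-around */
    uintptr_t end     = start + len;                 /* exclusive */
    uintptr_t e_start = g_enclave_base;
    uintptr_t e_end   = g_enclave_base + g_enclave_size;
    /* disjoint iff the buffer ends before the enclave or starts after it */
    return end <= e_start || start >= e_end;
}

/* Hypothetical stand-in for SSL_read: fills the buffer with a fixed,
 * constructed payload and returns the number of bytes written. */
static int ssl_read_impl(void *buf, int num)
{
    const char payload[] = "HTTP/1.1 200 OK\r\n";
    int n = (int)sizeof(payload) - 1;
    if (n > num) n = num;
    memcpy(buf, payload, (size_t)n);
    return n;
}

/* Hardened shape of the ecall: validate the [user_check] pointer before
 * any data is copied through it. */
int ecall_SSL_read_checked(void *buf, int num)
{
    if (num <= 0 || !check_outside_enclave(buf, (size_t)num))
        return -1;  /* refuse: NULL, wraps, or overlaps enclave memory */
    return ssl_read_impl(buf, num);
}
```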

I think this issue should be merged with #18

Closed because duplicate of #18