Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[security]information leakage in enclave code #69

Open
jmp0x7c00 opened this issue Mar 22, 2022 · 2 comments
Open

[security]information leakage in enclave code #69

jmp0x7c00 opened this issue Mar 22, 2022 · 2 comments

Comments

@jmp0x7c00
Copy link

hi,sir,

Town-Crier is an awesome project, I love it.but I think there maybe a security issue here , in file Enclave/SSLClient.c :

len = sizeof( buf ) - 1;
        memset( buf, 0, sizeof( buf ) );

        do ret = mbedtls_ssl_read( &ssl, buf, len );
        while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
               ret == MBEDTLS_ERR_SSL_WANT_WRITE );

        if( ret <= 0 )
        {
            switch( ret )
            {
                case MBEDTLS_ERR_SSL_TIMEOUT:
                    mbedtls_printf( " timeout\n" );
                    if( retry_left-- > 0 )
                        goto send_request;
                    goto exit;

                case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
                    mbedtls_printf( " connection was closed gracefully\n" );
                    ret = 0;
                    goto close_notify;

                default:
                    mbedtls_printf( " mbedtls_ssl_read returned -0x%x\n", -ret );
                    goto exit;
            }
        }

        len = ret;
        buf[len] = '\0';
// ===========================> leak here
        mbedtls_printf( " %d bytes read\n\n%s", len, (char *) buf );
        ret = 0;

Intel SGX can protect our sensitve data in enclave, however, we have to write our code carefully in case of leaking them by invoking ocall. I think we have to comment these lines before we use Town-Crier in release mode.

I think one solution is that we can define a DEBUG macro to decide wether to print them.
@bl4ck5un
Copy link
Owner

Hi @jmp0x7c00 , thanks for the note! The code is meant to be a research prototype for evaluation purposes so debugging statements like this is probably all over the place. Don't use this code in production!

That said, we do have logging level support in https://github.com/bl4ck5un/Town-Crier/blob/master/src/Enclave/log.h so you can modify logging to suite your needs.

mbedtls logging can be configured by

Town-Crier/src/Enclave/tls_client.cpp

Line 214 in 33471ff

mbedtls_debug_set_threshold(0);

@jmp0x7c00
Copy link
Author

ok, I see. Thanks for your quick replay.!:)
If we use Town-Crier in product environment, we have to modify its code a little.
here is an another leak-causing code, the decrypted message will be hexdumped outside enclave.

const string decrypt_query(const uint8_t* data, size_t data_len) {
  HybridEncryption dec_ctx;
  ECPointBuffer tc_pubkey;
  dec_ctx.queryPubkey(tc_pubkey);

  string cipher_b64(string(data, data + data_len).c_str());
  hexdump("encrypted query: ", data, data_len);

  try {
    HybridCiphertext cipher = dec_ctx.decode(cipher_b64);
    vector<uint8_t> cleartext;
    dec_ctx.hybridDecrypt(cipher, cleartext);
   
   // !!!===================> leak
    hexdump("decrypted message", &cleartext[0], cleartext.size());

    // decrypted message is the base64 encoded data
    string encoded_message(cleartext.begin(), cleartext.end());
    return encoded_message;
  }

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bl4ck5un @jmp0x7c00