Comments (1)
hi kmarzouq,
Nice to hear you are studying Intel SGX more, replies to your questions below:
1. I have been tweaking and studying Intel SGX more and I was wondering why unmap_alias() isn't done right before transient_access() in 'foreshadow_round()' and instead run right before enclave_reload() and foreshadow()?
Mainly because you only need to do this once(!) The whole point of the "alias" mapping is to make sure that you have one virtual address mapping that is mapped properly to the physical enclave secret (used by the enclave to populate L1) and one that has the P-bit cleared (used by the attacker to trigger the Foreshadow transient-forwarding effect to leak the secret). See the paper for more details on the idea of the remapping (figure 3).
Do you have any idea what the unmap_alias() is translated to assembly?
It shouldn't matter as this is executed before the attack (in the attacker setup phase). If you want, you can easily check with objdump. In any case, it'll be translated to an mprotect libc (system call) function and a simple memory write (after SGX-Step has acquired a user-space virtual address to write to the alias PTE earlier). See the C code.
I am successfully leaking data at a low 0.16% rate from an SGX protected enclave, but I am also getting unsuccessful data leaks that are not 0x00 or 0xff. Do you have any guess as to what the incorrectly extracted data is?
Note that the PoC Foreshadow implementation provided here is highly optimized and deliberately weakened (i.e., non-weaponized). So my guess is that:
- you're probably using the unoptimized non-TSX PoC implementation which has more noise. Consider using TSX or another exception suppression mechanism (e.g., like an RSB approach)
- your Flush+Reload threshold is producing false alarms and thus noisy results, i.e., making it seem like you're leaking incorrect data. Consider using a better, more stable Flush+Reload implementation (e.g., the one included in cacheutils.h)
- ultimately, depending on your CPU model and ucode version and experimental setup, it might be that you're inadvertently seeing a Microarchitectural Data Sampling (i.e., ZombieLoad, RIDL, Fallout) effect here and actually seeing stale data from the current or sibling CPU core

Hope this helps! As this is a question, and there are no obvious problems that need fixing in the code, I'll be closing this issue for now. Though feel free to reply for further guidance (or ack if it works) as needed (though I'll be off and unavailable to answer in the next 2 weeks)!
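
The last guess in the reply above depends on the CPU model, microcode version and SMT setup. As an added example (not part of the original reply or of sgx-step), this script summarizes what the Linux kernel reports for L1TF and MDS through its standard sysfs files; the function names are hypothetical, and the status reflects the kernel's view only.

```shell
#!/bin/sh
# Added example: summarize the kernel-reported L1TF / MDS status on a test machine.
# Function names are hypothetical; the sysfs paths are the standard Linux ones.
VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# classify STATUS -> not_affected | vulnerable | mitigated_smt_exposed | mitigated | unknown
classify() {
    case "$1" in
        "Not affected"*)               echo not_affected ;;
        Vulnerable*)                   echo vulnerable ;;
        Mitigation*"SMT vulnerable"*)  echo mitigated_smt_exposed ;;
        Mitigation*)                   echo mitigated ;;
        *)                             echo unknown ;;
    esac
}

# mds_noise_possible MDS_STATUS -> exit 0 when the kernel reports MDS as
# unmitigated or reports that SMT siblings are still exposed, else exit 1.
mds_noise_possible() {
    case "$(classify "$1")" in
        vulnerable|mitigated_smt_exposed) return 0 ;;
        *) return 1 ;;
    esac
}

# read_status NAME -> contents of the sysfs entry, or "unavailable"
read_status() {
    f="$VULN_DIR/$1"
    if [ -r "$f" ]; then cat "$f"; else echo "unavailable"; fi
}

report() {
    for v in l1tf mds; do
        s=$(read_status "$v")
        printf '%-5s %-22s %s\n' "$v" "$(classify "$s")" "$s"
    done
    if [ -r /sys/devices/system/cpu/smt/control ]; then
        printf 'smt   %s\n' "$(cat /sys/devices/system/cpu/smt/control)"
    fi
    # Microcode revision as seen by the kernel (x86 only).
    grep -m1 '^microcode' /proc/cpuinfo 2>/dev/null || true
    if mds_noise_possible "$(read_status mds)"; then
        echo "note: kernel reports MDS exposure; stale-data noise is plausible"
    fi
}

report
```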