TY - GEN
T1 - Fuzzing SGX Enclaves via Host Program Mutations
AU - Khan, Arslan
AU - Zou, Muqi
AU - Kim, Kyungtae
AU - Xu, Dongyan
AU - Bianchi, Antonio
AU - Tian, Dave Jing
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - Intel Software Guard eXtension (SGX) is the cornerstone of Confidential Computing, enabling runtime code and data integrity and confidentiality via enclaves. Unfortunately, memory-unsafe and type-unsafe programming languages, such as C/C++, are commonly used to develop enclave implementations. As a result, a memory corruption or a data race within enclaves could lead to different attacks against the enclaves, such as Return-Oriented Programming (ROP) and data leakage, breaking the hardware security guarantee provided by SGX. To automatically identify these issues in existing enclave implementations, in this paper, we propose FuzzSGX, an input and program mutation-based fuzzer for Intel SGX enclave implementations. FuzzSGX provides an enclave fuzzing runtime, FuzzSGX Runtime, a drop-in library for the Intel SGX SDK, enabling code coverage and sanitization within enclaves. To explore the host app-enclave boundary, FuzzSGX conducts static analysis and symbolic execution on existing host apps and enclave implementations to generate promising fuzzing programs, fuzzing both ECALLs and OCALLs. We evaluate FuzzSGX using 30 popular SGX applications and enclave implementations and find 93 bugs among these SGX projects, including data races, null pointer dereferences, out-of-bound accesses, division-by-zero, etc. FuzzSGX achieves 3.2x higher code coverage and finds 48.2% more bugs by directly targeting the host app-enclave boundary using program mutations, compared to state-of-the-art fuzzers.
UR - http://www.scopus.com/inward/record.url?scp=85168087721&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85168087721&partnerID=8YFLogxK
U2 - 10.1109/EuroSP57164.2023.00035
DO - 10.1109/EuroSP57164.2023.00035
M3 - Conference contribution
AN - SCOPUS:85168087721
T3 - Proceedings - 8th IEEE European Symposium on Security and Privacy, Euro S and P 2023
SP - 472
EP - 488
BT - Proceedings - 8th IEEE European Symposium on Security and Privacy, Euro S and P 2023
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 8th IEEE European Symposium on Security and Privacy, Euro S and P 2023
Y2 - 3 July 2023 through 7 July 2023
ER -