app/memcmp: Improve documentation

Add illustrations based on existing material from the paper and previous talks: https://jovanbulck.github.io/files/usenix23-aexnotify-slides.pdf https://jovanbulck.github.io/files/phd-thesis-slides.pdf https://jovanbulck.github.io/files/circuit22.pdf
jovanbulck · Sep 2, 2023 · bc1e1ca · bc1e1ca
1 parent 16887fa
commit bc1e1ca
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -46,6 +46,15 @@ up-to-date list of known projects using SGX-Step is included at the
 }
 ```
 
+**Demo.** The [app/memcmp](app/memcmp) directory contains a small demo application that
+illustrates the power of SGX-Step attacks by single-stepping a sample enclave
+that contains subtle, non-constant-time `memcmp` password comparison logic.
+As opposed to traditional, notoriously noisy timing attacks, SGX-Step can
+deterministically brute-force the password character-per-character in _linear_
+time:
+
+![sgxstep-memcmp-demo](app/memcmp/sgxstep-memcmp-demo.gif)
+
 ## Overview
 
 Crucial to the design of SGX-Step, as opposed to previous enclave preemption
@@ -73,11 +82,11 @@ interrupting and resuming an SGX enclave through our framework.
    custom AEP stub. Furthermore, to enable precise evaluation of our approach on
    attacker-controlled benchmark debug enclaves, SGX-Step can _optionally_ be
    instrumented to retrieve the stored instruction pointer from the interrupted
-   enclave’s SSA frame. For this, our `/dev/sgx-step` driver offers an optional
-   IOCTL call for the privileged `EDBGRD` instruction.
+   enclave's SSA frame (using Linux's `/proc/self/mem` interface and the
+   `EDBGRD` instruction).
 5. Thereafter, we configure the local APIC timer for the next interrupt
-   by writing into the initial-count MMIO register, just before executing (6)
-   `ERESUME`.
+   by writing into the initial-count memory-mapped I/O register, just before
+   executing (6) `ERESUME`.
 
 ## Source code overview
 
@@ -96,6 +105,16 @@ This repository is organized as follows:
 └── sdk        -- Bindings to use SGX-Step with different SGX SDKs and libOSs.
 ```
 
+## Framework features and applications
+
+SGX-Step is a universal execution control framework that enables the precise
+interleaving of victim enclave instructions with _arbitrary_ attacker code.
+Some of the main use cases of the SGX-Step framework are summarized in the
+figure below (see also the [bottom](#bottom) of this README for an up-to-date
+list of publications using SGX-Step).
+
+![SGX-Step attacks overview](doc/attacks-overview.png)
+
 ## Building and running
 
 ### 0. System requirements
@@ -217,6 +236,8 @@ User-space applications can link to the `libsgxstep` library to make use of
 SGX-Step's single-stepping and page table manipulation features. Have a look at
 the example applications in the "app" directory.
 
+![interrupt abstract box](doc/irq_box.png)
+
 First, check the APIC and interrupt-descriptor table setup:
 
 ```bash
@@ -380,11 +401,6 @@ Have a look at the Makefiles in the `app` directory to see how a client
 application can link to `libsgxstep` plus any local SGX SDK/PSW packages.
 
 <a name="bottom"></a>
-Some of the main use cases of the SGX-Step
-framework are summarized below:
-
-![SGX-Step attacks overview](doc/attacks-overview.png)
-
 The following is a list of known projects that use SGX-Step. Feel free to open
 a pull request if your project uses SGX-Step but is not included below.
 

diff --git a/app/memcmp/README.md b/app/memcmp/README.md
@@ -1 +1,62 @@
+# SGX-Step demo: Building a determinstic `memcmp()` password oracle
+
+This directory contains a small demo application that illustrates the power of
+SGX-Step attacks by single-stepping a sample enclave that contains subtle,
+non-constant-time `memcmp` password comparison logic.
+
+## Description of the vulnerability
+
+The vulnerable enclave function is shown below:
+
+```C
+int my_memcmp(char *a, int a_len, char *b, int b_len)
+{
+    int i;
+
+    /* first check overall len */
+    if (a_len != b_len)
+        return 0;
+
+    /* now check individual chars */
+    for (i=0; i < a_len; i++)
+    {
+        if (a[i] != b[i])
+            return 0;
+    }
+    return 1;
+}
+```
+
+This non-constant-time function is called to compare the attacker-provided
+password guess with the secret, in-enclave password. The main idea of the
+exploit is to accurately detect the early-out `return 0` cases in the
+conditional control-flow above to learn which _individual_ password byte was
+wrong. This allows to brute-force the password in linear (instead of
+exponential) time one password byte at a time, as illustrated below:
+
+![overview](memcmp-sca.png)
+
+## Example exploit
+
+The demo shows that by merely counting the number of instructions executed on
+the `memcmp` page per password guess, the password can be trivially
+brute-forced character-per-character in linear time.
+
 ![sgxstep-memcmp-demo](sgxstep-memcmp-demo.gif)
+
+This clearly shows the substantial advantage of an interrupt-driven SGX-Step
+adversary, as opposed to traditional start-to-end timing attacks, which are
+notoriously noisy and would need _many_ repetitions to establish the subtle,
+single-instruction control-flow differences exploited in this example, e.g., as
+experimentally illustrated below:
+
+![overview](memcmp-timing.png)
+
+## Real-world counterpart
+
+This example is loosely based on the real-world CVE-2018-3626
+([paper](https://jovanbulck.github.io/files/ccs19-tale.pdf);
+[source code](https://github.com/jovanbulck/0xbadc0de/tree/master/intel-sgx-sdk/sgx-strlen))
+that similarly exploited a non-constant-time `strlen` computation to build a
+deterministic zero-byte oracle with SGX-Step.
+
diff --git a/app/memcmp/memcmp-sca.png b/app/memcmp/memcmp-sca.png
diff --git a/app/memcmp/memcmp-timing.png b/app/memcmp/memcmp-timing.png
diff --git a/doc/irq_box.png b/doc/irq_box.png