Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

information leak in Enclave code. #1

Open
jmp0x7c00 opened this issue Mar 17, 2022 · 0 comments
Open

information leak in Enclave code. #1

jmp0x7c00 opened this issue Mar 17, 2022 · 0 comments

Comments

@jmp0x7c00
Copy link

jmp0x7c00 commented Mar 17, 2022
edited
Loading

hi,sir
I think there is an information leak here, could you help me confirm it?

int dispatch(unsigned char *result, int *fan_out, size_t *buffer_size, int fan_all_out) {

    unsigned char *message;
    float probability_false = (WATER_MARK - (float)buffer.size()) / (float)WATER_MARK;

    // calculate the probability of fan out
    if (fan_all_out || generate_random_value() < PROBABILITY_FAN_OUT)
        *fan_out = 1;

    
    if (!*fan_out && probability_false > 0 && generate_random_value() < probability_false) {             // create a false message
        message = (unsigned char *) MESSAGE_FALSE;
        *buffer_size = buffer.size();
    } else {                                                                                                            // obtain a message from the buffer
        *buffer_size = buffer.size();

        if (buffer.size() < 1)
            return -1;

        int index = (int)(generate_random_value()*buffer.size());
        char *choosen_message = (char *) buffer.at(index).c_str();
        message = (unsigned char *)malloc(strlen(choosen_message));
        std::copy(choosen_message, choosen_message + strlen(choosen_message), message);
        message[strlen(choosen_message)] = '\0';

                                                                                              
        buffer.erase(buffer.begin() + index);


        // ======================= vulnerable code:========================
        // fan_out may be controlled by the attacker,
        //when *fan_out !=0, the unencrypted message can be leaked .


        if (*fan_out) { 
            std::copy(message, message + strlen((char *) message), result);
            return 1;
        }
    }

    size_t out_len = 0;

    sgx_status_t ret_get_output_len = sgx_rsa_pub_encrypt_sha256(
        previous_public_key, NULL, &out_len, message, strlen((char *) message));

    if (ret_get_output_len != SGX_SUCCESS) {
        printf("Determination of output length failed\n");
        return 0;
    }

    sgx_status_t ret_encrypt = sgx_rsa_pub_encrypt_sha256(
        previous_public_key, result, &out_len, message, strlen((char *) message));

    if (ret_encrypt != SGX_SUCCESS) {
        printf("Encryption failed\n");
        return 0;
    } else {
        printf("Encrypted message with success!\n");
    }

    return 1;
}

fan_out may be controlled by the attacker,
when *fan_out !=0, the unencrypted message can be leaked .
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jmp0x7c00