app/memcmp: improve rflags.tf simulation stepping
jovanbulck committed May 20, 2024
1 parent 27ff720 commit aea8caa
Showing 4 changed files with 29 additions and 4 deletions.
22 changes: 18 additions & 4 deletions app/memcmp/main.c
Expand Up @@ -15,7 15,7 @@
#include <sys/mman.h>

#define MAX_LEN 15
#define DO_TIMER_STEP 1
#define DO_TIMER_STEP 0
#define DEBUG 0
#define DBG_ENCL 1
#if DO_TIMER_STEP
Expand All @@ -33,6 33,15 @@
#warning "Using simulated stepping through HW trap flag; will not work for production enclaves!"
#endif

/*
* NOTE: set DO_TIMER_STEP=0 to _simulate_ a single-stepping attack through the
* x86 hardware trap flag (RFLAGS.TF). Use for demonstration/debugging purposes
* only, as this does _not_ work for SGX debug enclaves(!)
*/
#if !DO_TIMER_STEP
#warning "Using simulated stepping through HW trap flag; will not work for production enclaves!"
#endif

sgx_enclave_id_t eid = 0;
int irq_cnt = 0, do_irq = 0, fault_cnt = 0, trigger_cnt = 0, step_cnt = 0;
uint64_t *pte_encl = NULL, *pte_trigger = NULL, *pmd_encl = NULL;
Expand Down Expand Up @@ -74,7 83,7 @@ void aep_cb_func(void)
* referencing the enclave code page about to be executed, so as to be able
* to filter out "zero-step" results that won't set the accessed bit.
*/
if (ACCESSED(*pte_encl)) step_cnt ;
if (do_irq && ACCESSED(*pte_encl)) step_cnt ;
*pte_encl = MARK_NOT_ACCESSED( *pte_encl );
*pte_trigger = MARK_NOT_ACCESSED(*pte_trigger);

Expand All @@ -92,8 101,6 @@ void aep_cb_func(void)
*pmd_encl = MARK_NOT_ACCESSED( *pmd_encl );
#if DO_TIMER_STEP
apic_timer_irq( SGX_STEP_TIMER_INTERVAL );
#else
ENABLE_TF;
#endif
}
}
Expand All @@ -117,6 124,7 @@ void fault_handler(int signo, siginfo_t * si, void *ctx)
#endif
ASSERT(!mprotect(trigger_adrs, 4096, PROT_READ | PROT_WRITE));
do_irq = 1;
sgx_step_do_trap = 1;
}
else
{
Expand All @@ -130,6 138,10 @@ void fault_handler(int signo, siginfo_t * si, void *ctx)
#if DEBUG
//info("Caught single-step trap (RIP=%p)\n", si->si_addr);
#endif

/* ensure RFLAGS.TF is clear to disable debug single-stepping */
ucontext_t *uc = (ucontext_t *) ctx;
uc->uc_mcontext.gregs[REG_EFL] &= ~0x100;
break;
#endif

Expand Down Expand Up @@ -234,6 246,7 @@ int main( int argc, char **argv )
for (int j = 0; j < pwd_len; j ) pwd[j] = '*';
pwd[pwd_len] = '\0';
do_irq = 0; trigger_cnt = 0, step_cnt = 0, fault_cnt = 0;
sgx_step_do_trap = 0;
ASSERT(!mprotect(trigger_adrs, 4096, PROT_NONE ));
SGX_ASSERT( memcmp_pwd(eid, &pwd_success, pwd) );

Expand Down Expand Up @@ -261,6 274,7 @@ int main( int argc, char **argv )
{
pwd[i] = j;
do_irq = 0; trigger_cnt = 0, step_cnt = 0, fault_cnt = 0;
sgx_step_do_trap = 0;
ASSERT(!mprotect(trigger_adrs, 4096, PROT_NONE ));
SGX_ASSERT( memcmp_pwd(eid, &pwd_success, pwd) );

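Review bot: The added NOTE comment in the hunk at @@ -33,6 +33,15 @@ says TF-based stepping "does _not_ work for SGX debug enclaves", while the `#warning` in the same added block says it "will not work for production enclaves"; the two statements contradict each other, and the trampoline comment in this commit ("simulated single-stepping for DEBUG enclaves") suggests the NOTE is the inverted one, so it should read `* only, as this does _not_ work for SGX production enclaves(!)`. The added `#if !DO_TIMER_STEP` / `#warning` / `#endif` lines also look like a duplicate of the identical `#warning` that is context two lines above them, though the collapsed lines between the hunks are not visible here. Separately, the `~0x100` mask in the fault_handler hunk is the same magic value as the `$0x100` in aep_trampoline.S; defining it once in a shared header (e.g. an `RFLAGS_TF` macro usable from both C and assembly) would keep the two in step. aep_cb_func, fault_handler and main all start and end outside their hunks.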
9 changes: 9 additions & 0 deletions libsgxstep/aep_trampoline.S
Expand Up @@ -79,6 79,15 @@ sgx_step_aep_trampoline:

mov $3, %xax /* ERESUME leaf */


/* optionally set RFLAGS.TF to enable simulated single-stepping for DEBUG enclaves */
lea sgx_step_do_trap(%rip), %rdx
test %rdx, %rdx
je sgx_step_aep_eresume
pushf
orl $0x100, (%rsp)
popf

.global sgx_step_aep_eresume
sgx_step_aep_eresume:
.byte 0x0f, 0x01, 0xd7 /* ENCLU */
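Review bot: `lea sgx_step_do_trap(%rip), %rdx` loads the address of the flag rather than its value, so `test %rdx, %rdx` can never be zero and the `je sgx_step_aep_eresume` branch is never taken; RFLAGS.TF is therefore set on every ERESUME regardless of what main.c stored in `sgx_step_do_trap`, which defeats the `sgx_step_do_trap = 0` resets this commit adds. The check should read the 32-bit value, e.g. replace the three lines with `cmpl $0, sgx_step_do_trap(%rip)` and `je sgx_step_aep_eresume`. The `%rip`-relative addressing also pins this path to x86-64 while the neighbouring `mov $3, %xax` appears to go through a register-width macro; a one-line comment stating that the TF path is 64-bit only would make that explicit. sgx_step_aep_trampoline starts before the hunk.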
1 change: 1 addition & 0 deletions libsgxstep/enclave.c
Expand Up @@ -38,6 38,7 @@ extern void sgx_step_aep_trampoline(void);
aep_cb_t sgx_step_aep_cb = NULL;
uint64_t nemesis_tsc_eresume = 0x0;
int sgx_step_eresume_cnt = 0;
int sgx_step_do_trap = 0;

extern int fd_step;
struct sgx_step_enclave_info victim = {0};
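Review bot: `sgx_step_do_trap` is defined as a plain `int`, but in this commit it is set from the signal handler in app/memcmp/main.c (`sgx_step_do_trap = 1;`) and read by hand-written assembly in aep_trampoline.S; for a flag written from a signal handler the conventional declaration is `volatile sig_atomic_t sgx_step_do_trap = 0;` (from `<signal.h>`, with the matching `extern` in enclave.h), which documents the asynchronous access and avoids relying on the surrounding opaque calls to keep the stores from being elided. Whether the present stores could actually be reordered depends on code that is not visible here. A short comment on the definition saying that a non-zero value makes the AEP trampoline set RFLAGS.TF before ERESUME would also help, since the name alone does not say which trap is meant.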
1 change: 1 addition & 0 deletions libsgxstep/enclave.h
Expand Up @@ -36,6 36,7 @@ struct sgx_step_enclave_info

extern uint64_t nemesis_tsc_eresume, nemesis_tsc_aex;
extern int sgx_step_eresume_cnt;
extern int sgx_step_do_trap;

typedef void (*aep_cb_t)(void);
void register_aep_cb(aep_cb_t cb);
