EnclaveFuzz: Finding Vulnerabilities in SGX Applications

Liheng Chen

Network and Distributed System Security (NDSS) Symposium 2024 · Day 2 · TEE & SGX Security

Intel's Software Guard Extensions (SGX) provides a hardware-isolated execution environment, known as an **enclave**, designed to protect sensitive code and data from a potentially malicious operating system and other untrusted software. This strong system-level isolation makes SGX attractive for security-critical applications, such as Signal's contact discovery service. However, despite these hardware protections, the C/C++ code executing within enclaves remains susceptible to ordinary memory corruption vulnerabilities such as buffer overflows and use-after-free bugs. Moreover, SGX's unique threat model can introduce new attack vectors or significantly amplify the severity of existing vulnerabilities: **Time-of-Check-to-Time-of-Use (TOCTOU)** bugs arise when enclave code reads untrusted memory directly, since the host can change that memory between the check and the use, and **null-pointer dereferences** become critical security flaws because the untrusted operating system controls the zero page and can map attacker-chosen data there.
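To make the TOCTOU and null-pointer points concrete, the following added example (my own illustration, not code from the paper or from EnclaveFuzz) simulates an ECALL that receives a pointer to a host-owned message. The `shared_msg` layout, the `host_flips_len` helper standing in for a racing host thread, and both `ecall_*` functions are constructed for this example. The vulnerable version dereferences the untrusted length twice; the hardened version copies the header into enclave memory once, validates the local copy, rejects NULL, and never re-reads host memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: a message the host places in untrusted memory and
   passes to the enclave by pointer. The host owns this memory and may change
   it at any moment, including between the enclave's check and its use. */
struct shared_msg {
    uint32_t len;        /* claimed payload length (host-controlled) */
    uint8_t  data[64];   /* payload bytes (host-controlled) */
};

/* Hypothetical stand-in for a host thread racing the enclave: it rewrites
   the length after the enclave has already validated it. */
static void host_flips_len(struct shared_msg *m) { m->len = 1000; }

/* VULNERABLE pattern (double fetch): the check and the use each read m->len
   straight from untrusted memory. Returns the byte count the enclave would
   hand to memcpy, or -1 if the request was rejected. */
long ecall_double_fetch(struct shared_msg *m, uint8_t *dst, size_t dst_size, int race)
{
    if (m == NULL) return -1;
    if (m->len > dst_size)                 /* fetch #1: the check passes with len = 16 */
        return -1;
    if (race) host_flips_len(m);           /* host changes len after the check */
    uint32_t n = m->len;                   /* fetch #2: the use now sees 1000 */
    /* A real ECALL would do memcpy(dst, m->data, n) here and overflow dst.
       The count is returned instead so the bug is observable without executing it. */
    (void)dst;
    return (long)n;
}

/* HARDENED pattern (single fetch): snapshot the untrusted header into
   enclave-local storage once, validate that copy, and never touch m->len again.
   A real enclave would additionally confirm with sgx_is_outside_enclave()
   (Intel SGX SDK, sgx_trts.h) that [m, m+sizeof *m) lies entirely outside the
   enclave; that call is omitted here so the example runs stand-alone. */
long ecall_single_fetch(struct shared_msg *m, uint8_t *dst, size_t dst_size, int race)
{
    if (m == NULL) return -1;              /* NULL is host-controlled (zero page), never trusted */
    uint32_t len;
    memcpy(&len, &m->len, sizeof len);     /* exactly one read of the untrusted field */
    if (len > dst_size || len > sizeof m->data) return -1;
    if (race) host_flips_len(m);           /* a later host change is now irrelevant */
    memcpy(dst, m->data, len);             /* bounded by the validated local copy */
    return (long)len;
}
```

With `race` set, `ecall_double_fetch` passes its check at 16 bytes and then decides to copy 1000 into a 32-byte buffer, while `ecall_single_fetch` copies the 16 bytes it validated. In the Intel SGX SDK the same discipline is what the EDL `[in, size=...]` attribute provides automatically (the edge routine copies the buffer into the enclave before the ECALL body runs), whereas `[user_check]` hands the enclave the raw host pointer and leaves every fetch-and-validate step to the developer.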
