
Re: [tor-bugs] #21114 [Applications/Tor Browser]: Evaluate SGX impact on exploitation



#21114: Evaluate SGX impact on exploitation
--------------------------------------+--------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by cypherpunks):

 There is no way to disable SGX enclaves completely. Even on hardware
 without SGX support, there is something similar on hardware with Intel TXT
 support called memory curtaining (though it's not quite as comprehensive
 as an SGX enclave, e.g. you can still use probe mode when in memory
 curtaining context).

 Anyway, your threat model falls apart at part 3. There is no way that an
 exploit can be served in a way that is completely undetectable, because it
 will still need to go through the network, and through processes/buffers
 outside the enclave to get there. All it could accomplish is being harder
 to audit, by making debugging live code paths harder. Just a few ways a
 program could already make itself insanely difficult to audit, other than
 SGX:
 * TXT memory curtaining
 * Bispe (TRESOR-based bytecode interpreter)
 * Page-fault based bytecode interpreter
 * Offloading execution to other processors (GPUs, NICs, etc.)

 Hell would freeze over before it would be possible to put the entirety of
 Firefox in an SGX enclave anyway. Even putting a basic program into an
 enclave requires heavily rewriting it to support the necessary I/O with
 the rest of the system.

 BTW, enclaves cannot make syscalls. They cannot even use all instructions
 available to ring 3.

 This is a rather poorly thought out ticket due to scope and threat model.
 I vote to close it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21114#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
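Where the enclave boundary the comment describes actually sits, as an added illustration in Intel's Enclave Definition Language (the interface file consumed by the SGX SDK's sgx_edger8r tool); this is not code from the ticket, Tor Browser or the SGX SDK, and the function names are assumptions:

```edl
/* hypothetical.edl - added illustration; ecall_handle_message, ocall_send
   and ocall_log are assumed names, not SDK or project identifiers. */
enclave {
    trusted {
        /* ECALL: the only way into the enclave. The host passes a buffer;
           the generated bridge copies the [in] bytes from untrusted memory
           into enclave memory, so anything that reaches enclave code first
           existed in the host process (and, before that, on the wire),
           where it can be logged, filtered or inspected. */
        public int ecall_handle_message([in, size=len] const uint8_t* msg,
                                        size_t len);
    };
    untrusted {
        /* OCALLs: enclave code cannot issue syscalls, so every send, write
           or log line is delegated to the host, which owns the socket and
           the file and may inspect or refuse each request. */
        int ocall_send([in, size=len] const uint8_t* buf, size_t len);
        void ocall_log([in, string] const char* line);
    };
};
```

Both directions cross untrusted host memory through these marshalled buffers, which is why an enclave can raise the cost of auditing its internals but cannot hide what enters or leaves it.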
tor-bugs mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs