[tbb-bugs] #21114 [Applications/Tor Browser]: Evaluate SGX impact on exploitation
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jan 2 09:48:43 UTC 2017
#21114: Evaluate SGX impact on exploitation
--------------------------------------+--------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by cypherpunks):
There is no way to disable SGX enclaves completely. Even on hardware
without SGX support, there is something similar on hardware with Intel TXT
support called memory curtaining (though it's not quite as comprehensive
as an SGX enclave, e.g. you can still use probe mode when in memory
curtaining context).
Anyway, your threat model falls apart at part 3. There is no way that an
exploit can be served in a way that is completely undetectable, because it
will still need to go through the network, and through processes/buffers
outside the enclave to get there. All it could accomplish is being harder
to audit, by making debugging live code paths harder. Just a few ways a
program could already make itself insanely difficult to audit, other than
SGX:
* TXT memory curtaining
* Bispe (TRESOR-based bytecode interpreter)
* Page-fault based bytecode interpreter
* Offloading execution to other processors (GPUs, NICs, etc)
Hell would freeze over before it would be possible to put the entirety of
Firefox in an SGX enclave anyway. Even putting a basic program into an
enclave requires heavily rewriting it to support the necessary I/O with
the rest of the system.
Btw, enclaves cannot make syscalls. They cannot even use all instructions
available to ring 3.
This is a rather poorly thought out ticket due to scope and threat model.
I vote to close it.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21114#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list