[tor-bugs] #21114 [Applications/Tor Browser]: Evaluate SGX impact on exploitation

[Tor Bug Tracker & Wiki]

#21114: Evaluate SGX impact on exploitation
--------------------------------------+--------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by cypherpunks):

 Replying to [ticket:21114 cypherpunks]:
 > Threat model:
 > 1 adversary has access to Intel backdoors to put own versions of Intel
 trusted SGX service enclaves.
 > 2 adversary uses the most sophisticated exploits they have against the
 user
 > 3 adversary is not willing to use the most sophisticated exploits if
 they can be investigated and disclosed. In this case it will spare them
 for high-value targets. Othervise it will use them on everybody.

 >
 > so
 >
 > 1 We shouldn't put whole TorBrowser into SGX enclave. This will make
 exploits unauditable.
 > 2 Enclaves are restricted to ring 3 but they can use syscalls. The
 common attack scenario is hacking usermode process first and then
 escalating the privileges. For privilege escalation phase an adversary can
 setup an enclave and upload an exploit there after remote attestation,
 which will make the exploit unanalyzable. So we need a way to reliably
 disable SGX on the systems TorBrowser is executed.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21114#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online