SGXRacer is detection tool for controlled data races in enclave code.
SGXRacer systematically identifies possible shared (i.e., the racing) variables and explores both intended and unintended thread interleavings in enclave code to inspect whether there are proper synchronizations on shared variables. A data race is identified if there is a lack of synchronization primitives when TCSnum is configured to be more than one. The key idea is to assume that every ecall can run concurrently with another ecall (including itself), given a strong privileged attacker who can abuse enclave thread creation, ecall invocation, and fine-grained enclave code execution. At a high level, SGXRacer contains two phases of analysis: the variable analysis phase and the data race detection phase. The variable analysis phase recovers shared variables and lock variables from enclave code and generates locksets and lock acquisition histories. The data race detection phase considers each ecall to be possibly concurrent and performs a reentrancy-aware lockset-based data race detection.
@inproceedings {Chen:2023:SGXRacer,
author = {Sanchuan Chen and Zhiqiang Lin and Yinqian Zhang},
title = {{Controlled Data Races in Enclaves: Attacks and Detection}},
booktitle = {32st USENIX Security Symposium (USENIX Security 23)},
year = {2023},
publisher = {USENIX Association},
}
We evaluated SGXRacer on four well-known SGX SDKs: Intel SGX SDK, Microsoft Open Enclave SDK, Apache Teaclave Rust-SGX SDK, and Fortanix Rust EDP SDK.
The specific versions evaluated:
| SDK | Repository | Version |
|---|---|---|
| Intel SGX SDK | https://github.com/intel/linux-sgx | 2.6 |
| Microsoft Open Enclave SDK | https://github.com/openenclave/openenclave | 0.7.0 |
| Apache Teaclave Rust-SGX SDK | https://github.com/apache/incubator-teaclave-sgx-sdk | 1.0.8 |
| Fortanix Rust EDP SDK | https://github.com/fortanix/rust-sgx | commit dbe1430367b3fde78ccb6209cfd49ed0fdc2d707 |
We also evaluated eight widely used SGX Applications: mbedtls-SGX, intel-sgx-ssl, TaLoS, LibSEAL, SGX_SQLite, stealthdb, SGXDeep, and hot-calls.
The specific versions evaluated:
SGXRacer was originally developed and tested on Ubuntu 20.04. SGXRacer needs Python 3 environment, such as command line tool python3 and pip3. SGXRacer also needs Python 3 package angr.
- Install pip3 for Python 3:
sudo apt install python3-pip- Install binary code analysis framework angr:
sudo pip3 install angr- Clone SGXRacer GitHub repository:
git clone https://github.com/OSUSecLab/SGXRacer.gitpython3 sgxrace.py -input ./enclave_binaries/intel_sgx_sdk/enclave.signed.so -output intel_sgx_sdk_results.txt -output1 intel_sgx_sdk_results1.txt > intel_sgx_sdk_stdout
python3 sgxrace.py -input ./enclave_binaries/open_enclave_sdk/enclave.signed -output open_enclave_sdk_results.txt -output1 open_enclave_sdk_results1.txt > open_enclave_sdk_stdout
python3 sgxrace.py -input ./enclave_binaries/rust_sgx_sdk/enclave.signed.so -output rust_sgx_sdk_results.txt -output1 rust_sgx_sdk_results1.txt > rust_sgx_sdk_stdout
python3 sgxrace.py -input ./enclave_binaries/rust_edp_sdk/enclave -output rust_edp_sdk_results.txt -output1 rust_edp_sdk_results1.txt > rust_edp_sdk_stdoutpython3 sgxrace.py -app -fast -input ./enclave_binaries/sgx_apps/001_mbedtls-SGX/enclave.signed.so -output 001_mbedtls-SGX_results.txt -output1 001_mbedtls-SGX_results1.txt > 001_mbedtls-SGX_stdout
python3 sgxrace.py -app -fast -input ./enclave_binaries/sgx_apps/002_intel-sgx-ssl/enclave.signed.so -output 002_intel-sgx-ssl_results.txt -output1 002_intel-sgx-ssl_results1.txt > 002_intel-sgx-ssl_stdout
python3 sgxrace.py -app -fast -input ./enclave_binaries/sgx_apps/008_TaLoS/enclave.signed.so -output 008_TaLoS_results.txt -output1 008_TaLoS_results1.txt > 008_TaLoS_stdout
python3 sgxrace.py -app -fast -input ./enclave_binaries/sgx_apps/016_SGX_SQLite/enclave.signed.so -output 016_SGX_SQLite_results.txt -output1 016_SGX_SQLite_results1.txt > 016_SGX_SQLite_stdout
python3 sgxrace.py -app -fast -input ./enclave_binaries/sgx_apps/026_LibSEAL/enclave.signed.so -output 026_LibSEAL_results.txt -output1 026_LibSEAL_results1.txt > 026_LibSEAL_stdout
python3 sgxrace.py -app -fast -input ./enclave_binaries/sgx_apps/028_stealthdb/enclave.signed.so -output 028_stealthdb_results.txt -output1 028_stealthdb_results1.txt > 028_stealthdb_stdout
python3 sgxrace.py -app -fast -input ./enclave_binaries/sgx_apps/065_hot-calls/enclave.signed.so -output 065_hot-calls_results.txt -output1 065_hot-calls_results1.txt > 065_hot-calls_stdout
python3 sgxrace.py -app -fast -input ./enclave_binaries/sgx_apps/087_intel-sgx-deep-learning/enclave.signed.so -output 087_intel-sgx-deep-learning_results.txt -output1 087_intel-sgx-deep-learning_results1.txt > 087_intel-sgx-deep-learning_stdout