Attack demonstration

Let's consider the following hypothetical yet practical use case. Imagine that we have a Redis server to be deployed on the public cloud. Since the Redis server contains some sensitive data (e.g., medical records), we decided to protect the Redis server with SGX.

To port a complex application like Redis to SGX easily, we need the help of an SGX Library OS. We chose Occlum because it has an encrypted file system that leverages SGX-PFS for encrypted I/O. By default, all file I/O operations of applications running upon Occlum go through the encrypted file system, thus enjoying transparent encryption. Behind the scenes, each inode of the encrypted file system (an inode can be either a regular file or a directory) is backed by a separate protected file of SGX-PFS. Thus, reading or writing a regular file on Occlum is, in essence, reading or writing a protected file of SGX-PFS. So it follows that Occlum's encrypted file system inherits the vulnerability of transient snapshots from SGX-PFS. Therefore, although our attack PoC is based on Occlum, it actually demonstrates the vulnerability in SGX-PFS.

In this use case, we set a Bash script as the entry point of the Occlum enclave, which is the first user program to be executed after the Occlum enclave starts up. The script involves two main steps: 1) creating a Redis configuration file ("redis.conf"), if it does not exist, and 2) starting the Redis server, which loads the configuration file and serves user requests. The "redis.conf" file needs to be created on the fly because it contains some information that cannot be known beforehand or should not be hard-coded. For example, the "redis.conf" file includes the "requirepass" directive, which specifies the password for Redis clients to log in to the Redis server.

Note that the "requirepass" directive is security-critical. If it is not present in the configuration file, any Redis clients (including attackers, of course!) can connect to the Redis server. Unfortunately, such a security loophole can be triggered by transient snapshot attacks. This is because, in the aforementioned first step of creating the configure file, a partially-written "redis.conf" that does not contain the "requirepass" directive may be generated by SGX-PFS as a transient snapshot. An attacker can capture this incomplete but otherwise secure version of "redis.conf" and later replay it to start another instance of the same Occlum enclave, which in turn runs a Redis server that does not require any client authentication. The whole process is summarised in the figure below.