Attack demonstration

Attack PoC

Let's consider the following hypothetical yet practical use case. Imagine that we have a Redis server to be deployed on the public cloud. Since the Redis server contains some sensitive data (e.g., medical records), we decided to protect the Redis server with SGX.


To port a complex application like Redis to SGX easily, we need the help of an SGX Library OS. We chose Occlum because it has an encrypted file system that leverages SGX-PFS for encrypted I/O. By default, all file I/O operations of applications running upon Occlum go through the encrypted file system, thus enjoying transparent encryption. Behind the scenes, each inode of the encrypted file system (an inode can be either a regular file or a directory) is backed by a separate protected file of SGX-PFS. Thus, reading or writing a regular file on Occlum is, in essence, reading or writing a protected file of SGX-PFS. So it follows that Occlum's encrypted file system inherits the vulnerability of transient snapshots from SGX-PFS. Therefore, although our attack PoC is based on Occlum, it actually demonstrates the vulnerability in SGX-PFS.


In this use case, we set a Bash script as the entry point of the Occlum enclave, which is the first user program to be executed after the Occlum enclave starts up. The script involves two main steps: 1) creating a Redis configuration file ("redis.conf"), if it does not exist, and 2) starting the Redis server, which loads the configuration file and serves user requests. The "redis.conf" file needs to be created on the fly because it contains some information that cannot be known beforehand or should not be hard-coded. For example, the "redis.conf" file includes the "requirepass" directive, which specifies the password for Redis clients to log in to the Redis server.


Note that the "requirepass" directive is security-critical. If it is not present in the configuration file, any Redis clients (including attackers, of course!) can connect to the Redis server. Unfortunately, such a security loophole can be triggered by transient snapshot attacks. This is because, in the aforementioned first step of creating the configure file, a partially-written "redis.conf" that does not contain the "requirepass" directive may be generated by SGX-PFS as a transient snapshot. An attacker can capture this incomplete but otherwise secure version of "redis.conf" and later replay it to start another instance of the same Occlum enclave, which in turn runs a Redis server that does not require any client authentication. The whole process is summarised in the figure below.

There are many ways that such an incomplete and insecure "redis.conf" file may be generated by SGX-PFS depending upon the exact content of the "redis.conf" file and how it is written. We show one possible way in our PoC where the configure file is relatively large and initialized by a series of sequential writes. After writing an amount of data that exceeds the cache size of SGX-PFS (let's denote it as CACHE_SIZE, whose value is 48 * 4KB), a transient snapshot of the "redis.conf" file will be generated (explained in the previous section). As long as the first CACHE_SIZE bytes of the "redis.conf" file do not contain the "requirepass" directive (which is our case), the generated snapshot (aka. the transient snapshot) of the "redis.conf" file will be insecure and can be used by the attacker for replay.


Watch our screen recording below.

snapshot-demo.mov