Emilia: Catching Iago in Legacy Code

 April 4, 2021 at 10:34 am

PDF

Abstract

There has been interest in mechanisms that enable the secure use of legacy code to implement trusted code in a Trusted Execution Environment (TEE), such as Intel SGX. However, because legacy code generally assumes the presence of an operating system, this naturally raises the spectre of Iago attacks on the legacy code. We observe that not all legacy code is vulnerable to Iago attacks and that legacy code must use return values from system calls in an unsafe way to have Iago vulnerabilities.

Based on this observation, we develop Emilia, which automatically detects Iago vulnerabilities in legacy applications by fuzzing applications using system call return values. We use Emilia to discover 51 Iago vulnerabilities in 17 applications, and find that Iago vulnerabilities are widespread and common. We conduct an in-depth analysis of the vulnerabilities we found and conclude that while common, the majority (82.4%) can be mitigated with simple, stateless checks in the system call forwarding layer, while the rest are best fixed by finding and patching them in the legacy code. Finally, we study and evaluate different trade-offs in the design of Emilia.

  • Target: SGX Applications running inside a middleware
  • Method: Fuzzing
  • Tool: strace (to intercept syscall return value)

Fuzzing Strategies

  1. Target selection (syscalls)
  2. Extract branch conditions depending on the return value from syscalls
  3. Random/valid/invalid return values
  4. Different return fields

Evaluation

to be continued