potential defect in the oob detection policy implementation #10

Open
Trust04zh opened this issue Oct 23, 2022 · 1 comment


I wonder if the OOB detection policy wasn't implemented as expected.

In the policy implementation, it is considered that either an OOB or a UAF would be detected if the accessed memory region in the heap isn't within a certain allocated memory region in the heap (which is recorded, and the information maintained, in heap_map). However, the implementation detects OOB using alloc_start and alloc_end, which were assigned by the last iteration of the preceding for loop, so the memory access is considered to be an OOB case only by comparing its memory boundaries with the last entry in heap_map. I wonder if an iteration was forgotten here.

See the relevant code below:

```python
if (addr_start >= BASE_ALLOC
        and addr_end < BASE_ALLOC + current_heap_alloc - 0x1):
    isFlagged = True
    alloc_start = 0
    alloc_end = 0
    # Walk every live allocation; the access is fine if it lies inside one.
    for alloc_mem, alloc_size in heap_map.iteritems():
        alloc_start = alloc_mem
        alloc_end = alloc_mem + alloc_size - 0x1
        if (addr_start >= alloc_start and addr_start <= alloc_end
                and addr_end >= alloc_start
                and addr_end <= alloc_end):
            isFlagged = False
    if (isFlagged):
        msg = ""
        # alloc_start/alloc_end still hold the LAST heap_map entry here,
        # so only that entry is compared when deciding whether this is OOB.
        if (addr_start >= alloc_start and addr_start <= alloc_end
                and addr_end > alloc_end):
            msg = ('[ERROR] Potential Out of Bound (OOB) at '
                   + hex(inst.getAddress()) + ': ' + inst.getDisassembly()
                   + '\nTry to use memory at ' + hex(addr_start)
                   + ' - ' + hex(addr_end)
                   + '\nAllocated Memory range is ' + hex(alloc_start)
                   + ' - ' + hex(alloc_end) + '\n')
        else:
            # Otherwise look for the access inside a chunk recorded in heap_story.
            for st_alloc_mem, st_alloc_info in heap_story.iteritems():
                st_alloc_start = st_alloc_mem
                st_alloc_end = st_alloc_mem + st_alloc_info[1]
                if (addr_start >= st_alloc_start
                        and addr_start <= st_alloc_end
                        and addr_end >= st_alloc_start
                        and addr_end <= st_alloc_end):
                    msg = ('[UAF-REPORT] Potential Use-after-free (UAF) at '
                           + hex(inst.getAddress()) + ': ' + inst.getDisassembly()
                           + '\nTry to use memory at ' + hex(addr_start)
                           + ' - ' + hex(addr_end)
                           + '\nAllocated memory range is ' + hex(st_alloc_start)
                           + ' - ' + hex(st_alloc_end)
                           + '\nAllocated memory at ' + hex(st_alloc_info[0])
                           + ' and Freed at ' + hex(st_alloc_info[2]) + '\n')
```
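As an added illustration (not code from the issue or the project), here is a minimal model of the classifier above in its reported form beside a version that re-walks every live chunk before deciding between OOB and UAF. The heap_map/heap_story layouts, the addresses and the corrected version are my assumptions; the corrected version is not necessarily what #11 does.

```python
# Added example, not the project's code: a minimal model of the classifier
# quoted in the issue. Assumed layouts (not from the page): heap_map maps
# chunk start -> size for live chunks; heap_story maps chunk start ->
# [alloc_site, size] and gains a third element, the free site, once freed.

def _inside(addr_start, addr_end, lo, hi):
    return lo <= addr_start <= hi and lo <= addr_end <= hi

def classify_reported(addr_start, addr_end, heap_map, heap_story):
    """Logic as posted: alloc_start/alloc_end keep only the LAST live chunk."""
    alloc_start = alloc_end = 0
    flagged = True
    for alloc_mem, alloc_size in heap_map.items():
        alloc_start = alloc_mem
        alloc_end = alloc_mem + alloc_size - 0x1
        if _inside(addr_start, addr_end, alloc_start, alloc_end):
            flagged = False
    if not flagged:
        return "OK"
    # Only the last chunk visited above is consulted here: the defect.
    if alloc_start <= addr_start <= alloc_end < addr_end:
        return "OOB"
    for st_start, info in heap_story.items():
        if _inside(addr_start, addr_end, st_start, st_start + info[1]):
            return "UAF freed at %#x" % info[2]  # IndexError if never freed
    return "UNKNOWN"

def classify_fixed(addr_start, addr_end, heap_map, heap_story):
    """Re-walk every live chunk before deciding between OOB and UAF."""
    for alloc_mem, alloc_size in heap_map.items():
        if _inside(addr_start, addr_end, alloc_mem, alloc_mem + alloc_size - 1):
            return "OK"
    for alloc_mem, alloc_size in heap_map.items():
        if alloc_mem <= addr_start <= alloc_mem + alloc_size - 1 < addr_end:
            return "OOB"
    for st_start, info in heap_story.items():
        if len(info) > 2 and _inside(addr_start, addr_end, st_start, st_start + info[1] - 1):
            return "UAF freed at %#x" % info[2]
    return "UNKNOWN"

# Constructed scenario: two live chunks (dicts keep insertion order on
# Python 3.7+, so 0x2000 is the "last" entry) and an access spanning
# 0x1018..0x1020, one byte past the end of the FIRST chunk (0x101f).
HEAP_MAP = {0x1000: 0x20, 0x2000: 0x20}
HEAP_STORY = {0x1000: [0x401000, 0x20], 0x2000: [0x401010, 0x20]}
ACCESS = (0x1018, 0x1020)
# classify_fixed(*ACCESS, HEAP_MAP, HEAP_STORY) -> "OOB"
# classify_reported(*ACCESS, HEAP_MAP, HEAP_STORY) -> raises IndexError
```

An overrun of the last chunk is still reported as OOB by the posted logic; only overruns of earlier chunks fall through to the heap_story branch.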


Trust04zh commented Oct 23, 2022

If I execute scripts/SGX_SQLite/run.sh to launch the detection, a case of OOB may be discriminated as not OOB, and thus discriminated as UAF, while the relevant heap memory region wasn't freed and the access to st_alloc_info[2] fails. #11 fixes this problem.
