You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I wonder if the oob detection policy wasn't implemented as expected.
In the policy implementation, it is considered that either oob or uaf would be detected if the accessed memory region in heap isn't in certain allocated memory region in heap (which is recorded and the information is maintained in heap_map). While the implementation detects oob using alloc_start and alloc_end, which was assigned by the last iteration of the previous for loop, so the memory access is considered to be an oob case, only comparing memory boundaries with the last entry in heap_map. I wonder if an iteration was forgotten here.
If I execute scripts/SGX_SQLite/run.sh to launch the detection, case of oob may be discriminated not to be oob, and thus be discriminated to be uaf, while the relevant heap memory region wasn't freed and the access to st_alloc_info[2] fails. #11 fixes this problem.
I wonder if the oob detection policy wasn't implemented as expected.
In the policy implementation, it is considered that either oob or uaf would be detected if the accessed memory region in heap isn't in certain allocated memory region in heap (which is recorded and the information is maintained in
heap_map
). While the implementation detects oob usingalloc_start
andalloc_end
, which was assigned by the last iteration of the previousfor
loop, so the memory access is considered to be an oob case, only comparing memory boundaries with the last entry inheap_map
. I wonder if an iteration was forgotten here.see relevant code below
COIN-Attacks/src/core/Triton/src/enclaveCoverage/policies.py
Lines 265 to 311 in 464dd6e
The text was updated successfully, but these errors were encountered: