Arbitrary enclave memory overwrite vulnerability in Asylo TrustedPrimitives::UntrustedCall
Description
An attacker can modify the address to point to trusted memory to overwrite arbitrary trusted memory. It is recommended to update past 0.6.2 or git commit https://github.com/google/asylo/commit/53ed5d8fd8118ced1466e509606dd2f473707a5c
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in Asylo's UntrustedCall allows an attacker to overwrite trusted enclave memory by modifying a pointer after the boundary check.
Vulnerability
In google/asylo, the TrustedPrimitives::UntrustedCall function contains a time-of-check to time-of-use (TOCTOU) vulnerability. The code reads sgx_params->input and sgx_params->input_size from untrusted memory, then checks if the pointer is outside the enclave using IsOutsideEnclave. However, after the check, it uses sgx_params->input again instead of a saved copy, allowing an untrusted attacker to modify the pointer between the check and the Serialize call [1]. This affects versions prior to 0.6.2 and before commit 53ed5d8fd8118ced1466e509606dd2f473707a5c.
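The check-then-reuse pattern described above, next to the single-fetch form that closes the window, as an added example rather than Asylo's code or its patch. Two arrays stand in for enclave and host memory, `is_outside_enclave` is a simplified stand-in for IsOutsideEnclave, and `host_runs_in_window` is a hypothetical hook that models the concurrent change deterministically.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one array stands in for enclave memory, one for host memory. */
static unsigned char enclave_mem[32], host_buf[32];

/* Hypothetical stand-in for the shared parameter block that lives in untrusted memory. */
static struct params { void *input; size_t input_size; } shared;

/* Simplified stand-in for IsOutsideEnclave: the range must not overlap enclave_mem. */
static int is_outside_enclave(const void *p, size_t n) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)enclave_mem, hi = lo + sizeof enclave_mem;
    return a + n >= a && (a + n <= lo || a >= hi);
}

/* Models the untrusted side changing the field between the check and the use. */
static void host_runs_in_window(void) { shared.input = enclave_mem; }

/* Double fetch: the field is read once for the check and read again for the write. */
static int write_double_fetch(const void *msg, size_t n) {
    if (n > shared.input_size || !is_outside_enclave(shared.input, shared.input_size)) return -1;
    host_runs_in_window();
    memcpy(shared.input, msg, n);   /* second fetch: the value that was checked is gone */
    return 0;
}

/* Single fetch: snapshot both fields into enclave-local variables, check and use the copies. */
static int write_single_fetch(const void *msg, size_t n) {
    void *dst = shared.input;
    size_t cap = shared.input_size;
    if (n > cap || !is_outside_enclave(dst, cap)) return -1;
    host_runs_in_window();          /* a later change to shared.input no longer matters */
    memcpy(dst, msg, n);
    return 0;
}

/* Returns 1 if the chosen variant modified enclave_mem, 0 if it stayed intact. */
static int enclave_corrupted_after(int (*variant)(const void *, size_t)) {
    memset(enclave_mem, 0, sizeof enclave_mem);
    shared = (struct params){ host_buf, sizeof host_buf };
    variant("DATA", 4);
    return enclave_mem[0] != 0;
}

int main(void) {
    printf("double fetch corrupts enclave: %d\n", enclave_corrupted_after(write_double_fetch));
    printf("single fetch corrupts enclave: %d\n", enclave_corrupted_after(write_single_fetch));
    return 0;
}
```

The same rule applies to every value an enclave reads from host memory: copy it once into trusted memory, then validate and use only that copy.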
Exploitation
An attacker with the ability to modify the untrusted memory shared with the enclave (the sgx_params structure) can exploit the race window. The attacker first passes a valid pointer to untrusted memory during the IsOutsideEnclave check, then quickly changes sgx_params->input to point to trusted enclave memory before the Serialize function writes data [1]. This requires precise timing but is feasible as the attacker controls the untrusted side.
Impact
Successful exploitation allows the attacker to overwrite arbitrary trusted enclave memory, including code or sensitive data. This can lead to arbitrary code execution within the enclave, bypassing its security guarantees and potentially exposing secrets or enabling further attacks.
Mitigation
The vulnerability is fixed in Asylo version 0.6.2 and in commit 53ed5d8fd8118ced1466e509606dd2f473707a5c. Users should update past 0.6.2 or apply the corresponding git commit [1]. The repository is now archived and read-only.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Google LLC/Asylo (v5) Range: unspecified
References
[1] github.com/google/asylo/commit/ecfcd0008b6f8f63c6fa3cc1b62fcd4a52f2c0ad (mitre, x_refsource_MISC)