Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Known security issues #8

Closed
11 tasks done
mkow opened this issue Jan 21, 2021 · 2 comments
Closed
11 tasks done

Known security issues #8

mkow opened this issue Jan 21, 2021 · 2 comments

Comments

@mkow
Copy link
Member

mkow commented Jan 21, 2021

This issue lists known security problems with Graphene. Everything we're aware of but didn't have time to fix yet should be listed here. We'll also need to resolve all of them before we can say we're ready for production.

I'll try to keep this list up-to-date.

Critical: (checked means "already fixed on master")

Probably not-so-critical: (or rather: we don't know any app which would be vulnerable because of these)

  • CPUID sanitization (Iago attacks on CPUID graphene#966) - currently we sanitize everything we know may lead to corruptions in users' apps (like xsave area sizes), but maybe there are more dangerous cpuid leaves? We also allow the values to change in time in some cases, which is usually impossible on real hardware.
  • There are tons of subtle attack angles related to differences between the upstream Linux API and what we actually implement or can support on a specific backend. E.g. on SGX1 we can't change memory permissions, so everything is RWX, or that we support flag X but not flag Y in some syscalls (while in Linux support for X implies support for Y). It's quite hard for me to imagine a real-world application which would rely on such things for its correctness (and I mean correctness, not exploitability if another bug is present), but it's still worth noting that such a possibility exists.
  • Time readings may be easily spoofed, but unless we won't allow it going backwards then it's hard to imagine an application exploitable by changing system time. There may be some issues with TLS certificate validation logic in applications (e.g. the attacker shifts back time and shows an old, leaked cert for some domain). I guess users would need to ship the applications with a reasonably up-to-date revocation lists?

Update: I moved the hardening ideas to a separate issue: #54.

@mkow mkow pinned this issue Jan 21, 2021
@mkow mkow transferred this issue from gramineproject/graphene Sep 9, 2021
@mkow mkow pinned this issue Sep 9, 2021
@mkow mkow closed this as completed Oct 8, 2021
@mkow mkow unpinned this issue Oct 8, 2021
@Glenrun
Copy link

Glenrun commented Jan 11, 2022

@mkow hello, is the security audit done by external security expert?

@mkow
Copy link
Member Author

mkow commented Jan 11, 2022

Hi, depends what do you mean by "external". There were some non-gramine-developers doing parts of it, but they were employed by a company involved in this project. And some parts were done by the maintainers.

kailun-qin pushed a commit to kailun-qin/gramine that referenced this issue Oct 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants