Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1452 Discussions

Methods to check pointers when using [user_check] attribute?

jason_t_
Beginner
‎01-03-2017 07:51 PM
855 Views

In SGX developer guide Pointer Handling https://software.intel.com/en-us/node/696463, it mentions that 

You may use the direction attribute to trade protection for performance. Otherwise, you must use the user_checkattribute described below and validate the data obtained from untrusted memory via pointers before using it, since the memory a pointer points to could change unexpectedly because it is stored in untrusted memory. 

I get that a pointer from untrusted memory could potentially change without notification, but how is the code inside enclave supposed to check the pointer? It doesn't know what the value the pointer points to. It only knows the type of data. So is it just a type check?

 

 

0 Kudos

Link Copied

3 Replies
Prabu_R_Intel
Employee
‎01-04-2017 10:57 AM
855 Views


Hello Jason,

In certain situations, the restrictions imposed by the direction attribute may not support the application needs for data communication across the enclave boundary. For instance,  a buffer might be too large to fit in enclave memory and needs to be fragmented into smaller blocks that are then processed in a series of ECALLs, or an application might require  passing a pointer to trusted memory (enclave context) as en ECALL parameter.

 To support these specific scenarios, the EDL language provides the user_check attribute. Para-meters declared with the user_check attribute do not undergo any of the checks described  for [in] and [out] attributes. However, the ISV must understand the risks associated with passing pointers in and out the enclave, in general, and the user_check attribute, in  particular. The ISV must ensure that all the pointer checking and data copying is done correctly or risk compromising enclave secrets.
 
Thanks,
R.Prabu

0 Kudos
Copy link
jason_t_
Beginner
‎01-04-2017 05:43 PM
855 Views

Thank you R.Prabu, but I still have some issue in understanding it, especially the case when

a buffer might be too large to fit in enclave memory and needs to be fragmented into smaller blocks that are then processed in a series of ECALLs

In this case, the application code is responsible to fragment the buffer, right? So why not mark the ECALL with [in] attribute and simply call the ECALLs in a one-after-another fashion?

I guess my core question is what exactly should we check in the [user_check] pointers?

Thank you so much.

Jason

0 Kudos
Copy link
Juan_d_Intel
Employee
‎01-09-2017 11:16 AM
855 Views

The documentation pertaining [user_check] is somewhat vague because the checks that need to be performed depend on the nature of the data being pointed at and how it will be used. At a minimum, for [user_check] you must confirm that the pointer isn't NULL and the location of the data pointed to. Whether it should be outside or inside enclave memory is application specific. Additional, application specific checks must follow.

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.