In SGX developer guide Pointer Handling https://software.intel.com/en-us/node/696463, it mentions that
You may use the direction attribute to trade protection for performance. Otherwise, you must use the
user_checkattribute described below and validate the data obtained from untrusted memory via pointers before using it, since the memory a pointer points to could change unexpectedly because it is stored in untrusted memory.
I get that a pointer from untrusted memory could potentially change without notification, but how is the code inside enclave supposed to check the pointer? It doesn't know what the value the pointer points to. It only knows the type of data. So is it just a type check?
In certain situations, the restrictions imposed by the direction attribute may not support the application needs for data communication across the enclave boundary. For instance, a buffer might be too large to fit in enclave memory and needs to be fragmented into smaller blocks that are then processed in a series of ECALLs, or an application might require passing a pointer to trusted memory (enclave context) as en ECALL parameter.
To support these specific scenarios, the EDL language provides the user_check attribute. Para-meters declared with the user_check attribute do not undergo any of the checks described for [in] and [out] attributes. However, the ISV must understand the risks associated with passing pointers in and out the enclave, in general, and the user_check attribute, in particular. The ISV must ensure that all the pointer checking and data copying is done correctly or risk compromising enclave secrets.
Thank you R.Prabu, but I still have some issue in understanding it, especially the case when
a buffer might be too large to fit in enclave memory and needs to be fragmented into smaller blocks that are then processed in a series of ECALLs
In this case, the application code is responsible to fragment the buffer, right? So why not mark the ECALL with [in] attribute and simply call the ECALLs in a one-after-another fashion?
I guess my core question is what exactly should we check in the [user_check] pointers?
Thank you so much.
The documentation pertaining [user_check] is somewhat vague because the checks that need to be performed depend on the nature of the data being pointed at and how it will be used. At a minimum, for [user_check] you must confirm that the pointer isn't NULL and the location of the data pointed to. Whether it should be outside or inside enclave memory is application specific. Additional, application specific checks must follow.