Fuzzing SGX Enclaves via Host Program Mutations.


Intel Software Guard Extensions (SGX) is the cornerstone of Confidential Computing, enabling runtime code and data integrity and confidentiality via enclaves. Unfortunately, memory-unsafe and type-unsafe programming languages, such as C/C++, are commonly used to develop enclave implementations. As a result, a memory corruption or a data race within an enclave can enable attacks against it, such as Return-Oriented Programming (ROP) and data leakage, breaking the hardware security guarantee provided by SGX. To automatically identify these issues in existing enclave implementations, in this paper we propose FUZZSGX, an input- and program-mutation-based fuzzer for Intel SGX enclave implementations. FUZZSGX provides an enclave fuzzing runtime, FUZZSGX RUNTIME, a drop-in library for the Intel SGX SDK that enables code coverage and sanitization within enclaves. To explore the host app-enclave boundary, FUZZSGX conducts static analysis and symbolic execution on existing host apps and enclave implementations to generate promising fuzzing programs, fuzzing both ECALLs and OCALLs. We evaluate FUZZSGX on 30 popular SGX applications and enclave implementations and find 93 bugs among these SGX projects, including data races, null pointer dereferences, out-of-bounds accesses, division by zero, etc. Compared to state-of-the-art fuzzers, FUZZSGX achieves 3.2x higher code coverage and finds 48.2% more bugs by directly targeting the host app-enclave boundary through program mutations.
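As an added illustration (not part of the paper or of the FuzzSGX code), the following C simulation shows why mutating the host program, and not only the ECALL inputs, matters: a constructed toy enclave holds a state-dependent out-of-bounds read that is only reachable through a particular ECALL sequence, and a sanitizer stand-in counts the reports. The ECALL names, the enclave state and the PRNG are all assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
/* Toy enclave (constructed, not FuzzSGX code): a state-dependent out-of-bounds read only reachable via one ECALL sequence */
#define ENC_BUF_SIZE 16
static uint8_t enc_buf[ENC_BUF_SIZE];
static size_t  enc_len;        /* bytes the enclave considers valid */
static int     san_oob_hits;   /* stand-in for an in-enclave sanitizer report */
static uint8_t checked_read(size_t i) {            /* sanitizer-style bounds check */
    if (i >= ENC_BUF_SIZE) { san_oob_hits++; return 0; }   /* report instead of reading */
    return enc_buf[i];
}
static void enclave_reset(void) { memset(enc_buf, 0, sizeof enc_buf); enc_len = 0; }
/* ECALLs: set_data is bounds-checked; truncate forgets the buffer-size check */
static int ecall_set_data(const uint8_t *p, size_t n) {
    if (!p || n > ENC_BUF_SIZE) return -1;
    memcpy(enc_buf, p, n); enc_len = n; return 0;
}
static int ecall_truncate(size_t new_len) { enc_len = new_len; return 0; }   /* BUG: no check */
static int ecall_get_byte(size_t i) { return i < enc_len ? checked_read(i) : -1; }  /* trusts enc_len */
static uint32_t rng_state;   /* deterministic xorshift32 so every run mutates the same way */
static uint32_t rnd(void) { uint32_t x = rng_state; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return rng_state = x; }
/* Input-only fuzzing: fixed host program (set_data, get_byte), mutated arguments; returns sanitizer reports */
int fuzz_inputs_only(int iters) {
    uint8_t buf[ENC_BUF_SIZE];
    san_oob_hits = 0; rng_state = 1u;
    for (int it = 0; it < iters; it++) {
        enclave_reset();
        for (size_t i = 0; i < sizeof buf; i++) buf[i] = (uint8_t)rnd();
        ecall_set_data(buf, rnd() % (ENC_BUF_SIZE + 1));
        ecall_get_byte(rnd() % 64);
    }
    return san_oob_hits;
}
/* Program mutation: the host program itself (which ECALLs, in what order) is generated, so truncate(40) -> get_byte(30) gets exercised */
int fuzz_program_mutation(int iters) {
    uint8_t buf[ENC_BUF_SIZE];
    san_oob_hits = 0; rng_state = 1u;
    for (int it = 0; it < iters; it++) {
        enclave_reset();
        for (int step = 0; step < 4; step++) {
            for (size_t i = 0; i < sizeof buf; i++) buf[i] = (uint8_t)rnd();
            switch (rnd() % 3) {
            case 0:  ecall_set_data(buf, rnd() % (ENC_BUF_SIZE + 1)); break;
            case 1:  ecall_truncate(rnd() % 64); break;
            default: ecall_get_byte(rnd() % 64); break;
            }
        }
    }
    return san_oob_hits;
}
```

With the same mutation budget, the input-only loop never triggers the sanitizer because the fixed host program never calls the unchecked ECALL, while the program-mutating loop does.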