Jo Van Bulck

Results: 36 issues of Jo Van Bulck

Current `libsgxstep` implicitly assumes a single victim enclave in the host process. Functions in `enclave.h` should better be parameterized with a unique victim enclave identifier.

refactor
feature

Nowadays SGX-Step requires `nox2apic` to operate the APIC timer in memory-mapped I/O mode. It may be useful to also have X2APIC support in SGX-Step. That would require manipulating MSRs instead...

feature

Keeping here for future reference (low priority): Current Makefiles contain a lot of unnecessary duplicated variables and config. Better include a top-level Makefile.include file or so. or even consider using...

refactor

Currently, the Intel SGX-SDK patch and `aep_trampoline.S` use global variables to store the current TCS. This may not work in a multi-threaded environment (e.g., Gramine). Best would be to...

feature

Current behavior erroneously jumps to the _address_ of the BR instruction, instead of the SRC operand. This leads to an infinite loop as per below. ======================== EXAMPLE CODE (objdump) ========================...

Described [here](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00330.html) and [here](https://software.intel.com/security-software-guidance/insights/deep-dive-snoop-assisted-l1-data-sampling); "Snoopy" seems to be a special type of Foreshadow/L1TF; not sure how this would fit into the classification tree? It doesn't seem that snoops are a...

ext

Described [here](https://businessresources.bitdefender.com/hubfs/noindex/Bitdefender-WhitePaper-INTEL-CPUs.pdf?utm_campaign=swapgs&utm_source=web&adobe_mc=MCMID%3D77118601880064029731700614210949073821%7CMCORGID%3D0E920C0F53DA9E9B0A490D45%2540AdobeOrg%7CTS%3D1571064432) and [here](https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-speculative-behavior-swapgs-and-segment-registers), this actually also includes an interesting sub-instance of MD-GP. The paper and deep-dive are not very clear on the exact interaction with #GP faults, but afaik...

ext

We should incorporate https://lviattack.eu/ into the tree. Either as an addition to the MD subtree or a separate branch? Given the symmetry with existing MD-type attacks, I'd argue for extending...

ext

Would be a nice feature to have a "timeline" feature where you can drag a slider to see how the transient exec landscape and each of the attack nodes in...

website

We should add a paragraph to each attack node in the tree listing "known defenses" and links

website