Security mitigations and hardening

[mkow]

Ideas for security mitigations and "bug prevention"

Mitigations/sanitizations

• We need better sanitization of OCALL arguments. Current version most likely is not dangerous, but there's a chance that some apps may be manipulated this way into doing something unexpected. See [Linux-SGX] Hardening in/out OCALL params graphene#1236.

Bug detection

• Run tests with sanitizers in CI (see Integration with sanitizers #19).
• Run some linters in CI. Problem: most have high false-positive ratios.
• Implement __user-like specifier to check for TOCTOU bugs during compilation (gramineproject/graphene#635; most relevant for OCALLs).

[boryspoplawski]

The TOCTOU part is already solved, see the last comment in #55.

[mkow]

Right, I updated that point.

[dimakuv]

From what I understand, only the first item ("We need better sanitization of OCALL arguments") must be resolved for the release (so priority P0 or P1). The rest (sanitizers/linters) is to be added after the release (so priority P2). For this reason, I'm marking this whole issue as P2.

Notice that gramineproject/graphene#1236 linked to the first item is already marked as P0.

[mkow]

Yup. Although the OCALL thing is a bit of an unknown area, I think all obviously dangerous places are sanitized already, only some more subtle ones are left. But we should resolve it rather sooner than later to not risk having security vulns. But if gramineproject/graphene#1236 is P0 then this can stay at P2.

[dimakuv]

I think we can close this issue. @mkow If you think that some parts are still relevant, I suggest to create a new issue then.

[mkow]

Most of them were solved or brought to a state where further improvements would yield only small gains, so I'm fine with closing it.