25. June 2024

[dimakuv]

Agenda

(please write your proposed agenda items in comments under this discussion)

• Dmitrii/Mona: Stack overflows in non-EDMM cases are silent and hard to debug
  • Continue discussion from 18. June 2024 #1906
  • Proposal from Dmitrii: make the main-thread (first) stack a "special" one -- it is EADDed on enclave creation with RWX permissions, but the guard page is EADDed with NONE permissions. It is very probable that the main thread will trip over this guard page (though this ad-hoc solution won't detect if a stack overflow happens in a non-main thread).
• Dmitrii: Update ciphersuite used for securing pipe/UDS connections
  • Tried two PRs: DONTMERGE [common] Update ciphersuite used for securing pipe/UDS connections #1911 and DONTMERGE [common] Update ciphersuite used for securing pipe/UDS connections #1918
  • Both are quite bad in terms of performance (the former is also in terms of broken functionality)
  • Asked an Intel crypto expert on performance, waiting for reply

Dmitrii/Mona: Stack overflows in non-EDMM cases are silent and hard to debug

Osho: the documentation fix was the agreed-upon solution from previous week's meeting.

Anjo: need to have a guard page for Gramine internal stacks anyway (unrelated issue, but still need to fix).

Dmitrii: my proposed solution has bad security, main thread's stack is not randomized, negating ASLR benefits.

Osho/Dmitrii: Golang apps (pretty sure) immediately switch the first provided-by-kernel stack to their own allocated stack. Google Chrome does it as well. Python probably not. So at least some language runtimes/frameworks won't benefit at all from Dmitrii's proposal.

Mona: go with a documentation update, as agreed in the previous meeting (#1906).

• "One known reason for Gramine to crash/misbehave is a small stack size (when Gramine runs without EDMM)."
• "Typically for Python you need bigger stack sizes like 2MB or 8MB"
• Add to places: sys.stack.size and where we talk about EDMM

Osho: maybe create a new Docs page "Known problems", and start with this particular issue

• Mona: this is low priority for now

Dmitrii: Update ciphersuite used for securing pipe/UDS connections

Dmitrii explained the problem. However, in the meantime, the original problem was resolved (it was misunderstanding from Dmitrii's side). Read these threads:

• Remove support for the RSA-decryption key exchange in TLS 1.2 Mbed-TLS/mbedtls#8170
• DONTMERGE [common] Update ciphersuite used for securing pipe/UDS connections #1918