ParaTaintGX: Detecting Memory Corruption Vulnerabilities in SGX Applications via Parameter-Taint Model

Intel Software Guard Extensions (SGX) have been widely studied and adopted in privacy-preserving information systems to enhance the security and privacy guarantees of sensitive data computation. By constructing a protected enclave within the processor, SGX provides hardware-enforced confidentiality and integrity for sensitive data and critical code. Nevertheless, due to inevitable interactions between trusted enclaves and untrusted host environments, SGX applications remain vulnerable to memory corruption attacks. Existing detection techniques exhibit fundamental limitations, including the lack of systematic induction of SGX-specific memory corruption behaviors, the absence of fine-grained parameter-level taint modeling during call-chain construction, and relatively inefficient call-chain exploration strategies over large search spaces. To address these issues, we propose ParaTaintGX, an analysis framework that integrates parameter-level taint states into vulnerability detection. ParaTaintGX constructs fine-grained call-chain nodes that capture both functions and the taint states of their parameters. It further introduces a Multi-node Heuristic Priority Search Algorithm to guide call-chain exploration. In addition, a backtracking-based pruning strategy is applied during path analysis to efficiently identify memory corruption vulnerabilities. Our evaluation demonstrates that ParaTaintGX discovers 12 vulnerabilities across 10 open-source SGX projects, outperforming the best baseline tool by two vulnerabilities. It achieves 19.35% precision, surpassing the most precise existing tool by 8.37 percentage points. These results highlight its superior detection capability and precision.