https://community.intel.com/t5/Intel-Software-Guard-Extensions/system-quot-Command-quot-inside-the-enclave/m-p/1068925#M249 <P style="word-wrap: break-word; font-size: 12px;">Hi,</P> <P style="word-wrap: break-word; font-size: 12px;">We should not use system("Command") inside the enclave.</P> <P style="word-wrap: break-word; font-size: 12px;">Can we use wget,CuraEngine or "&nbsp;powershell -command "&amp; { (New-Object Net.WebClient).DownloadFile('<A href="http://myurl/" style="cursor: pointer;">http://myUrl</A>', 'C:\path\to\test.json')}" " like commands directly inside the enclave.</P> <P style="word-wrap: break-word; font-size: 12px;">Usually we keep eclaveWrapper&nbsp;&nbsp;files in enclave_definition folder.&nbsp;Can we run the above commands in eclaveWrapper files which is different than the enclave_application folder. if we follow this process can we make sure about the safety of the files.</P> <P style="word-wrap: break-word; font-size: 12px;"><SPAN style="line-height: 1.5;">Thanks &amp; Regards,</SPAN></P> Thu, 08 Sep 2016 06:21:19 GMT SAM_R_2 2016-09-08T06:21:19Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/system-quot-Command-quot-inside-the-enclave/m-p/1068925#M249 <P style="word-wrap: break-word; font-size: 12px;">Hi,</P> <P style="word-wrap: break-word; font-size: 12px;">We should not use system("Command") inside the enclave.</P> <P style="word-wrap: break-word; font-size: 12px;">Can we use wget,CuraEngine or "&nbsp;powershell -command "&amp; { (New-Object Net.WebClient).DownloadFile('<A href="http://myurl/" style="cursor: pointer;">http://myUrl</A>', 'C:\path\to\test.json')}" " like commands directly inside the enclave.</P> <P style="word-wrap: break-word; font-size: 12px;">Usually we keep eclaveWrapper&nbsp;&nbsp;files in enclave_definition folder.&nbsp;Can we run the above commands in eclaveWrapper files which is different than the enclave_application folder. if we follow this process can we make sure about the safety of the files.</P> <P style="word-wrap: break-word; font-size: 12px;"><SPAN style="line-height: 1.5;">Thanks &amp; Regards,</SPAN></P> Thu, 08 Sep 2016 06:21:19 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/system-quot-Command-quot-inside-the-enclave/m-p/1068925#M249 SAM_R_2 2016-09-08T06:21:19Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/system-quot-Command-quot-inside-the-enclave/m-p/1068926#M250 <P>As a general statement, IO is not supported inside an enclave - you have to make OCALLs.</P> <P>If your enclave makes an OCALL to the untrusted part of your application, and in the untrusted part of your application you decide to make any of the IO calls you mentioned, then this "will work" from a "is this possible" perspective.</P> <P>As you mentioned, it would be up to you to verify that whatever data you obtained (via wget, powershell, etc) is data that you trust and want to pass back to the enclave. Furthermore, an attacker may view or modify the data sometime between the time you received it and the time you sent it to the enclave. You would have to protect against that as well.</P> Thu, 08 Sep 2016 16:38:58 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/system-quot-Command-quot-inside-the-enclave/m-p/1068926#M250 Francisco_C_Intel 2016-09-08T16:38:58Z