topic Thanks Surenthar in Intel® Software Guard Extensions (Intel® SGX)

SGX enclaves

Sam5 — Fri, 22 Jul 2016 03:21:50 GMT

Hi,

Are there any guarantees for freshness of sealed data? In other words, rollback attack, where a malicious OS tries to roll the state of the enclave back to some earlier point in time: e.g., checkpoint the saved state, run the enclave for a while, then possibly restore back to the checkpoint. Can SGX code defend against such rollback attacks? If so, how?

-Thanks

Hi Sam,

Surenthar_S_Intel — Mon, 25 Jul 2016 03:55:40 GMT

Hi Sam,

The CPU does not directly provide such protection, but you can rely on the monotonic counter and the trusted time features of the ME to achieve it. They can be used to limit the duration for which a secret is valid (trusted time) and prevent replay attacks (monotonic counter). I would point them at the developer reference:

https://software.intel.com/sites/default/files/managed/b4/cf/Intel-SGX-SDK-Developer-Reference-for-Windows-OS.pdf

The section on Sealed Data talks about setting replay and time-based policies, and which functions in the SDK are there to assist.

Thanks and Reagrds,
Surenthar Selvaraj

Thanks Surenthar

Sam5 — Mon, 25 Jul 2016 04:37:17 GMT

Thanks Surenthar