https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-cannot-protect-memory-in-Enclave-from-being-accessed/m-p/1183045#M3612 <P>Hi,</P><P>As I know,the core technology of SGX is to protect a memory area from being accessed by external environment, but I test that when I apply for a memory in Enclave,whatever in&nbsp;Real hardware mode or&nbsp;simulator mode, I can still access the memory in Enclave by calling OCALL outgoing address and using memory&nbsp;tools (such as Cheat Engine). And When I destroy the Encalve,the memory pointed&nbsp;by the address is also free.</P><P>I used the code sample in this tutorial as a test program :&nbsp;https://software.intel.com/en-us/node/701612</P><P>In this tutorial,He explained that the ECALL parameter passing without the user_check flag, the parameter address in non-secure area and the safe area will be different. But these two pointers can be accessed externally (For example, using Cheat Engine), then it's meaningless even if the two addresses are&nbsp;different.</P><P>Are there any mistakes in my steps?</P><P>Thank you.</P> Sun, 07 Apr 2019 06:15:38 GMT Ray1 2019-04-07T06:15:38Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-cannot-protect-memory-in-Enclave-from-being-accessed/m-p/1183045#M3612 <P>Hi,</P><P>As I know,the core technology of SGX is to protect a memory area from being accessed by external environment, but I test that when I apply for a memory in Enclave,whatever in&nbsp;Real hardware mode or&nbsp;simulator mode, I can still access the memory in Enclave by calling OCALL outgoing address and using memory&nbsp;tools (such as Cheat Engine). And When I destroy the Encalve,the memory pointed&nbsp;by the address is also free.</P><P>I used the code sample in this tutorial as a test program :&nbsp;https://software.intel.com/en-us/node/701612</P><P>In this tutorial,He explained that the ECALL parameter passing without the user_check flag, the parameter address in non-secure area and the safe area will be different. But these two pointers can be accessed externally (For example, using Cheat Engine), then it's meaningless even if the two addresses are&nbsp;different.</P><P>Are there any mistakes in my steps?</P><P>Thank you.</P> Sun, 07 Apr 2019 06:15:38 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-cannot-protect-memory-in-Enclave-from-being-accessed/m-p/1183045#M3612 Ray1 2019-04-07T06:15:38Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-cannot-protect-memory-in-Enclave-from-being-accessed/m-p/1183046#M3613 <P>.</P> Sun, 07 Apr 2019 06:19:00 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-cannot-protect-memory-in-Enclave-from-being-accessed/m-p/1183046#M3613 Ray1 2019-04-07T06:19:00Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-cannot-protect-memory-in-Enclave-from-being-accessed/m-p/1183047#M3614 <P>In order to prevent an enclave from being debugged, in the application, the enclave must be loaded in the non-debug mode.</P><P>To load an enclave in debug mode, the debugger flag (the second parameter of sgx_create_enclave) must be TRUE.</P><P>To load it in non-debug mode, you need to pass in FALSE.</P><P>See <A href="https://software.intel.com/en-us/blogs/2016/01/07/intel-sgx-debug-production-prelease-whats-the-difference">https://software.intel.com/en-us/blogs/2016/01/07/intel-sgx-debug-production-prelease-whats-the-difference</A> , <A href="https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/681473">https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/681473</A> , <A href="https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/737509">https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/737509</A> for more information.</P><P>&nbsp;</P><P>Thanks,</P><P>Francisco</P> Tue, 09 Apr 2019 18:47:34 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-cannot-protect-memory-in-Enclave-from-being-accessed/m-p/1183047#M3614 Francisco_C_Intel 2019-04-09T18:47:34Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-cannot-protect-memory-in-Enclave-from-being-accessed/m-p/1183048#M3615 <P></P><BLOCKQUOTE>Francisco C. (Intel) wrote:<BR /><P></P><P>In order to prevent an enclave from being debugged, in the application, the enclave must be loaded in the non-debug mode.</P><P>To load an enclave in debug mode, the debugger flag (the second parameter of sgx_create_enclave) must be TRUE.</P><P>To load it in non-debug mode, you need to pass in FALSE.</P><P>See <A href="https://software.intel.com/en-us/blogs/2016/01/07/intel-sgx-debug-production-prelease-whats-the-difference">https://software.intel.com/en-us/blogs/2016/01/07/intel-sgx-debug-production-prelease-whats-the-difference</A> , <A href="https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/681473">https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/681473</A> , <A href="https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/737509">https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/737509</A> for more information.</P><P>&nbsp;</P><P>Thanks,</P><P>Francisco</P><P></P></BLOCKQUOTE><P></P><P>Thank you so much！</P><P>Ray</P> Thu, 11 Apr 2019 00:48:42 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-cannot-protect-memory-in-Enclave-from-being-accessed/m-p/1183048#M3615 Ray1 2019-04-11T00:48:42Z