topic Re:std::stringstream in encalve in Intel® Software Guard Extensions (Intel® SGX)

std::stringstream in encalve

shmoo — Mon, 15 Mar 2021 15:40:21 GMT

Why is it not possible to use std::stringstream in an enclave?

Re:std::stringstream in encalve

JesusG_Intel — Mon, 15 Mar 2021 21:52:26 GMT

Hello Shmoo,

Stringstream is part of <iostream> which is not supported by SGX. The SGX Developer Reference Guide states:

"As for the C++ standard library, most functions will work just as its untrusted counterpart, but here is a high level summary of features that are not supported inside the enclave:

1. I/O related functions and classes, like <iostream>;

2. Functions depending on a locale library;

3. Any other functions that require system calls."

The section Unsupported C++ Standard Classes and Functions contains a table, titled "Input/Output Library," in which iostream is listed as not supported.

As a workaround to access iostream functions within an enclave, create an ocall. The SampleEnclave example in the SGX SDK demonstrates how to implement an ocall for using printf within an enclave.

Sincerely,

Jesus G.

Intel Customer Support

Re: Re:std::stringstream in encalve

shmoo — Tue, 16 Mar 2021 06:36:00 GMT

Hello Jesus!

Thank you for your response! I am aware of that table. But Is there any reason why it is not supported? Are there any technical difficulties regarding the implementation?

Sincerely,
David

Re:std::stringstream in encalve

JesusG_Intel — Tue, 16 Mar 2021 16:35:46 GMT

Hello Shmoo,

The I/O operations defined within <iostream> are not supported due to security reasons. The SGX SDK includes a trusted version of the C++ standard library. Remember, that SGX enclaves must be isolated from the system in order to maintain their security posture. The system is essentially untrusted. I/O operations are too dependent on system resources so a trusted version could not be created. This is why the enclave must go through the untrusted app to do I/O. If the untrusted app gets compromised, the enclave is not affected.

Sincerely,

Jesus G.

Intel Customer Support

Re: Re:std::stringstream in encalve

shmoo — Wed, 17 Mar 2021 06:11:08 GMT

I am aware that the enclave does not allow i/o operations. But the std::stringstream does not include iostream and does make any file i/o operations.

The reason I am asking this, is because several third party libraries rely on std::stringsteam and because of the missing implementation, it was impossible for us to include these libraries.

Re: std::stringstream in encalve

JesusG_Intel — Wed, 17 Mar 2021 22:00:12 GMT

Hello Shmoo,

I do not know the particulars of how the SGX engineers assess a function's security posture. All we know is that they assessed the functions in <iostream> and decided that they could not be ported into a trusted library.

Sincerely,
Jesus G.
Intel Customer Support

Re:std::stringstream in encalve

JesusG_Intel — Mon, 22 Mar 2021 22:38:48 GMT

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.