Dear all,
I'm working on a proof of concept to demonstrate that SGX enclaves protect the content of the memory, by scanning the allocated memory of a process that hosts an enclave.
From the untrusted part, when scanning for some values that are only located in the enclave (transferred using TLS, not hardcoded in the enclave binary), I found them in a memory range allocated in the process and shown as part of the mapped pages of /dev/isgx when checking /proc/<pid>/maps. This surprises me because I thought PRERELEASE mode offered the same security guarantees as RELEASE in terms of isolation.
My enclave is compiled using the following flags:
- SGX_MODE ?= HW
- SGX_PRERELEASE ?= 1
- SGX_DEBUG ?= 0
The XML config file looks like this:
<!-- Please refer to User's Guide for the explanation of each field -->
<EnclaveConfiguration>
  <ProdID>0</ProdID>
  <ISVSVN>0</ISVSVN>
  <StackMaxSize>0x100000</StackMaxSize>
  <HeapMaxSize>0x2000000</HeapMaxSize>
  <ReservedMemMaxSize>0x1000000</ReservedMemMaxSize>
  <ReservedMemExecutable>1</ReservedMemExecutable>
  <TCSNum>10</TCSNum>
  <TCSPolicy>1</TCSPolicy>
  <DisableDebug>0</DisableDebug>
  <MiscSelect>0</MiscSelect>
  <MiscMask>0xFFFFFFFF</MiscMask>
</EnclaveConfiguration>
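The two checks behind this question, as an added example that is not part of the thread or of the Intel SGX SDK: the first function replays the rule the SDK sample Makefile and sgx_urts.h apply (SGX_DEBUG_FLAG is 0 only when NDEBUG is defined and EDEBUG is not, so a PRERELEASE build, which defines EDEBUG, still launches the enclave with the DEBUG attribute), combined with the <DisableDebug> field of the config above; the second parses /proc/<pid>/maps text and lists the ranges backed by the SGX device node, which is the check done by hand in the post. The device paths are the ones the out-of-tree and in-kernel drivers expose; the maps excerpt is constructed sample data, not a real capture.

```python
"""Audit helpers for an SGX build configuration (added example, not SDK code).

classify_build()   - what isolation SGX_MODE / SGX_DEBUG / SGX_PRERELEASE plus
                     <DisableDebug> actually give you at launch.
enclave_mappings() - which /proc/<pid>/maps ranges are backed by the SGX driver.
"""
import re
import xml.etree.ElementTree as ET

# Device nodes of the legacy out-of-tree driver (isgx) and the in-kernel driver.
ENCLAVE_DEVICES = ("/dev/isgx", "/dev/sgx_enclave", "/dev/sgx/enclave")

# The config from the post, minus the leading comment.
CONFIG_XML = """<EnclaveConfiguration>
  <ProdID>0</ProdID>
  <ISVSVN>0</ISVSVN>
  <StackMaxSize>0x100000</StackMaxSize>
  <HeapMaxSize>0x2000000</HeapMaxSize>
  <ReservedMemMaxSize>0x1000000</ReservedMemMaxSize>
  <ReservedMemExecutable>1</ReservedMemExecutable>
  <TCSNum>10</TCSNum>
  <TCSPolicy>1</TCSPolicy>
  <DisableDebug>0</DisableDebug>
  <MiscSelect>0</MiscSelect>
  <MiscMask>0xFFFFFFFF</MiscMask>
</EnclaveConfiguration>"""


def launch_debug_flag(sgx_debug: int, sgx_prerelease: int) -> int:
    """SGX_DEBUG_FLAG as the SDK sample app passes it to sgx_create_enclave()."""
    if sgx_debug and sgx_prerelease:
        # The sample Makefile refuses this combination outright.
        raise ValueError("SGX_DEBUG and SGX_PRERELEASE cannot both be 1")
    # DEBUG build: -DDEBUG. PRERELEASE: -DNDEBUG -DEDEBUG. Both give flag 1;
    # only RELEASE (-DNDEBUG without EDEBUG) gives 0.
    return 1 if (sgx_debug or sgx_prerelease) else 0


def classify_build(sgx_mode: str, sgx_debug: int, sgx_prerelease: int,
                   config_xml: str) -> dict:
    """Summarise what the chosen flags and config mean for enclave memory."""
    disable_debug = int(ET.fromstring(config_xml).findtext("DisableDebug", "0"), 0)
    debug_attr = bool(launch_debug_flag(sgx_debug, sgx_prerelease))
    mode = "DEBUG" if sgx_debug else "PRERELEASE" if sgx_prerelease else "RELEASE"
    hw = sgx_mode.upper() == "HW"
    findings = []
    if not hw:
        findings.append("SIM mode: enclave runs in software, no EPC isolation at all")
    if debug_attr and disable_debug:
        findings.append("DisableDebug=1 forbids the DEBUG attribute; a debug-flag launch fails")
    if debug_attr:
        findings.append("DEBUG attribute set: a debugger can read enclave pages (EDBGRD)")
    if mode == "RELEASE":
        findings.append("RELEASE: enclave must be signed out of band with the production key")
    return {
        "mode": mode,
        "debug_attribute": debug_attr,
        # Only a HW-mode enclave launched without DEBUG keeps its pages from debugger reads.
        "memory_shielded_from_debugger": hw and not debug_attr,
        "findings": findings,
    }


# address range, perms, offset, dev, inode, optional pathname
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$")

# Constructed /proc/<pid>/maps excerpt (not a real capture): two ranges on /dev/isgx.
SAMPLE_MAPS = """\
55d0c1a00000-55d0c1a08000 r-xp 00000000 08:01 1311 /home/user/app
7f3c20000000-7f3c22000000 rw-s 00000000 00:06 4242 /dev/isgx
7f3c22000000-7f3c22100000 r-xs 02000000 00:06 4242 /dev/isgx
7f3c40000000-7f3c40021000 r--p 00000000 08:01 9001 /usr/lib/x86_64-linux-gnu/libsgx_urts.so
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0 [stack]
"""


def enclave_mappings(maps_text: str) -> list:
    """Return the ranges in maps_text that are backed by an SGX device node."""
    found = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, end, perms, _offset, _dev, _inode, path = m.groups()
        if path in ENCLAVE_DEVICES:
            lo, hi = int(start, 16), int(end, 16)
            found.append({"start": lo, "end": hi, "size": hi - lo,
                          "perms": perms, "path": path})
    return found


if __name__ == "__main__":
    report = classify_build("HW", sgx_debug=0, sgx_prerelease=1, config_xml=CONFIG_XML)
    print(report["mode"], "debug_attribute =", report["debug_attribute"])
    for f in report["findings"]:
        print(" -", f)
    for r in enclave_mappings(SAMPLE_MAPS):
        print(f"enclave range {r['start']:#x}-{r['end']:#x} "
              f"({r['size']:#x} bytes, {r['perms']}) via {r['path']}")
```

Running it with the post's flags reports mode PRERELEASE with the DEBUG attribute set, which is the condition under which a debugger-style read of the /dev/isgx ranges succeeds; only SGX_MODE=HW with neither SGX_DEBUG nor SGX_PRERELEASE yields memory_shielded_from_debugger = True.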
Hi Ket,
Yes, the DisableDebug flag must remain 0 if you are running in pre-release mode. Also make sure the other flags are set correctly to run in pre-release mode (SGX_PRERELEASE=1, SGX_DEBUG=0, SGX_MODE=HW).
In pre-release mode, the data is not necessarily protected by the hardware. For full memory protection, you would need to have the enclave signed by Intel.
Hope this is helpful.
Sincerely,
Sahira
Dear Sahira,
Many thanks for your response! This explains why we observe such results. Could you please share more information regarding how data is protected in PRERELEASE mode and the difference between PRERELEASE and RELEASE in terms of memory isolation (provided we use an up-to-date Linux distribution as the OS)?
Many thanks!
Cheers
Hi Ket,
An enclave launched in release mode disables access to the enclave's memory (by untrusted apps, debuggers, etc.) at the hardware level. Pre-Release mode does not have this functionality.
Hope this helps
Sincerely,
Sahira