Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

External verification of enclave application legitimacy

adukots
Novice
‎10-07-2022 12:26 AM
1,177 Views
Solved Jump to solution

Hello,

I have a question about how to check the legitimacy of an enclave application from the outside.

 

I envision the following scenario: the enclave application runs on a remote server, and the client verifies the legitimacy of the enclave program's application on the server before executing it.

 

By performing remote attestation, the MRENCLAVE of the enclave program on the server can be obtained, which allows the client side to know what program is running on the server. However, how can I link this MRENCLAVE to a legitimate program? I thought that a trusted third party could store MRENCLAVE and the corresponding program, to which the client could query to determine if the enclave program running on the server is legitimate. Therefore, I would like to have a trusted third party check the enclave program, etc. in advance to guarantee its validity, but I do not know how a trusted third party can calculate MRENCLAVE.

 

How can a trusted third party calculate the MRENCALVE corresponding to the enclave program? Or is there another way for the client to verify the legitimacy of the enclave program on the server?

External validation of Enclave application legitimacy.jpg

 

Sincerely,

adukots

1 Solution
Scott_R_Intel
Employee
‎10-18-2022 02:15 PM
966 Views
Solved Jump to solution
In response to adukots

Hi again adukots.

 

Unfortunately, the only way to get the MRENCLAVE of an enclave is to have the actual enclave binary.  BTW, an enclave is simply a specially compiled library (.so in Linux, .dll in Windows) with the SIGSTRUCT added as already mentioned, so no need to reverse engineer anything, I don't think.

 

The way certain use cases (ie. joint muliti-party computation) do similar things (make sure source code compiles to a known MRSIGNER) is to have a reproducible build environment for the enclave.  Then all involved parties could build and verify the MRSIGNER comes from the code they have analyzed.

 

But again, no way to get the MRSIGNER straight from source without building as the build process itself (compile/link options) all come into play to actually create the resulting enclave library/binary.

 

Regards.

 

Scott

View solution in original post

In response to adukots
Copy link

Link Copied

6 Replies
Sahira_Intel
Moderator
‎10-12-2022 11:01 AM
1,109 Views
Solved Jump to solution

Hi,

 

When the enclave code/data pages are placed inside the EPC, the CPU calculates the enclave measurement and stores the 256-bit hash in MRENCLAVE. The contents of the CPU are compared against the enclave measurement in SIGSTRUCT, and the enclave will only be initialized if both match.

I've linked the part of the code here, where the measurement is compared.

 

If you have not already seen this Remote Attestation End-to-End sample, I recommend checking it out: https://www.intel.com/content/www/us/en/developer/articles/code-sample/software-guard-extensions-remote-attestation-end-to-end-example.html

 

Sincerely,

Sahira

 

 

 

0 Kudos
Copy link
adukots
Novice
‎10-14-2022 12:18 AM
1,061 Views
Solved Jump to solution
In response to Sahira_Intel

Hi, Sahira,

 

Thank you for your reply.

 

When the enclave code/data pages are placed inside the EPC, the CPU calculates the enclave measurement and stores the 256-bit hash in MRENCLAVE. The contents of the CPU are compared against the enclave measurement in SIGSTRUCT, and the enclave will only be initialized if both match.

I've linked the part of the code here, where the measurement is compared.

I think your answer is a little off from what I had in mind, so let me restate the question.

The trusted third party has the enclave code and sends it to the server for execution on the server. If the server wants to receive data from the client at this time, the server and client would perform RA to confirm the validity of enclave before sending the data. However, MRENCLAVE obtained by the client at the time of this verification does not know which enclave program it corresponds to. Therefore, I considered it necessary to link MRENCLAVE and the enclave application, so that the client could query the trusted third party using MRENCLAVE and the trusted third party would return the enclave application corresponding to MRENCLAVE.  However, I do not know how to link MRENCLAVE and enclave programs externally.

Is there a better way? Or is there another way to validate the enclave application on the server from the client, such as not using the trusted third party?

 

External validation of Enclave application legitimacy_2.jpg

 

If you have not already seen this Remote Attestation End-to-End sample, I recommend checking it out: https://www.intel.com/content/www/us/en/developer/articles/code-sample/software-guard-extensions-remote-attestation-end-to-end-example.html

Yes, I have seen it. In this example, I think it is necessary for the client to know in advance MRENCLAVE corresponding to the enclave program. However, I don't think this sharing is easy since there is no way to verify if the provided MRENCLAVE is really the enclave program the client expects. Is there a solution to this? My apologies if I am wrong.

 

Best Regards,
adukots

In response to Sahira_Intel
0 Kudos
Copy link
Scott_R_Intel
Employee
‎10-17-2022 03:48 PM
1,015 Views
Solved Jump to solution

Hi adukots.

 

As Sahira mentioned, the MRENCLAVE that is calculated at build time is included in the signature structure (aka SIGSTRUCT) appended to the end of every SGX enclave binary.  So, the trusted third party can read/use that directly, if need be.

 

You can also use the sgx_sign (open sourced) tool to dump the SIGSTRUCT (or build your own tool for the trusted third party) to see all the appended data, including the MRENCLAVE.  This is tool that actually measures and appends the SIGSTRUCT to the enclave at build time.  A sample command line to do this:

sgx_sign dump -dumpfile metadata.txt -cssfile sigstruct.hex -enclave libenclave.signed.so

 

You could even theoretically remove the SIGSTRUCT and measure the enclave at the trusted third server, again, using the open-sourced code contained in the sgx_sign tool.  This exactly mirrors how the CPU would measure the enclave while loading before allowing it to launch.

 

Does this answer your question?  If not, we will unfortunately need to have a bit more information/detail.

 

Regards.

Scott

0 Kudos
Copy link
adukots
Novice
‎10-18-2022 06:57 AM
996 Views
Solved Jump to solution
In response to Scott_R_Intel

Hi Scott,

 

I understood that I can send the SGX enclave binary to the trusted third party, where I can dump the SIGSTRUCT using sgx_sign and link the SGX enclave binary to the MRENCLAVE. However, in this way, the trusted third party cannot know how this binary will behave just by looking at it.


Is there any way to get the MRENCLAVE from uncompiled source code or other sources without building it? Or do I need to reverse engineer this SGX enclave binary and analyze how it works?


Best Regards,
adukots

In response to Scott_R_Intel
0 Kudos
Copy link
Scott_R_Intel
Employee
‎10-18-2022 02:15 PM
967 Views
Solved Jump to solution
In response to adukots

Hi again adukots.

 

Unfortunately, the only way to get the MRENCLAVE of an enclave is to have the actual enclave binary.  BTW, an enclave is simply a specially compiled library (.so in Linux, .dll in Windows) with the SIGSTRUCT added as already mentioned, so no need to reverse engineer anything, I don't think.

 

The way certain use cases (ie. joint muliti-party computation) do similar things (make sure source code compiles to a known MRSIGNER) is to have a reproducible build environment for the enclave.  Then all involved parties could build and verify the MRSIGNER comes from the code they have analyzed.

 

But again, no way to get the MRSIGNER straight from source without building as the build process itself (compile/link options) all come into play to actually create the resulting enclave library/binary.

 

Regards.

 

Scott

In response to adukots
Copy link
adukots
Novice
‎10-18-2022 06:59 PM
932 Views
Solved Jump to solution
In response to Scott_R_Intel

Hello Scott,

 

I was told that to get the MRENCLAVE of the enclave, I need the actual enclave binary, so I am planning to share this binary or prepare a similar environment on the trusted third party side and get the MRENCLAVE there.

 

Thank you very much for your response. It was very helpful.

 

Best regards,
adukots.

In response to Scott_R_Intel
0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.