Sam5
New Contributor I

Implications of Intel's SGX extension for malware detection and reverse engineering

Hi,

If a malware application uses SGX, how can a malware analyst inspect the application?

The instruction set allows for encryption not only of data but of code as well. This would effectively defeat any attempts at reverse engineering a program. Think of the implications of this. Malware detection techniques will no longer work. People who want to reverse engineer code for research or cross-compatibility purposes will no longer be able to. The crackers and the people who want to stifle the free flow of information will have won. Is this really the future we have to look forward to?

-Thanks

1 Solution

Hi Sam,

It is very unlikely that malware authors will be able to use SGX. In fact it is very unlikely that most people will be able to use SGX. This is because Intel has implemented strong cryptographic DRM on SGX. In order to be able to launch an SGX program, it either needs to be signed directly by Intel, or by another local SGX program that is signed by Intel.
SGX programs are not encrypted before launch, so it is possible to analyze the code as you would any other binary.
Also note that since SGX programs can't make syscalls, in order for malware to do anything to your system there needs to be an insecure wrapper program to actually talk to the system.

Thanks and Regards,
Surenthar Selvaraj

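The second point in the answer above (the enclave image is plaintext on disk, so its signing metadata can be read like any other binary) is the one an analyst acts on first. Every SGX enclave carries a 1808-byte SIGSTRUCT whose layout Intel's SDM documents: the signer's RSA-3072 modulus (its SHA-256 is MRSIGNER, the identity launch policy is keyed on), the VENDOR field (the SDM lists 0x8086 for Intel-signed enclaves and 0 for everyone else), the MRENCLAVE measurement the signer committed to, product ID and SVN, the DEBUG attribute bit, and the Q1/Q2 helper quotients that must satisfy Q1 = floor(SIG^2 / M) and Q2 = floor((SIG^3 - Q1*SIG*M) / M). The script below is an added example and is not code from the thread or from Intel: it locates a SIGSTRUCT by its fixed header constants inside an arbitrary blob, decodes those fields, and recomputes Q1/Q2 to flag a signature that has been tampered with. The sample "enclave file" is constructed inline from random bytes and a random, non-RSA "signature", so it runs offline without SGX hardware; the function names are my own.

```python
import hashlib
import random
import struct

# Layout constants from the SIGSTRUCT table in the Intel SDM (byte offsets).
SIGSTRUCT_SIZE = 1808
HEADER = bytes.fromhex("06000000E10000000000010000000000")   # fixed value at offset 0
HEADER2 = bytes.fromhex("01010000600000006000000001000000")  # fixed value at offset 24
ATTR_DEBUG = 1 << 1  # ATTRIBUTES.DEBUG flag bit


def find_sigstructs(blob):
    """Return the offset of every SIGSTRUCT (both header constants present) in a byte blob."""
    offsets = []
    pos = blob.find(HEADER)
    while pos != -1:
        if blob[pos + 24:pos + 40] == HEADER2 and pos + SIGSTRUCT_SIZE <= len(blob):
            offsets.append(pos)
        pos = blob.find(HEADER, pos + 1)
    return offsets


def parse_sigstruct(buf):
    """Decode the analyst-relevant fields of one 1808-byte SIGSTRUCT."""
    if len(buf) != SIGSTRUCT_SIZE or buf[0:16] != HEADER or buf[24:40] != HEADER2:
        raise ValueError("not a SIGSTRUCT")
    vendor, date = struct.unpack_from("<II", buf, 16)      # DATE is yyyymmdd in hex digits
    modulus_le = bytes(buf[128:512])                       # RSA-3072 modulus, little-endian
    exponent = struct.unpack_from("<I", buf, 512)[0]
    signature = int.from_bytes(buf[516:900], "little")
    attr_flags, attr_xfrm = struct.unpack_from("<QQ", buf, 928)
    enclavehash = bytes(buf[960:992]).hex()                # MRENCLAVE the signer committed to
    isvprodid, isvsvn = struct.unpack_from("<HH", buf, 1024)
    q1 = int.from_bytes(buf[1040:1424], "little")
    q2 = int.from_bytes(buf[1424:1808], "little")
    modulus = int.from_bytes(modulus_le, "little")
    # Q1/Q2 are helper quotients the CPU checks against SIGNATURE and MODULUS; recompute them.
    q1_expected = (signature * signature) // modulus
    q2_expected = (signature ** 3 - q1_expected * signature * modulus) // modulus
    return {
        "vendor": vendor,
        "date": f"{date:08x}",
        "mrsigner": hashlib.sha256(modulus_le).hexdigest(),  # SHA-256 of the modulus as stored
        "exponent": exponent,
        "debug": bool(attr_flags & ATTR_DEBUG),
        "xfrm": attr_xfrm,
        "mrenclave": enclavehash,
        "isvprodid": isvprodid,
        "isvsvn": isvsvn,
        "q1q2_consistent": q1 == q1_expected and q2 == q2_expected,
    }


def build_sample_sigstruct(seed=1):
    """Constructed SIGSTRUCT: modulus and signature are random numbers, not a real RSA key pair."""
    rng = random.Random(seed)
    modulus = rng.getrandbits(3072) | (1 << 3071) | 1   # 3072-bit odd number
    signature = rng.getrandbits(3071)                    # strictly below the modulus
    q1 = (signature * signature) // modulus
    q2 = (signature ** 3 - q1 * signature * modulus) // modulus
    buf = bytearray(SIGSTRUCT_SIZE)
    buf[0:16] = HEADER
    buf[16:24] = struct.pack("<II", 0, 0x20160101)       # VENDOR 0 (non-Intel), DATE 2016-01-01
    buf[24:40] = HEADER2
    buf[128:512] = modulus.to_bytes(384, "little")
    buf[512:516] = struct.pack("<I", 3)                  # EXPONENT is always 3
    buf[516:900] = signature.to_bytes(384, "little")
    buf[928:944] = struct.pack("<QQ", 0x04, 0x03)        # ATTRIBUTES: MODE64BIT, XFRM x87|SSE
    buf[960:992] = hashlib.sha256(b"constructed enclave measurement").digest()
    buf[1024:1028] = struct.pack("<HH", 0x1234, 1)       # ISVPRODID, ISVSVN
    buf[1040:1424] = q1.to_bytes(384, "little")
    buf[1424:1808] = q2.to_bytes(384, "little")
    return bytes(buf)


def build_sample_binary():
    """Constructed 'enclave file': random padding with one SIGSTRUCT embedded at offset 4096."""
    rng = random.Random(7)
    padding = bytes(rng.getrandbits(8) for _ in range(4096))
    return padding + build_sample_sigstruct() + padding


if __name__ == "__main__":
    blob = build_sample_binary()
    for off in find_sigstructs(blob):
        info = parse_sigstruct(blob[off:off + SIGSTRUCT_SIZE])
        print(f"SIGSTRUCT at 0x{off:x}:")
        for key, value in info.items():
            print(f"  {key:16} {value}")
```

In practice you would run `find_sigstructs` over the enclave shared object extracted from the untrusted host process; MRSIGNER tells you which signing key (Intel's or an ISV's) the launch policy must have accepted, MRENCLAVE gives you a stable identity for the code you are about to disassemble, and a failed Q1/Q2 check or a non-3 exponent means the metadata has been edited after signing.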

2 Replies

Sam5
New Contributor I

Thanks for your information
