Hi,
If a malware application uses SGX, how can a malware analyst inspect the application?
The instruction set allows for encryption not only of data but of code as well. This would effectively defeat any attempts at reverse engineering a program. Think of the implications of this. Malware detection techniques will no longer work. People who want to reverse engineer code for research or cross-compatibility purposes will no longer be able to. The crackers and the people who want to stifle the free flow of information will have won. Is this really the future we have to look forward to?
-Thanks
Hi Sam,
It is very unlikely that malware authors will be able to use SGX. In fact, it is very unlikely that most people will be able to use SGX. This is because Intel has implemented strong cryptographic DRM on SGX. In order to be able to launch an SGX program, it either needs to be signed directly by Intel, or by another local SGX program that is signed by Intel.
SGX programs are not encrypted before launch, so it is possible to analyze the code as you would any other binary.
Also note that since SGX programs can't make syscalls, for malware to do anything to your system there needs to be an insecure wrapper program to actually talk to the system.
Thanks and Regards,
Surenthar Selvaraj
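The point in the reply above that an enclave image is not encrypted on disk can be checked directly, because the file is an ordinary ELF shared object (SGX's memory encryption applies to enclave pages at runtime, not to the file). The following is an added example, not code from this thread or from Intel: it builds a small constructed ELF64 file with one plaintext code section and one high-entropy section, then parses the section header table and reports per-section Shannon entropy, the first pass an analyst would run on any binary to see whether its code is packed or encrypted. It assumes a little-endian ELF64 with a section header table; the section names, the sample bytes and the 7.5 bits/byte threshold are constructed for the demonstration.

```python
"""List the sections of an ELF64 file and measure per-section entropy.
Plaintext machine code usually sits well below 7 bits/byte; encrypted or
packed content approaches 8. The sample ELF built below is constructed
for this demo and is not an SGX enclave image."""
import hashlib
import math
import struct

ELF_HEADER_FMT = "<16sHHIQQQIHHHHHH"   # 64-byte ELF64 header, little-endian
SECTION_HEADER_FMT = "<IIQQQQIIQQ"     # 64-byte ELF64 section header
SHT_NULL, SHT_PROGBITS, SHT_STRTAB = 0, 1, 3
ENTROPY_THRESHOLD = 7.5                # bits/byte; above this looks encrypted/packed (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_elf() -> bytes:
    """Build a minimal ELF64 with a plaintext .text and a high-entropy .packed section.
    All bytes are constructed sample data, not taken from any real binary."""
    # Repeated x86-64 prologue/epilogue bytes stand in for ordinary unencrypted code.
    text = b"\x55\x48\x89\xe5\x48\x83\xec\x10\x48\x89\x7d\xf8\xc9\xc3" * 40
    # A deterministic SHA-256 chain stands in for encrypted or packed content.
    blob, h = b"", b"constructed-seed"
    while len(blob) < 4096:
        h = hashlib.sha256(h).digest()
        blob += h
    names = b"\0.text\0.packed\0.shstrtab\0"   # section name string table

    ehsize = struct.calcsize(ELF_HEADER_FMT)
    shentsize = struct.calcsize(SECTION_HEADER_FMT)
    # Section contents follow the header; the section header table is 8-byte aligned after them.
    off_names = ehsize
    off_text = off_names + len(names)
    off_blob = off_text + len(text)
    shoff = (off_blob + len(blob) + 7) & ~7
    body = names + text + blob
    body += b"\0" * (shoff - ehsize - len(body))

    def shdr(name_off, sh_type, offset, size):
        return struct.pack(SECTION_HEADER_FMT, name_off, sh_type, 0, 0, offset, size, 0, 0, 1, 0)

    table = (
        shdr(0, SHT_NULL, 0, 0)
        + shdr(names.index(b".text"), SHT_PROGBITS, off_text, len(text))
        + shdr(names.index(b".packed"), SHT_PROGBITS, off_blob, len(blob))
        + shdr(names.index(b".shstrtab"), SHT_STRTAB, off_names, len(names))
    )
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, version 1
    header = struct.pack(ELF_HEADER_FMT, ident, 1, 62, 1, 0, 0, shoff, 0,
                         ehsize, 0, 0, shentsize, 4, 3)  # ET_REL, EM_X86_64, 4 sections, shstrtab=3
    return header + body + table


def parse_sections(elf: bytes) -> list:
    """Return [{name, type, offset, size, entropy}] for every section header in the file."""
    fields = struct.unpack_from(ELF_HEADER_FMT, elf, 0)
    ident = fields[0]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    shoff, shentsize, shnum, shstrndx = fields[6], fields[11], fields[12], fields[13]
    headers = [struct.unpack_from(SECTION_HEADER_FMT, elf, shoff + i * shentsize)
               for i in range(shnum)]
    str_off, str_size = headers[shstrndx][4], headers[shstrndx][5]
    strtab = elf[str_off:str_off + str_size]
    sections = []
    for sh_name, sh_type, _flags, _addr, sh_off, sh_size, *_ in headers:
        name = strtab[sh_name:strtab.index(b"\0", sh_name)].decode()
        data = elf[sh_off:sh_off + sh_size] if sh_type != SHT_NULL else b""
        sections.append({"name": name, "type": sh_type, "offset": sh_off,
                         "size": sh_size, "entropy": shannon_entropy(data)})
    return sections


def high_entropy_sections(elf: bytes, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Names of PROGBITS sections whose bytes look encrypted or packed."""
    return [s["name"] for s in parse_sections(elf)
            if s["type"] == SHT_PROGBITS and s["entropy"] > threshold]


if __name__ == "__main__":
    sample = build_sample_elf()
    for s in parse_sections(sample):
        print(f"{s['name']:<12} size={s['size']:>5} entropy={s['entropy']:.2f}")
    print("high-entropy sections:", high_entropy_sections(sample))
```

To apply it to a real file, pass `open(path, "rb").read()` to `parse_sections`; an unencrypted enclave image shows code sections with ordinary entropy, which is what lets the usual disassembly and static-analysis tooling work on it.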
Thanks for your information