Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1403 Discussions

Implications of Intel's SGX extension for malware detection and reverse engineering

Sam5
New Contributor I
‎07-19-2016 09:36 PM
348 Views
Solved Jump to solution

Hi,

If a malware application uses SGX, how can a malware analyst inspect the application?

The instruction set allows for encryption not only of data but of code as well. This would effectively defeat any attempts at reverse engineering a program. Think of the implications of this. Malware detection techniques will no longer work. People who want to reverse engineer code for research or cross-compatibility purposes will no longer be able to. The crackers and the people who want to stifle the free flow of information will have won. Is this really the future we have to look forward to?

-Thanks

0 Kudos
1 Solution
Surenthar_S_Intel
Employee
‎07-19-2016 09:44 PM
348 Views
Solved Jump to solution

Hi Sam,

It is very unlikely that malware authors will be able to SGX. In fact it is very unlikely that most people will be able to use SGX. This is because Intel has implemented strong cryptographic DRM on SGX. In order to be able to launch an SGX program, it either needs to be signed directly by Intel, or by another local SGX program that is signed by Intel. 
SGX programs are not encrypted before launch, so it is possible to analyze the code as you would any other binary.
Also note that since SGX programs can't make syscalls in order for Malware to do anything to your system, there needs to be a insecure wrapper program to actually talk to the system. 

Thanks and Regards,
Surenthar Selvaraj

View solution in original post

0 Kudos
Copy link

Link Copied

2 Replies
Surenthar_S_Intel
Employee
‎07-19-2016 09:44 PM
349 Views
Solved Jump to solution

Hi Sam,

It is very unlikely that malware authors will be able to SGX. In fact it is very unlikely that most people will be able to use SGX. This is because Intel has implemented strong cryptographic DRM on SGX. In order to be able to launch an SGX program, it either needs to be signed directly by Intel, or by another local SGX program that is signed by Intel. 
SGX programs are not encrypted before launch, so it is possible to analyze the code as you would any other binary.
Also note that since SGX programs can't make syscalls in order for Malware to do anything to your system, there needs to be a insecure wrapper program to actually talk to the system. 

Thanks and Regards,
Surenthar Selvaraj

0 Kudos
Copy link
Sam5
New Contributor I
‎07-19-2016 09:49 PM
348 Views
Solved Jump to solution

Thanks for your information

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.