Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

Question on possible attacks against SGX

slava
Beginner
‎09-22-2020 07:16 PM
844 Views
Solved Jump to solution

I've exhausted my resources, and have asked about this everywhere and didn't get a satisfatory answer , so I came here, to the source, hopefully I'll be able to understand the following points now.

 

Alright so first of all, I'll briefly describe SGX as I UNDERSTAND IT, so if I got it wrong, please explain.

The basic idea of SGX is to provide a secure way to execute code REMOTLY right? I mean the server contains the RSA private key which is used to decrypt and execute the code sent by the user which encrypted it with the public key.

With that in mind a have the following questions:

 

 

  1. Who generates the key pair, and who is it send to the other party?
  2. The intel manual describes that code running inside an enclave CAN receive a SMI interrupt, so would the SMM code be able to look at the enclave? Even if its encryptped the key is in memory right?Like, it won't encrypt this key without another key. It's only a matter of finding it, am I right?
  3. Where can I find out about the key management that SGX employs? Or rather, how exatcly (if at all) is the key protect during an event like a SMI interrupt
  4. Is there ANY benefit in using SGX locally?
  5. The EPC (Enclave Page Cache) is it literally on the CPU cache or it's on the RAM?
  6. What is the point of keeping a hash of the EPC inside SGX Enclave Control Structure (SECS) if the code can change? Like, suppose a variable increases or whatever, that would change the hash right at run time
0 Kudos
1 Solution
JesusG_Intel
Moderator
‎09-23-2020 10:31 AM
823 Views
Solved Jump to solution

Hello Slava,

 

You ask a lot of good questions. While I can answer some questions in a few short sentences, others will require more reading on your part because the answers are complex. I will provide links to the relevant documents.

 

SGX is not a mechanism to run software remotely. SGX enclaves run locally, and can communicate directly only with an application that runs locally. If an SGX enclave needs to communicate with remote software, the remote software interfaces with the local app, and the local app interfaces with the enclave.

 

There is a way to for SGX to load and run encrypted [at rest] code using the "Intel SGX Protected Code Loader." Please see the section, Enabling Enclave Code Confidentiality , in the Intel SGX Developer Reference Guide for Windows or Linux.

 

SMI interrupts do not allow the SMM code to look inside the enclave. Like any other interrupt, the SMI causes an Asynchronous Enclave Exit (AEX). During an AEX, execution of the enclave stops, the processor state is saved securely in the enclave, the event that causes the AEX is processed normally, then execution returns to the enclave. Please read chapters 38.2.2 and 38.2.3 in the Intel Software Development Manual, Volume 3D.

 

You will find much more information on key management and protections in the paper SGX Explained (I highly recommend reading this paper) and the Intel SGX Developer Guide, chapter Enclave Signature Structure.

 

The EPC is in DRAM, although it is named "Cache."

 

The hash of the enclave in the EPC is a hash of the source code itself. It does not take into account enclave data memory, which changes at runtime. The source code does not change at runtime.


View solution in original post

0 Kudos
Copy link

Link Copied

3 Replies
JesusG_Intel
Moderator
‎09-23-2020 10:31 AM
824 Views
Solved Jump to solution

Hello Slava,

 

You ask a lot of good questions. While I can answer some questions in a few short sentences, others will require more reading on your part because the answers are complex. I will provide links to the relevant documents.

 

SGX is not a mechanism to run software remotely. SGX enclaves run locally, and can communicate directly only with an application that runs locally. If an SGX enclave needs to communicate with remote software, the remote software interfaces with the local app, and the local app interfaces with the enclave.

 

There is a way to for SGX to load and run encrypted [at rest] code using the "Intel SGX Protected Code Loader." Please see the section, Enabling Enclave Code Confidentiality , in the Intel SGX Developer Reference Guide for Windows or Linux.

 

SMI interrupts do not allow the SMM code to look inside the enclave. Like any other interrupt, the SMI causes an Asynchronous Enclave Exit (AEX). During an AEX, execution of the enclave stops, the processor state is saved securely in the enclave, the event that causes the AEX is processed normally, then execution returns to the enclave. Please read chapters 38.2.2 and 38.2.3 in the Intel Software Development Manual, Volume 3D.

 

You will find much more information on key management and protections in the paper SGX Explained (I highly recommend reading this paper) and the Intel SGX Developer Guide, chapter Enclave Signature Structure.

 

The EPC is in DRAM, although it is named "Cache."

 

The hash of the enclave in the EPC is a hash of the source code itself. It does not take into account enclave data memory, which changes at runtime. The source code does not change at runtime.


0 Kudos
Copy link
JesusG_Intel
Moderator
‎09-28-2020 11:30 AM
801 Views
Solved Jump to solution

Hello Slava,


Have all your questions been answered satisfactorily?


0 Kudos
Copy link
JesusG_Intel
Moderator
‎09-30-2020 08:52 AM
794 Views
Solved Jump to solution

Intel is no longer monitoring this thread. If you want a response from Intel in a follow-up question, please open a new thread.


0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.