Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Ray1
Beginner
152 Views

SGX cannot protect memory in Enclave from being accessed

Jump to solution

Hi,

As I know,the core technology of SGX is to protect a memory area from being accessed by external environment, but I test that when I apply for a memory in Enclave,whatever in Real hardware mode or simulator mode, I can still access the memory in Enclave by calling OCALL outgoing address and using memory tools (such as Cheat Engine). And When I destroy the Encalve,the memory pointed by the address is also free.

I used the code sample in this tutorial as a test program : https://software.intel.com/en-us/node/701612

In this tutorial,He explained that the ECALL parameter passing without the user_check flag, the parameter address in non-secure area and the safe area will be different. But these two pointers can be accessed externally (For example, using Cheat Engine), then it's meaningless even if the two addresses are different.

Are there any mistakes in my steps?

Thank you.

0 Kudos
1 Solution
152 Views

In order to prevent an enclave from being debugged, in the application, the enclave must be loaded in the non-debug mode.

To load an enclave in debug mode, the debugger flag (the second parameter of sgx_create_enclave) must be TRUE.

To load it in non-debug mode, you need to pass in FALSE.

See https://software.intel.com/en-us/blogs/2016/01/07/intel-sgx-debug-production-prelease-whats-the-diff... , https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/681473 , https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/737509 for more information.

 

Thanks,

Francisco

View solution in original post

3 Replies
Ray1
Beginner
152 Views

.

153 Views

In order to prevent an enclave from being debugged, in the application, the enclave must be loaded in the non-debug mode.

To load an enclave in debug mode, the debugger flag (the second parameter of sgx_create_enclave) must be TRUE.

To load it in non-debug mode, you need to pass in FALSE.

See https://software.intel.com/en-us/blogs/2016/01/07/intel-sgx-debug-production-prelease-whats-the-diff... , https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/681473 , https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/737509 for more information.

 

Thanks,

Francisco

View solution in original post

Ray1
Beginner
152 Views

Francisco C. (Intel) wrote:

In order to prevent an enclave from being debugged, in the application, the enclave must be loaded in the non-debug mode.

To load an enclave in debug mode, the debugger flag (the second parameter of sgx_create_enclave) must be TRUE.

To load it in non-debug mode, you need to pass in FALSE.

See https://software.intel.com/en-us/blogs/2016/01/07/intel-sgx-debug-production-prelease-whats-the-diff... , https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/681473 , https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/737509 for more information.

 

Thanks,

Francisco

Thank you so much!

Ray

Reply