Intel® Software Guard Extensions (Intel® SGX)

SGX cannot protect memory in Enclave from being accessed

Ray1
Beginner

Hi,

As I know, the core technology of SGX is to protect a memory area from being accessed by the external environment, but in my tests, when I allocate memory in the Enclave, whether in real hardware mode or simulator mode, I can still access the memory in the Enclave by taking the address passed out through an OCALL and using memory tools (such as Cheat Engine). And when I destroy the Enclave, the memory pointed to by the address is also freed.

I used the code sample in this tutorial as a test program: https://software.intel.com/en-us/node/701612

In this tutorial, he explained that when ECALL parameters are passed without the user_check flag, the parameter address in the non-secure area and the address in the secure area will be different. But both of these pointers can be accessed externally (for example, using Cheat Engine), so it is meaningless even if the two addresses are different.

Are there any mistakes in my steps?

Thank you.

1 Solution
Francisco_C_Intel

In order to prevent an enclave from being debugged, in the application, the enclave must be loaded in the non-debug mode.

To load an enclave in debug mode, the debugger flag (the second parameter of sgx_create_enclave) must be TRUE.

To load it in non-debug mode, you need to pass in FALSE.

See https://software.intel.com/en-us/blogs/2016/01/07/intel-sgx-debug-production-prelease-whats-the-diff... , https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/681473 , https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/737509 for more information.

Thanks,

Francisco


3 Replies
Ray1
Beginner

Francisco C. (Intel) wrote:

In order to prevent an enclave from being debugged, in the application, the enclave must be loaded in the non-debug mode.

To load an enclave in debug mode, the debugger flag (the second parameter of sgx_create_enclave) must be TRUE.

To load it in non-debug mode, you need to pass in FALSE.

See https://software.intel.com/en-us/blogs/2016/01/07/intel-sgx-debug-production-prelease-whats-the-diff... , https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/681473 , https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/737509 for more information.

Thanks,

Francisco

Thank you so much!

Ray
