Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

SGX enclaves

Sam5
New Contributor I
‎07-21-2016 08:21 PM
1,103 Views
Solved Jump to solution

Hi,

Are there any guarantees for freshness of sealed data? In other words, rollback attack, where a malicious OS tries to roll the state of the enclave back to some earlier point in time: e.g., checkpoint the saved state, run the enclave for a while, then possibly restore back to the checkpoint. Can SGX code defend against such rollback attacks? If so, how?

-Thanks

0 Kudos
1 Solution
Surenthar_S_Intel
Employee
‎07-24-2016 08:55 PM
1,103 Views
Solved Jump to solution

Hi Sam,

The CPU does not directly provide such protection, but you can rely on the monotonic counter and the trusted time features of the ME to achieve it. They can be used to limit the duration for which a secret is valid (trusted time) and prevent replay attacks (monotonic counter). I would point them at the developer reference:

https://software.intel.com/sites/default/files/managed/b4/cf/Intel-SGX-SDK-Developer-Reference-for-Windows-OS.pdf

The section on Sealed Data talks about setting replay and time-based policies, and which functions in the SDK are there to assist.

Thanks and Reagrds,
Surenthar Selvaraj

View solution in original post

0 Kudos
Copy link

Link Copied

2 Replies
Surenthar_S_Intel
Employee
‎07-24-2016 08:55 PM
1,104 Views
Solved Jump to solution

Hi Sam,

The CPU does not directly provide such protection, but you can rely on the monotonic counter and the trusted time features of the ME to achieve it. They can be used to limit the duration for which a secret is valid (trusted time) and prevent replay attacks (monotonic counter). I would point them at the developer reference:

https://software.intel.com/sites/default/files/managed/b4/cf/Intel-SGX-SDK-Developer-Reference-for-Windows-OS.pdf

The section on Sealed Data talks about setting replay and time-based policies, and which functions in the SDK are there to assist.

Thanks and Reagrds,
Surenthar Selvaraj

0 Kudos
Copy link
Sam5
New Contributor I
‎07-24-2016 09:37 PM
1,103 Views
Solved Jump to solution

Thanks Surenthar

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.