Is it possible to directly convert an existing DLL into an enclave? What steps should we take?
Normal DLL files provide a DllMain(...) function as the entry and export table, but I can't find any export function table in enclave DLL files using Dependency Walker, except enclave_entry and g_peak_heap_used, even though I've defined interfaces in the EDL file.
Assuming all the instructions of an existing DLL project are supported by enclaves, can we just add an EDL file to define the export function inside it?
We cannot convert an existing DLL into an SGX enclave. An SGX DLL needs to be built on top of the SGX SDK.
Can we just define the DllMain() function in the EDL file and change the included header files to the standard trusted C library offered by the SDK?
For a dllmain() function like below:
BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
We can define the interface in the EDL file as:
enclave { trusted { public BOOL DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved) }; };
Can the untrusted process load the DLL via LoadLibrary so as to automatically execute the code in DllMain()? Or do we still need to create an enclave first so as to call the DllMain() function in it?
>Can the untrusted process load the dll via LoadLibrary...
sgx_create_enclave has more input and output params when compared to LoadLibrary(Ex). There is more 'stuff' that happens and so you cannot load an enclave DLL using LoadLibrary(Ex). It may work (I am not sure, haven't tried it), but if it does you would have a 'normal' DLL, not an enclave.
Hi Surenthar,
We are able to run our first "hello world" program using SGX.
Can we demonstrate to ensure how our trusted piece of code is getting protected?
Is there any way to display that the memory area is protected by the SGX Enclave?
Thanks & Regards,
Debakanta
Hi Surenthar,
Can we use SGX in Linux OS as well?
If so, then please let us know the compatible OS and other supporting software.
Thanks & Regards,
Debakanta
Hi Debakanta,
Yes, we can use SGX in Linux OS as well.
Required Hardware: 6th Generation Core™ processor (or later) based platform with SGX Enabled BIOS support
Supported OS: Ubuntu* Desktop-14.04-LTS 64-bit version
Supported Languages: C and C++
The Intel(R) SGX SDK for Linux* OS Open Source project is now live and can be found here: https://01.org/intel-software-guard-extensions/
The code is hosted here: https://github.com/01org/linux-sgx and https://github.com/01org/linux-sgx-driver
- Surenthar Selvaraj
Debakanta S. wrote:
> Hi Surenthar,
> We are able to run our first "hello world" program using SGX.
> Can we demonstrate to ensure how our trusted piece of code is getting protected?
> Is there any way to display that the memory area is protected by the SGX Enclave?
> Thanks & Regards,
> Debakanta
When running with SGX, all of the enclave code is paged into a region of memory not visible to the OS. This is the EPC memory allocation reserved in the BIOS. Generate a complete memory dump of the system with the enclave loaded. Provision a well-known string in there at run time and then try to find it in the memory dump.
-Surenthar
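
The check described in the reply above can be scripted. The following is an added example, not part of the original thread or of the SGX SDK: a small C scanner that streams a memory dump and counts occurrences of the marker string. The function names and the 1 MiB read size are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count occurrences of marker[0..mlen) in buf[0..len). */
static long count_in_buf(const uint8_t *buf, size_t len,
                         const uint8_t *marker, size_t mlen)
{
    long hits = 0;
    for (size_t i = 0; mlen > 0 && i + mlen <= len; i++)
        if (memcmp(buf + i, marker, mlen) == 0)
            hits++;
    return hits;
}

/* Stream the dump in reads of `chunk` bytes. The last mlen-1 bytes of each
 * pass are carried over to the next one, so a marker that straddles a read
 * boundary is still found and none is counted twice.
 * Returns the number of hits, or -1 on I/O or allocation failure. */
long scan_dump(const char *path, const char *marker, size_t chunk)
{
    size_t mlen = strlen(marker), keep = 0, n;
    long hits = 0;
    if (mlen == 0 || chunk == 0) return -1;
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    uint8_t *buf = malloc(chunk + mlen - 1);
    if (!buf) { fclose(f); return -1; }
    while ((n = fread(buf + keep, 1, chunk, f)) > 0) {
        size_t have = keep + n;
        hits += count_in_buf(buf, have, (const uint8_t *)marker, mlen);
        keep = have < mlen - 1 ? have : mlen - 1;
        memmove(buf, buf + have - keep, keep);
    }
    if (ferror(f)) hits = -1;
    free(buf);
    fclose(f);
    return hits;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s <dump> <marker>\n", argv[0]); return 2; }
    long hits = scan_dump(argv[1], argv[2], 1 << 20);
    printf("%ld occurrence(s) of marker\n", hits);
    return hits == 0 ? 0 : 1;
}
```

A count of zero is the expected result when the marker only ever existed inside the enclave; any hit means a copy of the string also exists in memory outside the EPC.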
Hi Surenthar,
We want to protect some image file using SGX.
Tried following FILE pointer and fstream but all seems to be failing.
stdio.h needs to be customized it seems.
Is it possible to use file descriptor for any kind of file operation and carrying the files from one system to another via SGX?
We need to carry some 3D files from one security system to 3D printer and we want to protect from intruders.
Please let me know your suggestion.
Thanks & Regards,
Debakanta
I can only provide you some pointers...
For file I/O operations, you need to define file I/O APIs as OCALLs in the EDL file and include additional declarations in a header file, which can be included in the EDL file.
If you are planning to carry files from one machine to another, you cannot use the sealing API that SGX provides. Instead, enclaves running on both machines need to agree on a shared key or have a key provisioned by a 3rd party.
Hi,
Is it possible to transfer files to an oCall function and call an oCall function in an eCall function?
All I need to do is to pull a file from web service to an oCall function and call the oCall function inside the eCall function.
Please let me know your suggestion and opinion.
Thanks & Regards,
Debakanta
Hi Debakanta,
By definition, an OCALL is made from within an ECALL.
You enter the enclave with an ECALL. Once in the enclave, if you need to do something like I/O, you then use an OCALL to temporarily exit the enclave to call a function in untrusted space. When that function returns, you are back in the enclave.
A function that you run via an OCALL can even make another ECALL to enter the enclave at a different function (though in the EDL file, you can limit which ECALLs you are allowed to make from within the context of an OCALL).
-Surenthar
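
The pattern from the replies above (file I/O exposed as an OCALL, called from inside an ECALL) is sketched below as an added example that is not from the thread or the SGX SDK. `ocall_read_chunk`, `ecall_load_file` and the EDL declaration in the comment are hypothetical names; the trusted side is written as plain C so that it compiles without the SDK, whereas in a real enclave the call goes through the edger8r-generated proxy.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Untrusted side: body of a hypothetical OCALL, declared in the EDL as
 *   int ocall_read_chunk([in, string] const char *path, uint64_t offset,
 *                        [out, size=cap] uint8_t *buf, size_t cap,
 *                        [out] size_t *got);
 * It runs outside the enclave, so ordinary file I/O is available. */
int ocall_read_chunk(const char *path, uint64_t offset,
                     uint8_t *buf, size_t cap, size_t *got)
{
    *got = 0;
    if (offset > (uint64_t)LONG_MAX) return -1;
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    int rc = fseek(f, (long)offset, SEEK_SET) ? -1 : 0;
    if (rc == 0) {
        *got = fread(buf, 1, cap, f);
        if (ferror(f)) rc = -1;
    }
    fclose(f);
    return rc;
}

/* Trusted side (ECALL body, assumed name): pull the file into an
 * enclave-owned buffer chunk by chunk. The length reported by the OCALL is
 * untrusted input, so it is checked before any copy. Returns bytes loaded,
 * or -1 on I/O error, an implausible length, or a file larger than dst_cap. */
long ecall_load_file(const char *path, uint8_t *dst, size_t dst_cap)
{
    uint8_t chunk[4096];
    size_t total = 0, got = 0;
    for (;;) {
        if (ocall_read_chunk(path, total, chunk, sizeof chunk, &got) != 0)
            return -1;
        if (got > sizeof chunk || got > dst_cap - total)
            return -1;
        if (got == 0)
            return (long)total;
        memcpy(dst + total, chunk, got);
        total += got;
    }
}
```

The bytes loaded this way are still whatever the untrusted side chose to return; the length checks only keep the copy inside the enclave buffer.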
Hi,
Can we call Web Services from SGX?
What could be the process to do it?
Thanks & Regards,
Debakanta
Hi Debakanta,
Implementing the whole web services infrastructure inside an enclave environment can be done but is not recommended due to the large memory footprint. Developers should only be implementing the code and data that need to be kept confidential inside the enclave. For example, if you look at the remote attestation sample provided in the IDZ portal, the client application implements the REST SDK in the untrusted part of the application and the payload to be communicated is generated inside the enclave.
-Surenthar
Hi,
We should not use system("Command") inside the enclave.
Can we use wget, CuraEngine or " powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://myUrl', 'C:\path\to\test.json')}" " like commands directly inside the enclave?
Usually we keep eclaveWrapper files in the enclave_definition folder. Can we run the above commands in eclaveWrapper files, which is different from the enclave_application folder? If we follow this process, can we be sure about the safety of the files?
Thanks & Regards,
Debakanta
Hi,
As a general statement, IO is not supported inside an enclave - you have to make OCALLs.
If your enclave makes an OCALL to the untrusted part of your application, and in the untrusted part of your application you decide to make any of the IO calls you mentioned, then this "will work" from a "is this possible" perspective.
As you mentioned, it would be up to you to verify that whatever data you obtained (via wget, powershell, etc) is data that you trust and want to pass back to the enclave. Furthermore, an attacker may view or modify the data sometime between the time you received it and the time you sent it to the enclave. You would have to protect against that as well.
-Surenthar