Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

std::stringstream in encalve

shmoo
Novice
353 Views

Why is it not possible to use std::stringstream in an enclave?

0 Kudos
1 Solution
JesusG_Intel
Moderator
326 Views

Hello Shmoo,


The I/O operations defined within <iostream> are not supported due to security reasons. The SGX SDK includes a trusted version of the C++ standard library. Remember, that SGX enclaves must be isolated from the system in order to maintain their security posture. The system is essentially untrusted. I/O operations are too dependent on system resources so a trusted version could not be created. This is why the enclave must go through the untrusted app to do I/O. If the untrusted app gets compromised, the enclave is not affected.


Sincerely,

Jesus G.

Intel Customer Support


View solution in original post

6 Replies
JesusG_Intel
Moderator
344 Views

Hello Shmoo,


Stringstream is part of <iostream> which is not supported by SGX. The SGX Developer Reference Guide states:


"As for the C++ standard library, most functions will work just as its untrusted counterpart, but here is a high level summary of features that are not supported inside the enclave:

1. I/O related functions and classes, like <iostream>;

2. Functions depending on a locale library;

3. Any other functions that require system calls."


The section Unsupported C++ Standard Classes and Functions contains a table, titled "Input/Output Library," in which iostream is listed as not supported.


As a workaround to access iostream functions within an enclave, create an ocall. The SampleEnclave example in the SGX SDK demonstrates how to implement an ocall for using printf within an enclave.


Sincerely,

Jesus G.

Intel Customer Support





shmoo
Novice
334 Views

Hello Jesus!

Thank you for your response! I am aware of that table. But Is there any reason why it is not supported? Are there any technical difficulties regarding the implementation?

Sincerely,
David

JesusG_Intel
Moderator
327 Views

Hello Shmoo,


The I/O operations defined within <iostream> are not supported due to security reasons. The SGX SDK includes a trusted version of the C++ standard library. Remember, that SGX enclaves must be isolated from the system in order to maintain their security posture. The system is essentially untrusted. I/O operations are too dependent on system resources so a trusted version could not be created. This is why the enclave must go through the untrusted app to do I/O. If the untrusted app gets compromised, the enclave is not affected.


Sincerely,

Jesus G.

Intel Customer Support


shmoo
Novice
295 Views

I am aware that the enclave does not allow i/o operations. But the std::stringstream does not include iostream and does make any file i/o operations. 

The reason I am asking this, is because several third party libraries rely on std::stringsteam and because of the missing implementation, it was impossible for us to include these libraries.

JesusG_Intel
Moderator
290 Views

Hello Shmoo,

I do not know the particulars of how the SGX engineers assess a function's security posture. All we know is that they assessed the functions in <iostream> and decided that they could not be ported into a trusted library.

 

Sincerely,
Jesus G.
Intel Customer Support

 

JesusG_Intel
Moderator
271 Views

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.


Reply