Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

system("Command") inside the enclave

SAM_R_2
Beginner
359 Views

Hi,

We should not use system("Command") inside the enclave.

Can we use wget,CuraEngine or " powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://myUrl', 'C:\path\to\test.json')}" " like commands directly inside the enclave.

Usually we keep eclaveWrapper  files in enclave_definition folder. Can we run the above commands in eclaveWrapper files which is different than the enclave_application folder. if we follow this process can we make sure about the safety of the files.

Thanks & Regards,

0 Kudos
1 Solution
Francisco_C_Intel
359 Views

As a general statement, IO is not supported inside an enclave - you have to make OCALLs.

If your enclave makes an OCALL to the untrusted part of your application, and in the untrusted part of your application you decide to make any of the IO calls you mentioned, then this "will work" from a "is this possible" perspective.

As you mentioned, it would be up to you to verify that whatever data you obtained (via wget, powershell, etc) is data that you trust and want to pass back to the enclave. Furthermore, an attacker may view or modify the data sometime between the time you received it and the time you sent it to the enclave. You would have to protect against that as well.

View solution in original post

0 Kudos
1 Reply
Francisco_C_Intel
360 Views

As a general statement, IO is not supported inside an enclave - you have to make OCALLs.

If your enclave makes an OCALL to the untrusted part of your application, and in the untrusted part of your application you decide to make any of the IO calls you mentioned, then this "will work" from a "is this possible" perspective.

As you mentioned, it would be up to you to verify that whatever data you obtained (via wget, powershell, etc) is data that you trust and want to pass back to the enclave. Furthermore, an attacker may view or modify the data sometime between the time you received it and the time you sent it to the enclave. You would have to protect against that as well.

0 Kudos
Reply