1

So I've started to read about this technology, and I have a few questions I don't quite understand:

  1. I understand that anyone can create enclaves, and they should be trusted because they are signed by a specific author - but what denies a malicious attacker to just replace the enclave, and re-sign it? Certificates usually work around that because they are signed with a trusted root.
  2. Let's say I want to use an enclave to store an encryption key, what denies a malicious app to just call the enclave and get my key? Because if I use an enclave to perform a trusted area that, let's say, encrypts, someone needs to decrypt it (which will also be the enclave, no?)

Thanks

ArielB

1 Answer

1

> but what denies a malicious attacker to just replace the enclave, and re-sign it?

Attestation does. When you create an enclave, it has no protected data in it. The data should be sent into the enclave after attestation. The trusted party won't give the enclave protected data unless it is attested. It won't be attested if it is signed with a key different from the one the trusted party expects.

> what denies a malicious app to just call the enclave and get my key

If the code in your enclave has an RCE or side-channel (for example, timing) vulnerability, it can be possible to extract protected data from it.

Last but not least, to use enclaves you have to have a contract with Intel. SGX is insecure because Intel has trusted access to every enclave's contents. Yet another backdoor.

KOLANICH
  • Can you explain more about the attestation? An enclave is just a piece of code that performs what I want it to do. So the process is to supply the "secret" data after I seal it? If so, isn't an untrusted domain responsible for doing it? (Which means an attacker can feed it?) About the 2nd question, my main idea is to decrypt information sent from a server to, let's say, a desktop computer. I need to save the decryption key somewhere - so in theory my app will send the encrypted data to the enclave, and it will decrypt it. Why won't an attacker do the same? – ArielB Nov 30 '16 at 11:12
  • What I'm trying to emphasize - will I have to perform all the logic that relates to my encrypted data inside the enclave? Because if I return any decrypted content to the untrusted domain - it's like I haven't done anything. Right? – ArielB Nov 30 '16 at 11:13
  • Here is a nice must-read overview of sgx: https://eprint.iacr.org/2016/086.pdf – KOLANICH Nov 30 '16 at 11:41
  • If you want to use SGX as a DRM you should do everything you can in an enclave. But don't be surprised if no one buys your app. – KOLANICH Nov 30 '16 at 11:43
  • The enclave is designed for you to run sensitive operations in it. It is up to you to decide what operations are sensitive enough to be secured with SGX. It provides a minimum way to communicate outside the enclave, so you have to write an API to do that (or use an existing library). Deciding what the API can do and what information goes over it is not in the scope of the SGX design. – guest Nov 19 '17 at 04:00
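
The provisioning decision described in the answer, as an added example that is not part of the original thread: a simplified Python model of a trusted party that releases a key only after checking an attestation quote. It assumes an HMAC as a stand-in for the platform's quote signature and plain SHA-256 hashes for the MRENCLAVE (code identity) and MRSIGNER (signing-key identity) values; all names and sample values are constructed.

```python
import hashlib, hmac, os

# Constructed stand-in for the hardware attestation key. Real SGX quotes are
# signed by the platform and verified through Intel's attestation services.
PLATFORM_KEY = b"constructed-platform-key"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def quote_mac(q: dict) -> str:
    msg = "|".join((q["mrenclave"], q["mrsigner"], q["nonce"])).encode()
    return hmac.new(PLATFORM_KEY, msg, hashlib.sha256).hexdigest()

def make_quote(enclave_code: bytes, signer_pubkey: bytes, nonce: bytes) -> dict:
    """Simulated hardware: measures whatever was loaded, whoever signed it."""
    q = {"mrenclave": sha256_hex(enclave_code),   # identity of the code
         "mrsigner": sha256_hex(signer_pubkey),   # identity of the signing key
         "nonce": nonce.hex()}
    q["mac"] = quote_mac(q)
    return q

class RelyingParty:
    """Holds the secret and releases it only to the enclave it expects."""
    def __init__(self, mrsigner: str, mrenclave: str, secret: bytes):
        self.mrsigner, self.mrenclave, self.secret = mrsigner, mrenclave, secret
        self.nonce = None

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce

    def provision(self, q: dict):
        nonce, self.nonce = self.nonce, None      # each challenge is single-use
        if nonce is None or q.get("nonce") != nonce.hex():
            return None                           # stale or replayed quote
        if not hmac.compare_digest(q.get("mac", ""), quote_mac(q)):
            return None                           # not produced by the platform
        if q["mrsigner"] != self.mrsigner or q["mrenclave"] != self.mrenclave:
            return None                           # replaced or re-signed enclave
        return self.secret

# Constructed sample identities
AUTHOR_PUB, ATTACKER_PUB = b"author public key", b"attacker public key"
GENUINE, REPLACEMENT = b"genuine enclave code", b"replacement enclave code"
```

A re-signed replacement enclave still loads and still gets a valid quote, but the quote reports the attacker's signer hash, so `provision` returns `None` and the key never reaches it.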