3

I'm trying to understand how secure Intel SGX actually is.

According to Intel:

Note that developers cannot rely on a measurement supplied by system software; as noted earlier, software can always be virtualized or otherwise spoofed by suitably privileged rogue software. This implies that hardware must be responsible for supplying this measurement – the same hardware that establishes the trusted environment, loads/initializes the trusted application, and (ultimately) performs computations on the sensitive data.

However, what is stopping rogue software from virtualizing the Intel SGX extension itself, so that the enclaves and basically the whole thing becomes fake? One might claim that the hardware uses a built-in secret key for signing, but if rogue software sits in between the hardware and the software, it can wrap SGX completely and have it "measure" the right code to produce the desired signatures, to then get the trusted party to send protected data, to then execute it as if it is running in an enclave. What am I missing?

rustyx
  • 751
  • 6
  • 10
  • SGX attempts to do the opposite. An SGX enclave can prove for sure that the code it is running is correct, but code cannot prove that it is running in a real SGX enclave. There are multiple SGX emulators out there, each of which can simply toggle whatever "is_running_in_sgx" variable the target program has at will. – guest Nov 19 '17 at 01:59

1 Answer

2

The SGX enclave uses a built-in secret key for transmission of information to and from the enclave. Even if you wrap SGX in rogue software, you still cannot decrypt information sent to it. The best you can do with rogue software is trick a client into sending you encrypted data.

The vulnerability lies with a rogue SGX manufacturer who could save the built-in secret key when the SGX hardware is produced.

LTPCGO
  • 965
  • 1
  • 5
  • 22
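The following is an added toy model of the point made in the answer and in the comment above; it is not code from the question, the answer, or Intel. It uses a stand-in "fuse key" for the per-CPU root secret, an HMAC in place of SGX's asymmetric attestation key (the relying party is assumed to verify through a service that holds the hardware key, as with Intel's attestation service), and a small encrypt-then-MAC construction in place of the real sealing primitives. `SgxHardware`, `measure`, `verify_quote`, `seal`, `unseal` and `ENCLAVE_CODE` are all names invented for this illustration. An emulator can compute the right measurement and report `is_running_in_sgx = True`, yet its quote is rejected and it cannot unseal data; only a party holding the root key (the rogue manufacturer case) can.

```python
"""Toy model: why wrapping SGX in rogue software does not forge attestation or unseal data.

Simplifications, all deliberate: the attestation key is symmetric (HMAC) instead of
EPID/ECDSA; sealing uses a SHA-256 keystream plus HMAC instead of AES-GCM.
"""
import hashlib
import hmac
import secrets

# Constructed sample enclave contents: this is what gets measured.
ENCLAVE_CODE = b"enclave v1: decrypt customer records, never leak them"


def measure(code: bytes) -> bytes:
    """MRENCLAVE stand-in: a hash of the enclave's contents.
    Real hardware and an emulator compute the same value; the measurement is public."""
    return hashlib.sha256(code).digest()


class SgxHardware:
    """The CPU side. Holds a per-device root key that never leaves the chip.
    An emulator presents the same interface but only has a key it invented itself."""

    is_running_in_sgx = True  # an emulator can return True here too, as the comment notes

    def __init__(self, root_key: bytes):
        self._root_key = root_key  # fused in at manufacture

    def quote(self, code: bytes, report_data: bytes) -> dict:
        """Attestation quote: (MRENCLAVE, report_data) bound to the root key."""
        mr = measure(code)
        tag = hmac.new(self._root_key, b"QUOTE" + mr + report_data, hashlib.sha256).digest()
        return {"mrenclave": mr, "report_data": report_data, "tag": tag}

    def sealing_key(self, code: bytes) -> bytes:
        """Key for data at rest: derived from the root key and the enclave identity."""
        return hmac.new(self._root_key, b"SEAL" + measure(code), hashlib.sha256).digest()


def verify_quote(root_key: bytes, expected_code: bytes, quote: dict) -> bool:
    """Relying party plus attestation service: recompute the tag, then check identity."""
    expected_tag = hmac.new(
        root_key, b"QUOTE" + quote["mrenclave"] + quote["report_data"], hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected_tag, quote["tag"]) and quote["mrenclave"] == measure(expected_code)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(blocks))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key does not authenticate the blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def run_scenario() -> dict:
    genuine_root = secrets.token_bytes(32)           # constructed per-CPU secret
    genuine = SgxHardware(genuine_root)
    emulator = SgxHardware(secrets.token_bytes(32))  # rogue wrapper: right code, wrong key
    # report_data binds the enclave's own ephemeral key into the quote (constructed value).
    report_data = hashlib.sha256(b"enclave ephemeral public key").digest()
    secret = b"secret customer record"
    blob = seal(genuine.sealing_key(ENCLAVE_CODE), secret)

    emu_quote = emulator.quote(ENCLAVE_CODE, report_data)
    results = {
        "emulator_claims_sgx": emulator.is_running_in_sgx,
        "emulator_measures_correctly": emu_quote["mrenclave"] == measure(ENCLAVE_CODE),
        "genuine_quote_accepted": verify_quote(genuine_root, ENCLAVE_CODE, genuine.quote(ENCLAVE_CODE, report_data)),
        "emulator_quote_accepted": verify_quote(genuine_root, ENCLAVE_CODE, emu_quote),
        "genuine_unseals": unseal(genuine.sealing_key(ENCLAVE_CODE), blob) == secret,
        "emulator_unseals": unseal(emulator.sealing_key(ENCLAVE_CODE), blob) is not None,
        # The answer's residual risk: a manufacturer who kept the root key can derive every key.
        "manufacturer_with_root_key_unseals": unseal(SgxHardware(genuine_root).sealing_key(ENCLAVE_CODE), blob) == secret,
    }
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The two checks that matter to the relying party are in `verify_quote`: the tag proves the quote came from hardware holding the root key, and the measurement comparison proves which code is inside. Rogue software controls everything except the key, which is why the emulator passes the measurement check and the `is_running_in_sgx` check but fails the tag and cannot unseal; only the root-key holder in the last line succeeds.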