7

Future Intel processors will support SGX (Software Guard Extensions), which allows running security-critical software on your processor in a way that is isolated from all the other code. The hardware provides secure isolation, so other code can't tamper with the security-critical code running in the SGX enclave. Even the OS kernel is not trusted and can't tamper with the code in the SGX enclave. The enclave itself is stateless, but there's a way it can save data on external storage securely: the hardware supports sealed storage, where data is encrypted and MAC'ed before being written to disk.

Are there any guarantees for freshness of sealed data? In other words, I'm worried about a rollback attack, where a malicious OS tries to roll the state of the enclave back to some earlier point in time: e.g., checkpoint the saved state, run the enclave for a while, then possibly restore back to the checkpoint. Can SGX code defend against such rollback attacks? If so, how?

pnp
D.W.

2 Answers

5

No, not directly.

As you've observed, SGX ensures the freshness and integrity of transient state in memory, but doesn't provide any mechanism (like a monotonic counter) for ensuring freshness of persistent state. So if you just want to rely on SGX on the local CPU, you can't protect against state rollback attacks. The general solution to this problem is communication with another trusted party which can provide you the basic mechanism to ensure freshness. That could be a trusted machine/service on the other side of a network, or it might be some other trusted hardware like a TPM. In either case, because you'll be communicating over an untrusted channel, you need to secure it (i.e., crypto). If your workload is update-heavy, you'll also run into the messy tradeoff between holding up writes while you wait for communication with the trusted party vs. allowing some window for rollback attacks.

ab.
    Based on http://www.google.com/patents/WO2014084908A1?cl=en, it looks like Intel will provide some sort of local SGX enclave which implements a virtual monotonic counter through a hardware monotonic counter. I won't be surprised if Skylake (which has SGX) has this hardware monotonic counter. If you can figure out how to use this, then you can avoid communicating with a trusted party over network and may not need to worry about this trade-off. – Raghu Sep 08 '15 at 16:41
2

SGX provides monotonic counters to prevent rollback attacks but these are not available on all machines. Intel applies a frequency limit to write operations to prevent memory wearing out, after which point the counters become unusable. This is stated in the official documentation.

Creating a monotonic counter (MC) involves writing to the non-volatile memory available in the platform. Repeated write operations could cause the memory to wear out during the normal lifecycle of the platform. Intel® SGX prevents this by limiting the rate at which MC operations can be performed. If you exceed the limit, the MC operation may return SGX_ERROR_BUSY for several minutes.

There are other problems according to this paper,

  • monotonic counters are slow,
  • wear out after just over 1M writes in their tests (5 laptops, one does not support MC),
  • and, perhaps worse, the counters disappear if the BIOS battery is removed or the PSW is reinstalled. They are not reset; it is as if they were never created to start with.
Daniel
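The freshness check both answers describe, as an added example that is not part of either answer and is not SGX SDK code: the sealed blob carries the value of a trusted counter, so a checkpointed blob still passes the MAC but fails the counter comparison. Assumptions: HMAC under a constructed key stands in for SGX sealing, and `MonotonicCounter`, `save`, `load` and `write_budget` are hypothetical names modelling a trusted counter (SGX MC, TPM or remote service) and its rate limit.

```python
import hashlib, hmac, json

SEAL_KEY = b"constructed-demo-key"  # stand-in for the enclave sealing key (assumption)

class CounterBusy(Exception):
    """Models the rate limit that surfaces as SGX_ERROR_BUSY."""

class MonotonicCounter:
    """Hypothetical trusted counter: an SGX MC, a TPM, or a remote service."""
    def __init__(self, write_budget):
        self.value, self._budget = 0, write_budget
    def increment(self):
        if self._budget == 0:
            raise CounterBusy("counter rate-limited")
        self._budget -= 1
        self.value += 1
        return self.value

def _mac(body):
    return hmac.new(SEAL_KEY, body, hashlib.sha256).digest()

def save(state, counter):
    # Increment first; if the counter is unavailable the write is held up.
    version = counter.increment()
    body = json.dumps({"v": version, "state": state}, sort_keys=True).encode()
    return _mac(body) + body

def load(blob, counter):
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, _mac(body)):
        raise ValueError("integrity check failed")
    record = json.loads(body)
    # The MAC accepts any blob ever sealed; only the counter proves freshness.
    if record["v"] != counter.value:
        raise ValueError("rollback detected")
    return record["state"]

def attempt(fn, *args):
    try:
        return fn(*args)
    except (ValueError, CounterBusy) as err:
        return type(err).__name__ + ": " + str(err)

def demo():
    mc = MonotonicCounter(write_budget=2)
    checkpoint = save({"balance": 100}, mc)  # constructed state a malicious OS keeps
    latest = save({"balance": 40}, mc)
    return (attempt(load, latest, mc), attempt(load, checkpoint, mc),
            attempt(save, {"balance": 0}, mc))
```

Incrementing before sealing means a crash between the two steps leaves no loadable blob; sealing first avoids that but reopens a rollback window, which is the trade-off the first answer mentions.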