Software Guard Extensions

From Wikipedia, the free encyclopedia

Intel SGX is a set of CPU instructions from Intel that allows user-level code to allocate private regions of memory, called enclaves, that are protected from processes running at higher privilege levels.[1] Intel designed SGX to be useful for implementing secure remote computation, secure browsing, and digital rights management (DRM).[2]

Support for SGX in the CPU is indicated in CPUID "Structured Extended feature Leaf", EBX bit 02,[3] but its availability to applications requires BIOS support and opt-in enabling, neither of which is reflected in CPUID bits. This complicates the feature detection logic for applications.[4]
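The detection caveat above, as an added example (not code from Intel or from the cited references): it reads EBX bit 02 of CPUID leaf 07h and keeps "CPU advertises SGX" separate from "SGX is usable". The enum, the function names and the `platform_enabled` flag are hypothetical; how BIOS support and opt-in are confirmed is platform-specific and not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>              /* GCC/Clang CPUID helpers */
#endif

#define SGX_LEAF    0x07u       /* Structured Extended feature Leaf */
#define SGX_EBX_BIT 2           /* EBX bit 02: SGX */

enum sgx_cpu_state {            /* hypothetical names for this example */
    SGX_NO_LEAF,                /* leaf 07h not enumerated (or not x86) */
    SGX_ABSENT,                 /* leaf present, EBX bit 02 clear */
    SGX_CPU_ONLY                /* bit set; BIOS support and opt-in unknown */
};

/* Pure decoder so the logic can be checked with constructed values. */
enum sgx_cpu_state sgx_classify(uint32_t max_basic_leaf, uint32_t leaf7_ebx)
{
    if (max_basic_leaf < SGX_LEAF)
        return SGX_NO_LEAF;
    return ((leaf7_ebx >> SGX_EBX_BIT) & 1u) ? SGX_CPU_ONLY : SGX_ABSENT;
}

/* Query the running CPU; sub-leaf 0 of leaf 07h carries the feature bits. */
enum sgx_cpu_state sgx_probe_cpu(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    unsigned int max_leaf = __get_cpuid_max(0, NULL);
    if (max_leaf >= SGX_LEAF)
        __cpuid_count(SGX_LEAF, 0, eax, ebx, ecx, edx);
    (void)eax; (void)ecx; (void)edx;
    return sgx_classify(max_leaf, ebx);
#else
    return SGX_NO_LEAF;
#endif
}

/* The CPUID bit alone never implies usability: platform_enabled must come
 * from a separate, platform-specific check (assumption, not shown here). */
int sgx_usable(enum sgx_cpu_state cpu, int platform_enabled)
{
    return cpu == SGX_CPU_ONLY && platform_enabled != 0;
}

int main(void)
{
    static const char *names[] = { "no leaf 07h", "absent", "CPU bit set" };
    printf("SGX CPUID state: %s\n", names[sgx_probe_cpu()]);
    return 0;
}
```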

Emulation of SGX was added to an experimental version of the QEMU system emulator in 2014.[5] In 2015, researchers at the Georgia Institute of Technology released an open-source simulator known as OpenSGX.[6]

SGX was introduced in 2015 with the sixth generation Intel Core microprocessors based on the Skylake microarchitecture.

One example of SGX used in security was a demo application from wolfSSL[7] that used it for cryptography algorithms. One example of a secure service built using SGX is Fortanix's key management service.[8] This entire cloud-based service is built using SGX servers and designed to provide privacy from the cloud provider. An additional example is Numecent using SGX to protect the DRM that is used to authorize application execution with their Cloudpaging application delivery products.[9]

The Intel Goldmont Plus (Gemini Lake) microarchitecture will also add support for Intel SGX.

Flaws

Prime+Probe attack

On 27 March 2017, researchers at Austria's Graz University of Technology developed a proof-of-concept that can grab RSA keys from SGX enclaves running on the same system within five minutes by using certain CPU instructions in lieu of a fine-grained timer to exploit cache DRAM side-channels.[10][11]

References

  1. "Intel® SGX for Dummies (Intel® SGX Design Objectives)". intel.com. 2013-09-26.
  2. "Intel SGX Details". intel.com. 2017-07-05.
  3. Intel Architecture Instruction Set Extensions Programming Reference, Intel, August 2015, page 36 "Structured Extended feature Leaf EAX=07h, EBX Bit 02: SGX"
  4. "Properly Detecting Intel® Software Guard Extensions in Your Applications". intel.com. 2016-05-13.
  5. https://tc.gtisc.gatech.edu/bss/2014/l/final/pjain43.pdf
  6. "sslab-gatech/opensgx". GitHub. Retrieved 2016-08-15.
  7. "wolfSSL At IDF". wolfssl. 2016-08-11.
  8. "Fortanix Intel SGX Based Key Management". 2017-02-26.
  9. "Numecent Cloudpaging at Intel IDF". numecent.com. 2016-08-16.
  10. Chirgwin, Richard (March 7, 2017). "Boffins show Intel's SGX can leak crypto keys". The Register. Retrieved 1 May 2017.
  11. Schwarz, Michael; Weiser, Samuel; Gruss, Daniel; Maurice, Clémentine; Mangard, Stefan (March 1, 2017). "Malware Guard Extension: Using SGX to Conceal Cache Attacks". Graz University of Technology. Retrieved 1 May 2017.

External links