Question

SGX

1. Why is the initial program loaded into an SGX enclave unencrypted?
2. What does a client program have to verify before passing secrets to an SGX enclave?
3. What state must be encrypted to protect the contents of an SGX enclave from the operating system or virtual machine monitor?
4. Suppose code in an SGX enclave is waiting for data to arrive and calls the read() system call. What conditions must it check after the read() call returns to make sure it executes correctly?

Answer 1

Q) why is the inital program loaded into an SGX enclave unencrypetd?

Ans: Intel SGX provides secure enclave in which the code and data are hidden form the outside world including privileged code such as the OS. by default enclave the code prior to initialization can be disassembled and therefor no secret can be embedded in binary this is problem for developers wishing the protect code secrete.

-SGC , a nearly-transparent framework that enables enclave code confidentiality. The key idea is to treat program code as data and dynamically restore secrets after an enclave is initialized. SGX can be integrated into any enclave, providing a mechanism to securely decrypte or deliver the secret code with the assistance of a developer controlled trusted remote party.

-SGX Enclaves. The first step in creating an enclave is to call the instruction ECREATE. This allocates memory inside the Enclave Page Cache (EPC) to hold enclave code and data.

-EPC memory is encrypted by the Memory Encryption Engine (MEE) and decrypted when accessed by enclave code.

-SGX must also calculate the enclave’s measurement, a cryptographic hash that is used for remote attestation. This is done with the EEXTEND instruction. Every time EEXTEND is executed, it measures 256 bytes, and therefore it must be executed 16 times to cover a full page.

-The original vendor of software can ensure that the code that the client is running is identical to the code provided by the vendor. This also defends against any tampering of program code.

Advantages:

- Data Confidentiality.

- Data Confidentiality.

Q2) What does a client program have to verify before passing secrets to an SGX enclave?

Ans: Intel SGX (Software Guard Extension) technology, available in Skylake and later processors, allows to create secure memory regions (enclaves) protected with hardware encryption in the SoC (system on chip).

-The data is in cleartext only inside the processor. It is encrypted in the SoC before leaving to the main memory, and decrypted in SoC upon fetching from the main memory. Paging is done on encrypted data.

-This is a powerful security tool, but it is highly challenging for usage in practical systems. One of the main challenges is a complex trust establishment mechanism required to verify the CPU and the application binary running in the enclave.

-Without verification, the user can not send secrets (such as data encryption keys) to the enclave, because the CPU can be substituted by a fake processor that leaks the secrets to a malicious party, and the application binary could be replaced by malicious code that leaks the data even in a genuine SGX CPU.

-Intel specifies a procedure for such verification, called “remote attestation” and provides example code for using it. Unfortunately, the SGX toolkit doesn’t have an end-to-end mechanism that implements this procedure.

-Instead, the SGX SDK contains a collection of API calls that can be utilized by an expert developer to create such mechanism.

-The remote attestation is followed by sending data encryption keys, or other secret information, to the enclave. We have implemented an easy-to-use mechanism for sending such secrets from clients to enclaves, and opening the secrets inside enclaves  all performed by simple API calls.

The Trust Management Framework has two main components:

• TruCE server: A standalone process that registers with Intel Attestation Service and assists in the remote attestation of cloud enclaves.
• TruCE SDK: A toolkit for application development. It has API and libraries for the trusted (enclave) part of the cloud application, the untrusted part of the cloud application, and the off-cloud client code that interacts with the cloud application.

TruCE is a service model that can have different implementations underneath, yet exposes the same interface to applications. Currently, we have two implementations, one based on an Intel prototype sample code, and the other developed by IBM as part of the RestAssured project.

Remote attestation has the following goals:

1. Verify that the attestation report was indeed created in a genuine Intel SGX hardware.
2. Verify that the code being executed by the enclave has not been tampered with.
3. Create a secure channel between an external client and the enclave and pass a secret to the enclave using this secure channel.

Q3) What state must be encrypted to protect the contents of an SGX enclave from the operating system or virtual machine monitor?

Ans: He first step in creating an enclave is to call the instruction ECREATE. This allocates memory inside the Enclave Page Cache (EPC) to hold enclave code and data

-. EPC memory is encrypted by the Memory Encryption Engine (MEE) and decrypted when accessed by enclave code. Enclave contents are added with the EADD instruction, which copies a 4KB page from ordinary memory into an EPC page. However, SGX must also calculate the enclave’s measurement, a cryptographic hash that is used for remote attestation. T

-his is done with the EEXTEND instruction. Every time EEXTEND is executed, it measures 256 bytes, and therefore it must be executed 16 times to cover a full page. The enclave cannot be entered until it has been initialized with the EINIT instruction. However, unless the enclave’s measurement matches the original measurement calculated by the enclave’s creator, the hardware will not initialize it.

-The creator of the enclave provides the measurement inside the SIGSTRUCT data structure, which the creator signs with their private key and provides along with the enclave.

-After remote attestation is complete, a server is assured that the enclave it is talking to matches its declared measurement, and a secure channel has been established between them, allowing the server to provide secrets to the enclave.

Q4) Suppose code in an SGX enclave is waiting for data to arrive and calls the read() system call. What conditions must it check after the read() call returns to make sure it executes correctly?

-As stated earlier, we aim to require as few changes as possible to an SGX application, and our solution was to sanitize all developer functions.

-This requires no input from the developer, as the white list is identical for all SGX applications. However, we do require a developer to call elide_restore in order to restore enclave functions.

-One solution would be to insert a call to elide_restore at the top of all ecalls before the original functions are restored, meaning the first ecall to be called would restore the enclave before continuing.

-In addition, by explicitly having developers call elide_restore, they can handle various errors the enclave might encounter (e.g  a network error)

-Therefore, the only changes a developer must make to the enclave application are adding the library and a single call to elide_restore. However, the library also requires an authentication server to give an attested enclave the data it needs to restore its functions.

-Our framework contains a very small number of public API functions: only one ecall (elide_restore) and two ocalls (elide_server_request and elide_read_file). The ocalls are automatically called by our library, so the required developer effort is minimal.Finally, in our framework, the server stands alone and requires no developer input, but in many applications it may be desirable for the developer to add custom functionality between enclave and server.

-Thus our framework only requires a server with access to the secret data and metadata that the enclave requires.