
SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 1:01 UTC (Wed) by amarao (guest, #87073)
Parent article: SGX: when 20 patch versions aren't enough

I can understand why there is a need for enclave data concealment, but I can't understand why code should not be open for inspection? Make it read-only, and half the concerns are gone.


SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 6:39 UTC (Wed) by smurf (subscriber, #17840) [Link] (4 responses)

The whole enclave is encrypted. There's no way to read the bytes in there, code or data doesn't matter.

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 9:45 UTC (Wed) by grawity (subscriber, #80596) [Link] (3 responses)

Um, but that was already the question: why is the entire enclave encrypted, as opposed to just the "data" pages being encrypted. "It's encrypted because it's encrypted" doesn't quite answer it. (The article notes that encryption is done at enclave startup time – the original code blob is merely signed, but not encrypted yet.)

Not that it would help much, if at all. You'd quickly find malware putting a bytecode interpreter in the "code" part, and all the interesting stuff being stored as "data".

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 13:29 UTC (Wed) by mageta (subscriber, #89696) [Link]

As far as I know - in reference to this paper: https://arxiv.org/abs/1902.03256 (pretty nice paper, shows that SGX enclaves can in fact do more than information retrieval: "With SGX-ROP, we bypassed ASLR, stack canaries, and address sanitizer, to run ROP gadgets in the host context enabling practical enclave malware.") - the prime exploiters of SGX at this point are DRM systems, or systems that try to protect intellectual property in general. For me it is obvious why these users are interested in doing away with any access whatsoever, in order to limit the amount of reverse engineering the user can do on them.

In regards to the thought that the images are only signed, not encrypted: there are some thoughts on how attackers/DRM providers might load code into an enclave at run-time: http://theinvisiblethings.blogspot.com/2013/09/thoughts-o.... This way you cannot inspect the code at all, even if you can inspect the original image/blob.

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 14:34 UTC (Wed) by smurf (subscriber, #17840) [Link]

Define "data". Constant data are stored in code pages. Like a hardcoded encryption key (those can't always be avoided). Game over if anybody can read that.

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 16:57 UTC (Wed) by flussence (guest, #85566) [Link]

It's encrypted because it's *designed* first and foremost to run malware - specifically corporate DRM.

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 17:01 UTC (Wed) by luto (guest, #39314) [Link]

The code is open for inspection, or at least the initial code is. SGX only provides confidentiality after the enclave starts running.
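The two points made above, that a hard-coded constant in a code page is as sensitive as any data page (smurf) and that SGX only conceals the enclave once it has been loaded, while the initial image is merely signed and fully inspectable (luto), can be made concrete with a toy model. This is an added example, not code from LWN, from any commenter, or from any SGX implementation; it assumes a simplified picture in which an image is a list of typed pages, the measurement is a SHA-256 chain over page type and contents (a stand-in for MRENCLAVE), the signature is an HMAC under a constructed vendor key (a stand-in for the RSA signature over the measurement), and memory encryption is a SHA-256 keystream XOR under a CPU-held key (a stand-in for the memory encryption engine). All keys and page contents are constructed sample values.

```python
"""Toy model of the SGX lifecycle: signed-but-plain image, then encrypted EPC pages.

Added example. Page types, measurement, signature and memory encryption are
simplified stand-ins, not the real SGX data structures or algorithms.
"""
import hashlib
import hmac

PAGE_SIZE = 4096

# Constructed sample enclave: one "code" page that carries an embedded constant
# (the hard-coded key case) and one all-zero "data" page.
EMBEDDED_KEY = b"HARDCODED-KEY-0123"  # constructed, not a real key
CODE_PAGE = (b"\x90" * 64 + EMBEDDED_KEY).ljust(PAGE_SIZE, b"\xcc")
DATA_PAGE = b"\x00" * PAGE_SIZE
IMAGE = [("code", CODE_PAGE), ("data", DATA_PAGE)]

VENDOR_KEY = b"constructed-vendor-signing-key"  # stands in for the vendor's RSA key
CPU_KEY = b"constructed-cpu-memory-key"         # stands in for the CPU-held MEE key


def measure(image):
    """Chain-hash page type and contents. Anyone holding the image can recompute it,
    so the initial code (constants included) is open to inspection and verification."""
    h = hashlib.sha256()
    for page_type, content in image:
        h.update(page_type.encode())
        h.update(hashlib.sha256(content).digest())
    return h.digest()


def sign_image(image):
    """Vendor signature over the measurement (HMAC stands in for RSA here)."""
    return hmac.new(VENDOR_KEY, measure(image), hashlib.sha256).digest()


def verify_signature(image, signature):
    return hmac.compare_digest(sign_image(image), signature)


def _keystream(cpu_key, page_index, length):
    """Per-page keystream derived from the CPU key (toy substitute for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = cpu_key + page_index.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:length])


def xor_pages(pages, cpu_key):
    """Encrypt (or, applied again, decrypt) every page regardless of its type.
    This is the behaviour the thread discusses: code and data are treated alike."""
    result = []
    for index, (page_type, content) in enumerate(pages):
        ks = _keystream(cpu_key, index, len(content))
        result.append((page_type, bytes(a ^ b for a, b in zip(content, ks))))
    return result


def load_enclave(image, cpu_key=CPU_KEY):
    """Simulated load: copy the signed plaintext image into encrypted memory."""
    return xor_pages(image, cpu_key)


def constant_visible(pages):
    """What an observer of these pages learns: is the embedded constant readable?"""
    return any(EMBEDDED_KEY in content for _, content in pages)


if __name__ == "__main__":
    sig = sign_image(IMAGE)
    print("image signature valid:", verify_signature(IMAGE, sig))
    print("constant visible in image:", constant_visible(IMAGE))
    epc = load_enclave(IMAGE)
    print("constant visible in loaded enclave:", constant_visible(epc))
```

Before loading, the signature verifies and the constant is plainly visible in the code page, which is what "open for inspection" amounts to; after loading, neither the code page nor the data page reveals it, and a reviewer who wanted a code-only-readable design would have to explain which of those two pages the constant belongs in.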

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 20:16 UTC (Wed) by mm7323 (subscriber, #87386) [Link]

It could be as simple as this: some bit of hardware that does the encryption and decryption for enclave page access follows the von Neumann architecture, and so makes no distinction between code and data, and it all ends up encrypted. Just a guess though.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds