Cryptology ePrint Archive: Report 2017/736

SGX Remote Attestation is not Sufficient

Yogesh Swami

Abstract: Intel SGX enclaves provide hardware enforced confidentiality and integrity guarantees for running pure computations (\ie, OS-level side-effect-free code) in the cloud environment. In addition, SGX remote attestation enables enclaves to prove that a claimed enclave is indeed running inside a genuine SGX hardware and not some (adversary controlled) SGX simulator.

Since cryptographic protocols do not compose well, especially when run concurrently, SGX remote attestation is only a necessary pre-condition for securely instantiating an enclave. In practice, one needs to analyze all the different interacting enclaves as a \textit{single protocol} and make sure that no sub-computation of the protocol can be simulated outside of the enclave. In this paper we describe protocol design problems under (a) sequential-composition, (b) concurrent-composition, and (c) enclave state malleability that must be taken into account while designing new enclaves. We analyze Intel provided EPID \textsf{Provisioning} and \textsf{Quoting} enclave and report our (largely positive) findings. We also provide details about how SGX uses EPID Group Signatures and report (largely negative) results about claimed anonymity guarantees.

Category / Keywords: applications /

Original Publication (with minor differences): BlackHat'17

Date: received 30 Jul 2017

Contact author: yogesh swami at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20170801:152136 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]