Paper 2017/736

SGX Remote Attestation is not Sufficient

Yogesh Swami

Abstract

Intel SGX enclaves provide hardware enforced confidentiality and integrity guarantees for running pure computations (\ie, OS-level side-effect-free code) in the cloud environment. In addition, SGX remote attestation enables enclaves to prove that a claimed enclave is indeed running inside a genuine SGX hardware and not some (adversary controlled) SGX simulator. Since cryptographic protocols do not compose well, especially when run concurrently, SGX remote attestation is only a necessary pre-condition for securely instantiating an enclave. In practice, one needs to analyze all the different interacting enclaves as a \textit{single protocol} and make sure that no sub-computation of the protocol can be simulated outside of the enclave. In this paper we describe protocol design problems under (a) sequential-composition, (b) concurrent-composition, and (c) enclave state malleability that must be taken into account while designing new enclaves. We analyze Intel provided EPID \textsf{Provisioning} and \textsf{Quoting} enclave and report our (largely positive) findings. We also provide details about how SGX uses EPID Group Signatures and report (largely negative) results about claimed anonymity guarantees.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. Minor revision. BlackHat'17
Contact author(s)
yogesh swami @ gmail com
History
2017-08-01: received
Short URL
https://ia.cr/2017/736
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/736,
      author = {Yogesh Swami},
      title = {SGX Remote Attestation is not Sufficient},
      howpublished = {Cryptology ePrint Archive, Paper 2017/736},
      year = {2017},
      note = {\url{https://eprint.iacr.org/2017/736}},
      url = {https://eprint.iacr.org/2017/736}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.