SoK: SGX.Fail: How Stuff Gets eXposed

Stephan Van Schaik, Alex Seto, Thomas Yurek, Adam Batori, Bader Albassam, Daniel Genkin, Andrew Miller, Eyal Ronen, Yuval Yarom, Christina Garman

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

Intel's Software Guard Extensions (SGX) promises an isolated execution environment, protected from all software running on the machine. As such, numerous works have sought to leverage SGX to provide confidentiality and integrity guarantees for code running in adversarial environments. In the past few years however, SGX has come under heavy fire, threatened by numerous hardware attacks. With Intel repeatedly patching SGX to regain security while consistently launching new (micro)architectures, it is increasingly difficult to track the applicability of various attack techniques across the SGX design landscape.Thus, in this paper we set out to survey and categorize various SGX attacks, their applicability to different SGX architectures, as well as the information leaked by them. We then set out to explore the effectiveness of SGX's update mechanisms in preventing attacks on real-world deployments. Here, we study two commercial SGX applications. First, we investigate the SECRET network, an SGX-backed blockchain aiming to provide privacy-preserving smart contracts. Next, we also consider PowerDVD, a UHD Blu-Ray Digital Rights Management (DRM) software licensed to play discs on PCs. We show that in both cases vendors are unable to meet security goals originally envisioned for their products, presumably due to SGX's long update timelines and the complexities of a manual update process. This in turn forces vendors to make difficult security/usability trade offs, resulting in security compromises.

Original languageEnglish
Title of host publicationProceedings - 45th IEEE Symposium on Security and Privacy, SP 2024
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages4143-4162
Number of pages20
ISBN (Electronic)9798350331301
DOIs
StatePublished - 2024
Event45th IEEE Symposium on Security and Privacy, SP 2024 - San Francisco, United States
Duration: 20 May 202423 May 2024

Publication series

NameProceedings - IEEE Symposium on Security and Privacy

Conference

Conference45th IEEE Symposium on Security and Privacy, SP 2024
Country/TerritoryUnited States
CitySan Francisco
Period20/05/2423/05/24

All Science Journal Classification (ASJC) codes

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications

Cite this