Intel
Intel SGX is a set of central processing unit (CPU) instruction codes
from
Intel
Intel that allows user-level code to allocate private regions of
memory, called enclaves, that are protected from processes running at
higher privilege levels.[1]
Intel
Intel designed SGX to be useful for
implementing secure remote computation, secure web browsing, and
digital rights management (DRM).[2]
Contents
1 Details
2 Prime+Probe attack
3 Spectre-like attack
4 References
5 External links
Details[edit]
Support for SGX in the CPU is indicated in
CPUID "Structured Extended
feature Leaf", EBX bit 02,[3] but its availability to applications
requires
BIOS
BIOS support and opt-in enabling which is not reflected in
CPUID bits. This complicates the feature detection logic for
applications.[4]
Emulation of SGX was added to experimental version of the
QEMU
QEMU system
emulator in 2014.[5] In 2015, researchers at the Georgia Institute of
Technology released an open-source simulator known as OpenSGX.[6]
It was introduced in 2015 with the sixth generation
Intel
Intel Core
microprocessors based on the Skylake microarchitecture.
One example of SGX used in security was a demo application from
wolfSSL[7] using it for cryptography algorithms. One example of a
secure service built using SGX is Fortanix's key management
service.[8] This entire cloud based service is built using SGX servers
and designed to provide privacy from cloud provider. An additional
example is
Numecent
Numecent using SGX to protect the DRM that is used to
authorize application execution with their Cloudpaging application
delivery products.[9]
Intel
Intel
Goldmont Plus (Gemini Lake) microarchitecture will also add
support for
Intel
Intel SGX.
Prime+Probe attack[edit]
On 27 March 2017 researchers at Austria's Graz University of
Technology developed a proof-of-concept that can grab RSA keys from
SGX enclaves running on the same system within five minutes by using
certain CPU instructions in lieu of a fine-grained timer to exploit
cache
DRAM
DRAM side-channels.[10][11] One countermeasure for this type of
attack was presented and published by Daniel Gruss et al. at the
USENIX
USENIX Security Symposium in 2017.[12] Among other published
countermeasures, one countermeasure to this type of attack was
published on September 28, 2017, a compiler-based tool, DR.SGX,[13]
that claims to have superior performance with the elimination of the
implementation complexity of other proposed solutions.
Spectre-like attack[edit]
The LSDS group at Imperial College London showed a proof of concept
that the Spectre speculative execution security vulnerability can be
adapted to attack the secure enclave.[14]
References[edit]
Computer security
Computer security portal
^ "
Intel
Intel SGX for Dummies (
Intel
Intel SGX Design Objectives)". intel.com.
2013-09-26.
^ "
Intel
Intel SGX Details". intel.com. 2017-07-05.
^
Intel
Intel Architecture Instruction Set Extensions Programming Reference,
Intel, AUGUST 2015, page 36 "Structured Extended feature Leaf EAX=07h,
EBX Bit 02: SGX"
^ "Properly Detecting
Intel
Intel
Software Guard Extensions in Your
Applications". intel.com. 2016-05-13.
^ https://tc.gtisc.gatech.edu/bss/2014/l/final/pjain43.pdf
^ "sslab-gatech/opensgx". GitHub. Retrieved 2016-08-15.
^ "wolfSSL At IDF". wolfssl. 2016-08-11.
^ "Fortanix
Intel
Intel SGX Based Key Management". 2017-02-26.
^ "
Numecent
Numecent Cloudpaging at
Intel
Intel IDF". numecent.com. 2016-08-16.
^ Chirgwin, Richard (March 7, 2017). "Boffins show Intel's SGX can
leak crypto keys". The Register. Retrieved 1 May 2017.
^ Schwarz, Michael; Weiser, Samuel; Gruss, Daniel; Maurice,
Clémentine; Mangard, Stefan (March 1, 2017). "Malware Guard
Extension: Using SGX to Conceal Cache Attacks". Graz University of
Technology. Retrieved 1 May 2017.
^ "Strong and Efficient Cache Side-Channel Protection using Hardware
Transactional Memory" (PDF). USENIX. 2017-08-16.
^ "DR.SGX: Hardening SGX Enclaves against Cache Attacks with Data
Location Randomization" (PDF). arxiv.org. 2017-09-28.
^ Sample code demonstrating a Spectre-like attack against an
Intel
Intel SGX
enclave.
External links[edit]
Intel
Intel
Software Guard Extensions (
Intel
Intel SGX) / ISA Extensions, Intel
Intel
Intel
Software Guard Extensions (
Intel
Intel SGX) Programming Reference,
Intel, October 2014
IDF 2015 - Tech Chat: A Primer on
Intel
Intel Software Guard Extensions,
Intel
Intel (poster)
ISCA 2015 tutorial slides for
Intel
Intel SGX, Intel, June 2015
McKeen, Frank, et al. (Intel), Innovative Instructions and Software
Model for Isolated Execution // Proceedings of the 2nd International
Workshop on Hardware and Architectural Support for Security and
Privacy. ACM, 2013.
Joanna Rutkowska, Thoughts on Intel's upcoming Software Guard
Extensions (Part 1), August 2013
SGX: the good, the bad and the downright ugly / Shaun Davenport,
Richard Ford (Florida Institute of Technology) / Virus Bulletin,
2014-01-07
Victor Costan and Srinivas Devadas,
Intel
Intel SGX Explained, January 2016.
wolfSSL, October 2016.
The Security of
Intel
Intel SGX for Key Protection and Data Privacy
Applications / Professor Yehuda Lindell (Bar Ilan University &
Unbound Tech), January 2018
v
t
e
Intel
Subsidiaries
3Dlabs
Altera
Comneon
Intel
Intel Security
Mobileye
Recon Instruments
Virtutech
Wind River Systems
4Group Holdings (50% owned by Technicolor SA)
Products
Intel
Intel AZ210
3D XPoint
Accounts & SSO
Amplify Tablet
Advanced Programmable Interrupt Controller
Cache Acceleration Software
Client Initiated Remote Access
Direct Media Interface
Flexible Display Interface
Hella Zippy
Intel
Intel 1103
Intel
Intel Display Power Saving Technology
Intel
Intel Modular Server System
Intel
Intel Reader
Intel
Intel SPSH4
Intel
Intel System Development Kit
Intel
Intel Upgrade Service
Intel740
InTru3D
IXP1200
OFono
Omni-Path
Performance acceleration technology
Shooting Star
Smart Cache
SSDs (X25-M)
Stable Image Platform
Virtual 8086 mode
WiDi
X86
Intel
Intel Clear Video
Intel
Intel Quick Sync Video
Litigation
Advanced Micro Devices, Inc. v.
Intel
Intel Corp.
High-Tech Employee Antitrust Litigation
Intel
Intel Corp. v. Advanced Micro Devices, Inc.
Intel
Intel Corp. v. Hamidi
Intel
Intel Corporation Inc. v CPM United Kingdom Ltd
Silvaco Data Systems v.
Intel
Intel Corp.
People
Gordon Moore
Robert Noyce
Related
Intel
Intel Foundation Achievement Award
Apple's transition to
Intel
Intel processors
Intel
Intel Architecture Labs
ASCI Red
BiiN
Classmate PC
Convera Corporation
Copy Exactly!
Cornell Cup USA
Intel
Intel Developer Forum
Dynamic video memory technology
Intel
Intel Extreme Masters
List of
Intel
Intel microprocessors
List of
Intel
Intel graphics processing units (2013 or earlier)
I/O Acceleration Technology
IA-32 Execution Layer
IM Flash Technologies
The Innovators
Inside
Inside Films
Intel
Intel ADX
Intel
Intel Capital
Intel
Intel Cluster Ready
Intel
Intel Compute Stick
Intel
Intel Ireland
Intel
Intel Mobile Communications
Intel
Intel Outstanding Researcher Award
Intel
Intel SHA extensions
Intel
Intel Teach
List of semiconductor fabrication plants
List of
Intel
Intel manufacturing sites
Intel
Intel Museum
OnCue
Intel
Intel PRO/Wireless
Intel
Intel International Science and Engineering Fair
Regeneron Science Talent Search
Simple
Firmware
Firmware Interface
Single-chip Cloud Computer
Software Guard Extensions
Supervisor Mode Access Prevention
Tarari
Intel
Intel Technology Journal
Intel
Intel Tera-Scale
Timeline of Intel
Xircom
v
t
e
CPU technologies
Architecture
Turing machine
Post–Turing machine
Universal Turing machine
Quantum Turing machine
Belt machine
Stack machine
Register machine
Counter machine
Pointer machine
Random access machine
Random access stored program machine
Finite-state machine
Queue automaton
Von Neumann
Harvard (modified)
Dataflow
TTA
Cellular
Artificial neural network
Machine learning
Deep learning
Neural processing unit (NPU)
Convolutional neural network
Load/store architecture
Register memory architecture
Endianness
FIFO
Zero-copy
NUMA
HUMA
HSA
Mobile computing
Surface computing
Wearable computing
Heterogeneous computing
Parallel computing
Concurrent computing
Distributed computing
Cloud computing
Amorphous computing
Ubiquitous computing
Fabric computing
Cognitive computing
Unconventional computing
Hypercomputation
Quantum computing
Adiabatic quantum computing
Linear optical quantum computing
Reversible computing
Reverse computation
Reconfigurable computing
Optical computing
Ternary computer
Analogous computing
Mechanical computing
Hybrid computing
Digital computing
DNA computing
Peptide computing
Chemical computing
Organic computing
Wetware computing
Neuromorphic computing
Symmetric multiprocessing
Symmetric multiprocessing (SMP)
Asymmetric multiprocessing
Asymmetric multiprocessing (AMP)
Cache hierarchy
Memory hierarchy
ISA types
ASIP
CISC
RISC
EDGE (TRIPS)
VLIW (EPIC)
MISC
OISC
NISC
ZISC
Comparison
ISAs
x86
z/Architecture
ARM
MIPS
Power Architecture
Power Architecture (PowerPC)
SPARC
Mill
Itanium
Itanium (IA-64)
Alpha
Prism
SuperH
V850
Clipper
VAX
Unicore
PA-RISC
MicroBlaze
RISC-V
Word size
1-bit
2-bit
4-bit
8-bit
9-bit
10-bit
12-bit
15-bit
16-bit
18-bit
22-bit
24-bit
25-bit
26-bit
27-bit
31-bit
32-bit
33-bit
34-bit
36-bit
39-bit
40-bit
48-bit
50-bit
60-bit
64-bit
128-bit
256-bit
512-bit
Variable
Execution
Instruction pipelining
Bubble
Operand forwarding
Out-of-order execution
Register renaming
Speculative execution
Branch predictor
Memory dependence prediction
Hazards
Parallel level
Bit
Bit-serial
Word
Instruction
Pipelining
Scalar
Superscalar
Task
Thread
Process
Data
Vector
Memory
Multithreading
Temporal
Simultaneous (SMT) (Hyper-threading)
Speculative (SpMT)
Preemptive
Cooperative
Clustered Multi-Thread (CMT)
Hardware scout
Flynn's taxonomy
SISD
SIMD
SIMD (SWAR)
SIMT
MISD
MIMD
SPMD
Addressing mode
CPU performance
Instructions per second (IPS)
Instructions per clock (IPC)
Cycles per instruction (CPI)
Floating-point operations per second (FLOPS)
Transactions per second (TPS)
Synaptic Updates Per Second (SUPS)
Performance per watt
Orders of magnitude (computing)
Cache performance measurement and metric
Core count
Single-core processor
Multi-core processor
Manycore processor
Types
Central processing unit
Central processing unit (CPU)
GPGPU
AI accelerator
Vision processing unit (VPU)
Vector processor
Barrel processor
Stream processor
Digital signal processor
Digital signal processor (DSP)
I/O processor/DMA controller
Network processor
Baseband processor
Physics processing unit
Physics processing unit (PPU)
Coprocessor
Secure cryptoprocessor
ASIC
FPGA
FPOA
CPLD
Microcontroller
Microprocessor
Mobile processor
Notebook processor
Ultra-low-voltage processor
Multi-core processor
Manycore processor
Tile processor
Multi-chip module
Multi-chip module (MCM)
Chip stack multi-chip modules
System on a chip
System on a chip (SoC)
Multiprocessor system-on-chip (MPSoC)
Programmable
System-on-Chip
System-on-Chip (PSoC)
Network on a chip (NoC)
Components
Execution unit (EU)
Arithmetic logic unit
Arithmetic logic unit (ALU)
Address generation unit
Address generation unit (AGU)
Floating-point unit
Floating-point unit (FPU)
Load-store unit (LSU)
Branch predictor
Unified Reservation Station
Barrel shifter
Uncore
Sum addressed decoder (SAD)
Front-side bus
Back-side bus
Northbridge (computing)
Southbridge (computing)
Adder (electronics)
Binary multiplier
Binary decoder
Address decoder
Multiplexer
Demultiplexer
Registers
Cache
Memory management unit
Memory management unit (MMU)
Input–output memory management unit
Input–output memory management unit (IOMMU)
Integrated
Memory Controller (IMC)
Power Management Unit (PMU)
Translation lookaside buffer
Translation lookaside buffer (TLB)
Stack engine
Register file
Processor register
Hardware register
Memory buffer register (MBR)
Program counter
Microcode
Microcode ROM
Datapath
Control unit
Instruction unit
Re-order buffer
Data buffer
Write buffer
Coprocessor
Electronic switch
Electronic circuit
Integrated circuit
Three-dimensional integrated circuit
Boolean circuit
Digital circuit
Analog circuit
Mixed-signal integrated circuit
Power management integrated circuit
Quantum circuit
Logic gate
Combinational logic
Sequential logic
Emitter-coupled logic
Emitter-coupled logic (ECL)
Transistor–transistor logic
Transistor–transistor logic (TTL)
Glue logic
Quantum gate
Gate array
Counter (digital)
Bus (computing)
Semiconductor device
Clock rate
CPU multiplier
Vision chip
Memristor
Power
management
APM
ACPI
Dynamic frequency scaling
Dynamic voltage scaling
Clock gating
Hardware
security
Non-executable memory (NX bit)
Memory Protection Extensions (
Intel
Intel MPX)
Intel
Intel Secure Key
Hardware restriction (firmware)
Software Guard Extensions (
Intel
Intel SGX)
Trusted Execution Technology
Trusted Platform Module
Trusted Platform Module (TPM)
Secure cryptoprocessor
Hardware security module
Hengzhi chip
Related
History of general-purpose CPUs
v
t
e
Instruction set
Instruction set extensions
SIMD
SIMD (RISC)
Alpha
MVI
ARM
NEON
MIPS
MDMX
MIPS-3D
MXU
MIPS SIMD
PA-RISC
MAX
Power ISA
AltiVec
SPARC
VIS
SIMD
SIMD (x86)
MMX (1996)
3DNow! (1998)
SSE (1999)
SSE2 (2001)
SSE3 (2004)
S
SSE3 (2006)
SSE4 (2006)
SSE5 (2007)
AVX (2008)
F16C (2009)
XOP (2009)
FMA (FMA4: 2011, FMA3: 2012)
AVX2 (2013)
AVX-512 (2015)
Bit manipulation
BMI (ABM: 2007, BMI1: 2012, BMI2: 2013, TBM: 2012)
ADX (2014)
Compressed instructions
Thumb
MIPS16e ASE
Security and cryptography
AES-NI (2008); 32- and 6
4-bit
4-bit ARMv8 also has AES instructions
CLMUL (2010)
RdRand (2012)
SHA (2013)
MPX (2015)
SGX (2015)
Transactional memory
TSX (2013)
ASF
Virtualization
VT-x
VT-x (2005)
AMD-V
AMD-V (2006)
Suspended extensions' dates have be