During CCS 2017, Taesoo Kim (Georgia Tech), Zhiqiang Lin (UT Dallas) and Chia-Che Tsai (Stony Brook University / UC Berkeley) together gave an overall tutorial on Intel SGX technology. The tutorial’s contents are well organized and presented by SGX experts in the acadamia. We believe that this tutorial serves as a perfect entry point to understand the background of SGX technology.
This tutorial consists of three parts, including:
- SGX 101: introduction, performance, and applications
- SGX shielding framework and development tools
- SGX Security Issues
Presentation slides and demo videos are available here.
In this tutorial, Zhiqiang Lin first introduced the basic concepts of Intel SGX, its development workflows, potential applications and performance characteristics. Then, Chia-Che Tsai introduced various ways to quickly start writing SGX applications, specifically by utilizing library OSes or thin shielding layers; he explaind the pros and cons of each approach in terms of security and usability. Last but not least, Taesoo Kim explained known security concerns, including cache/branch side-channel attacks and memory safety issues, and corresponding defenses with various working demos.
SGX 101: introduction, performance, and applications (Zhiqiang Lin)
SGX shielding framework and development tools (Chia-Che Tsai)
SGX Security Issues (Taesoo Kim)
Demo Videos from SSLab
- Branch Shadowing
This video shows how the branch shadowing attack can extract RSA private key bits
- Target code: Sliding window exponentiation of mbedTLS
- Attack code: We modified Linux SGX SDK to run our shadow code
- Kernel log: Our attack code prints the output of LBR via dmesg
- Dark ROP
This video shows how the Dark ROP attack detects memcpy() and copy the entire memory contents of an enclave to the outside.
- SGX page-table-based attack
This video presents the page-table-based attack, which is also known as the controlled-channel attack. By manipulating the page table and hooking the page fault handler, the attacker is able to observe precise page access patterns.
- SGX-Shield
This video demonstrates the effectiveness of fine-grained ASLR support of SGX-Shield.
- T-SGX
This video shows how T-SGX protect an SGX enclave from page-table-based attacks.
- SGX-Bomb
This video shows how the SGX-Bomb attack locks down a victim machine.
- SGX-Bleed
This video shows how the SGX-Bleed problem leaks uninitialized SGX memory via structure padding.