Why Intel’s SGX-based Attestation is Questionable at Best
Intel’s SGX implementation of protected enclaves is used by many different companies for its ability to provide a protected execution environment. These CPUs have been designed with cryptographic signatures which are used to prevent the OS from being tampered with. But the inviolability of Intel’s SGX enclaves has routinely been breached in the past, and recent developments point to another attack vector.
Independent researchers have recently revealed a bug that poses significant threats to Intel SGX enclave security. The researchers were able to orchestrate attacks against Intel SGX enclaves by targeting stale data. This leftover data can be exposed by an attacker who controls the OS and can read from the legacy xAPIC.
The attacks are detailed in the following report. The researchers implemented two attack techniques, Cache Line Freezing and Enclave Shaking, which they used to extract both the AES-NI and RSA keys that Intel SGX uses for sealing and remote attestation.
The ÆPIC Leak is not a transient execution attack like those behind earlier SGX vulnerabilities. For example, some earlier SGX hacks used side channels to deduce sensitive data. The ÆPIC Leak is more significant because it results from a fundamental flaw in the architecture of the SGX-capable chips themselves.
Affected Intel CPUs
According to the report’s authors, the bug affects recent Intel CPUs based on the Sunny Cove architecture. These include Intel’s 10th generation Ice Lake CPUs and its current 3rd generation Xeon server CPUs.
Intel officially responded to the hack announcement with the following:
Stale Data Read from legacy xAPIC against Intel SGX enclaves will be mitigated in hardware, starting in Intel® Xeon® 4th Gen Scalable processors, code named Sapphire Rapids, and future processors.
Intel recently announced that starting with their 12th generation CPUs, they’ll no longer be releasing SGX-enabled CPUs for the consumer market. There’s a growing opinion that Intel may be looking to transition away from offering CPUs with protected enclaves in the future, an outcome that businesses need to be prepared for.
The TEA Project Uses TPM Chips for its Protected Enclaves
Protected enclaves are an important aspect of how the TEA Project is able to run programs at cloud computing speeds while remaining decentralized. Encrypted data and encrypted app code can be decrypted within the protected enclaves of individual CML mining nodes. Not only does the miner not know what’s running inside their enclave, but the memory of the enclave space is wiped right after the app has finished executing on the data. Attacks like the ÆPIC Leak affecting Intel SGX CPUs aren’t possible because no cached data remains available to be read.
The TEA Project could’ve used a trusted execution environment (TEE) standard like Intel’s SGX, but using SGX to supply the enclave would’ve presented thorny issues for the TEA development team:
- The actual enclave provided by Intel SGX CPUs is inadequate, with only a small portion of RAM set aside to function as the enclave.
- SGX standards are always governed by Intel and are closed source. Intel’s goals with SGX will always align with its business objectives, such as deciding to discontinue SGX for its consumer-focused processors. Companies that rely on SGX to furnish protected enclaves for their infrastructure have to deal with the fallout of any decisions made by Intel.
For information on why the TEA Project is using hardware security modules instead of TEE environments like Intel SGX, you can read more here:
The TEA Project mining nodes use TPM chips that follow the TPM 2.0 international standard. Hardware forms one of the TEA Project’s primary roots of trust (blockchain and time are the other two). If you’d like to understand more about how hardware security modules fit into the TEA Project’s concept of trust, read more here:
And feel free to join us in our Telegram group if you have more questions: https://t.me/teaprojectorg