Intel SGX solves many security issues. Nevertheless, there are some known security exploits that should be mentioned because knowing them, allows mitigating them. One should be aware that this is probably incomplete, even if it is to the best of our knowledge.
The following enclave properties could be used in attack vectors.
- An enclave has no way to control how many instances of that enclave are instantiated
- An enclave process can be interrupted at any point.
- An enclave is stateless. The encrypted state lives on the untrusted host and is therefore subject to interference, like deletion or providing an old state.
- Monotonic counter and trusted time provided by Platform Services (PSE) rely on Intel ME, which doesn't have a good reputation for security.
These properties should be generally considered, when designing enclave code, but they also lead to a few attack vectors that are discussed below.
Attack: Provide an outdated state to the enclave to re-execute an already executed operation. This could be used to trigger a double spending attack, but also to re-execute random operations, which might leak secrets if the randomness is not strong enough.
Cause: 3.)
Countermeasure: Blockchain registers the hash of the latest state, so a state update is only valid when it refers to the latest registered state.
Attack: An enclave ecall can be interrupted at any time by interrupts. Instead of returning after the interrupt, an attacker can then call the same ecall again.
Cause: 2.)
Countermeasure: Apply verify-first-write-last paradigm, not only for sealed storage, but also for global state variables.
Can be considered a special case of the Rollback attack, which is similar to the smart contracts reentrancy attack.
Cause: 2.) & 3.)
Countermeasure: Apply verify-first-write-last paradigm.
Attack: Intel could attack a service provider by always replying to RA requests positively, and put a simulated enclave as a MITM. Intel could target specific providers as it knows which SP is requesting a RA based on the SPID.
Countermeasure: None, but trusting Intel is part of the security model anyhow.
For further education, please see the black hat presentation by Swami at 34:50.
Foreshadow is a specific side-channel attack, which compromised both integrity, confidentiality, and therefore remote attestation. It has been fixed in Intel’s recent microcode.
Countermeasures: Update the SGX hardware, and verify that SGX is up-to-date for all enclaves. IAS contains that information and will issue a warning if the SGX microcode is outdated.