What is Intel SGX

Amirali Sanatinia
Jul 17, 2017 · 2 min read

Intel Software Guard Extensions (SGX), is a set of security architecture extensions first introduced in the Skylake microarchitecture that enables a Trusted Execution Environment (TEE). It provides an ‘inverse sandbox’, for sensitive programs, and guarantees the integrity and confidentiality of secure computations even from the most privileged malicious software (e.g. OS, Hypervisor).

Intel SGX allows the creation of secure enclaves that can keep and be trusted with a secret. In the context of SGX, enclaves are isolated execution units, with encrypted code and data. At first, enclaves have no secret, since they can be disassembled and viewed like any other normal program. After their launch, the enclaves need to be provisioned, to retrieve the secret data. The following is on overview of SGX. Figure 1 provides a diagram of the procedure and lifecycle of an SGX enclave as described above.

Image for post
Image for post

Step 1 (Launch): the untrusted application loads the enclave code and instantiates it. During this process the enclave’s measurement is created which is later used for verification.

Step 2 (Attestation): the enclave contacts the service provider for provisioning and retrieving the secrets. The enclave presents its measurement.

Step 3 (Provisioning): after verifying the attestation provided by the enclave in step 2, the service provider sends the secure data to the enclave through a secure channel.

Step 4 (Sealing/Unsealing): to allow an enclave to access the secret material in a secure and confidential way, the data can be sealed (encrypted) and stored on persistent storage.

A set of 18 new instructions, and 6 new data structures were introduced to support the operations of SGX. For example, instructions to build and destroy enclaves, enter to and exit from enclaves, and data structures to hold the enclave’s data and meta-data

SGX Applications

Since the trusted computing base (TCB) the TCB is small in the SGX, some applications include Digital Rights Management (DRM) and trusted code execution on untrusted platforms. Bundled with technologies such as Intel’s Protected Audio Video Path (PAVP) and High-bandwidth Digital Content Protection (HDCP), SGX can realized DRM functionalities.

For more info please have a look at our Virus Bulletin (VB) 2016 paper: “Trusted Code Execution on Untrusted Platform Using Intel SGX”

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store