SGX Secure Enclaves in Practice: Security and Crypto Review

Black Hat USA 2016

Presented by: Jean-Philippe Aumasson (veorq), Luis Merino
Date: Thursday August 04, 2016
Time: 12:10 - 13:00
Location: South Seas GH

Software Guard Extensions (SGX) is a technology available in Intel(R) CPUs released in autumn 2015. SGX allows a remote server to process a client's secret data within a software enclave that hides the secrets from the operating system, hypervisor, and even BIOS or chipset manager, while giving cryptographic evidence to the client that the code has been executed correctly: the very definition of secure remote computation.

This talk is the first public assessment of SGX based on real SGX-enabled hardware and on Intel's software development environment. While researchers already scrutinized Intel's partial public documentation, many properties can only be verified and documented by working with the real thing: What's really in the development environment? Which components are implemented in microcode and which are in software? How can developers create secure enclaves that won't leak secrets? Can the development environment be trusted? How to debug and analyze SGX software? What crypto schemes are used in SGX critical components? How reliable are they? How safe are their implementations? Based on these newly documented aspects, we'll assess the attack surface and real risk for SGX users. We'll then present and demo proofs-of-concept of cryptographic functionalities leveraging SGX: secure remote storage and delegation (what fully homomorphic encryption promises, but is too slow to put in practice), and reencryption. We'll see how basic architectures can deliver powerful crypto functionalities with a wide range of applications. We'll release code as well as a tool to extract and verify an enclave's metadata.

Jean-Philippe Aumasson

Jean-Philippe (JP) Aumasson is Principal Cryptographer at Kudelski Security, in Switzerland. He designed the popular cryptographic functions BLAKE2 and SipHash, and the new authenticated cipher NORX. He has spoken at Black Hat, DEFCON, RSA, CCC, SyScan, Troopers. He initiated the Crypto Coding Standard and the Password Hashing Competition projects, and co-wrote the 2015 book "The Hash Function BLAKE". JP tweets as @veorq.

Luis Merino

Luis Merino is Senior Security Engineer at Kudelski Security, Switzerland, working on research projects. In the past, he has been involved in engineering and research projects at Riscure, the Andalusian Astrophysics Institute, and the University of Granada, amongst others. He graduated in computer engineering at University of Granada and is Offensive Security certified.

