The Wolf In SGX Clothing

Presented at TROOPERS18 (2018), March 15, 2018, 2:30 p.m. (Unknown duration)

SGX is a security technology designed to hide secrets from the very platform they are stored on. While this sounds sweet if one is worried about leaving secrets lying around unguarded in memory, it is a terrifying proposal for someone who hunts threats. As a blind spot by definition, SGX provides worrisome capabilities to potential intruders. But just how much of a blind spot is an SGX enclave, what can it hide and what not, and what can an attacker actually achieve by leveraging this technology? Malware hidden within secure enclaves became a topic of security research quicker than legitimate customers could implement their crypto containers, but what we are still missing today is a holistic, no wait, realistic threat model. The extent of malicious activities attackers can hide within home-grown enclaves, the risk posed by benign but vulnerable enclaves, and the horrifying outlook for DFIR specialists facing SGX-protected threats are the major focus of this presentation. The presented research sheds light on the capabilities and limitations of malicious enclaves, and shows what attackers can gain from compromising benign enclaves. A legitimate but vulnerable Linux pet enclave gone rogue will serve as a demonstration, and also as a base for discussion of SGX monitoring approaches.

This is ongoing research to help the community and also Intel engineers understand real and imaginative risks around the SGX technology.


  • Marion Marschalek
    Marion Marschalek is a former malware analyst and reverse engineer, who recently started work at Intel in order to conquer the field of low-level security research. She has spoken at all the conferences and such, and seen all the things, and if you want more details on her current activities you'll have to find your way around Intel's law department. Also, she runs a free reverse engineering workshop for women, because the world needs more crazy researchers \m/

