Journal articles on the topic 'Intel Software Guard eXtensions (SGX)'

Consult the top 19 journal articles for your research on the topic 'Intel Software Guard eXtensions (SGX).'

1. Fei, Shufan, Zheng Yan, Wenxiu Ding, and Haomeng Xie. "Security Vulnerabilities of SGX and Countermeasures." ACM Computing Surveys 54, no. 6 (July 2021): 1–36. http://dx.doi.org/10.1145/3456631.

Abstract:
Trusted Execution Environments (TEEs) have been widely used in many security-critical applications. The popularity of TEEs derives from their high security and trustworthiness supported by secure hardware. Intel Software Guard Extensions (SGX) is one of the most representative TEEs that creates an isolated environment on an untrusted operating system, thus providing run-time protection for the execution of security-critical code and data. However, Intel SGX is far from the acme of perfection. It has become a target of various attacks due to its security vulnerabilities. Researchers and practitioners have paid attention to the security vulnerabilities of SGX and investigated optimization solutions in real applications. Unfortunately, existing literature lacks a thorough review of security vulnerabilities of SGX and their countermeasures. In this article, we fill this gap. Specifically, we propose two sets of criteria for estimating security risks of existing attacks and evaluating defense effects brought by attack countermeasures. Furthermore, we propose a taxonomy of SGX security vulnerabilities and shed light on corresponding attack vectors. After that, we review published attacks and existing countermeasures, as well as evaluate them by employing our proposed criteria. At last, on the strength of our survey, we propose some open challenges and future directions in the research of SGX security.

2. Alder, Fritz, Jo Van Bulck, Jesse Spielman, David Oswald, and Frank Piessens. "Faulty Point Unit: ABI Poisoning Attacks on Trusted Execution Environments." Digital Threats: Research and Practice 3, no. 2 (June 30, 2022): 1–26. http://dx.doi.org/10.1145/3491264.

Abstract:
This article analyzes a previously overlooked attack surface that allows unprivileged adversaries to impact floating-point computations in enclaves through the Application Binary Interface (ABI). In a comprehensive study across 7 industry-standard and research enclave shielding runtimes for Intel Software Guard Extensions (SGX), we show that control and state registers of the x87 Floating-Point Unit (FPU) and Intel Streaming SIMD Extensions are not always properly sanitized on enclave entry. We furthermore show that this attack goes beyond the x86 architecture and can also affect RISC-V enclaves. Focusing on SGX, we abuse the adversary’s control over precision and rounding modes as an ABI fault injection primitive to corrupt enclaved floating-point operations. Our analysis reveals that this is especially relevant for applications that use the older x87 FPU, which is still under certain conditions used by modern compilers. We exemplify the potential impact of ABI quality-degradation attacks for enclaved machine learning and for the SPEC benchmarks. We then explore the impact on confidentiality, showing that control over exception masks can be abused as a controlled channel to recover enclaved multiplication operands. Our findings, affecting 5 of 7 studied SGX runtimes and one RISC-V runtime, demonstrate the challenges of implementing high-assurance trusted execution across computing architectures.

3. Yoon, HanJae, and ManHee Lee. "SGXDump: A Repeatable Code-Reuse Attack for Extracting SGX Enclave Memory." Applied Sciences 12, no. 15 (July 29, 2022): 7655. http://dx.doi.org/10.3390/app12157655.

Abstract:
Intel SGX (Software Guard Extensions) is a hardware-based security solution that provides a trusted computing environment. SGX creates an isolated memory area called an enclave and prevents any illegal access from outside of the enclave. SGX only allows executables that were statically linked into the enclave at compile time to access its memory, so code injection attacks on SGX are not effective. However, as a previous study has demonstrated, Return-Oriented Programming (ROP) attacks can overcome this defense mechanism by injecting a series of addresses of executable code inside the enclave. In this study, we propose a novel ROP attack, called SGXDump, which can repeat the attack payload. SGXDump consists only of gadgets in the enclave and, unlike previous ROP attacks, the SGXDump attack can repeat the attack payload, communicate with other channels, and implement conditional statements. We successfully attacked two well-known SGX projects, mbedTLS-SGX and Graphene-SGX. Based on our attack experiences, it seems highly probable that an SGXDump attack can leak the entire enclave memory if there is an exploitable memory corruption vulnerability in the target SGX application.

4. Woo, Sangyeon, Jeho Song, and Sungyong Park. "A Distributed Oracle Using Intel SGX for Blockchain-Based IoT Applications." Sensors 20, no. 9 (May 10, 2020): 2725. http://dx.doi.org/10.3390/s20092725.

Abstract:
A blockchain oracle problem is a problem that defines a mechanism for how to safely bring external data to the blockchain. Although there have been various research efforts to solve this problem, existing solutions are limited in that they do not support either data availability or data integrity. Furthermore, no solution has been proposed to minimize the response time when an oracle server is malicious or overloaded. This paper proposes a distributed oracle using Intel Software Guard Extensions (SGX). The proposed approach uses multiple oracle servers to support data availability. It also supports data integrity using Intel SGX and Transport Layer Security (TLS) communication. The reputation system, which favors oracle servers with short response times, minimizes the average response time even if some of the oracle servers are malicious. The benchmarking results show that the response time of the proposed approach with 3 oracle servers is only 14% slower than a centralized oracle called Town-crier and scales well even if the number of oracle servers is increased up to 9. The reputation system is also evaluated, and its feasibility is analyzed using various experiments.

5. Selo, Omar Abou, Maan Haj Rachid, Abdullatif Shikfa, Yongge Wang, and Qutaibah Malluhi. "Private Function Evaluation Using Intel’s SGX." Security and Communication Networks 2020 (September 15, 2020): 1–10. http://dx.doi.org/10.1155/2020/3042642.

Abstract:
Private Function Evaluation (PFE) is the problem of evaluating one party’s private data using a private function owned by another party. Existing solutions for PFE are based on universal circuits evaluated in secure multiparty computations or on hiding the circuit’s topology and the gate’s functionality through additive homomorphic encryption. These solutions, however, are not efficient enough for practical use; hence there is a need for more efficient techniques. This work looks at utilizing the Intel Software Guard Extensions platform (SGX) to provide a more practical solution for PFE where the privacy of the data and the function are both preserved. Notably, our solution carefully avoids the pitfalls of side-channel attacks on SGX. We present solutions for two different scenarios: the first is when the function’s owner has an SGX-enabled device and the other is when a third party (or one of the data owners) has the SGX capability. Our results show a clear expected advantage in terms of running time for the first case over the second. Investigating the slowdown in the second case leads to the garbling time which constitutes more than 60% of the consumed time. Both solutions clearly outperform FairplayPF in our tests.

6. Zhang, Denghui, and Zhaoquan Gu. "A High-Quality Authenticatable Visual Secret Sharing Scheme Using SGX." Wireless Communications and Mobile Computing 2021 (March 17, 2021): 1–12. http://dx.doi.org/10.1155/2021/6660709.

Abstract:
A visual cryptography scheme (VCS) is a secret-sharing scheme which encrypts images as shares and can decrypt shares without digital devices. Although a participant can reveal the secret image by merely stacking a sufficient number of shares, the visual quality of recovered images is reduced, and malicious adversaries can cheat participants by giving faked shares. The paper presents a novel VCS called T-VCS (trusted VCS) which consists of two main components: a high-quality VCS and an enhanced verification scheme of shares based on the emerging Intel Software Guard eXtensions (SGX). While providing high-quality recovery, T-VCS keeps the size of the shares the same as the original secret image. We use SGX to act as a trusted third party (TTP) to verify the validity of the shares in an attested enclave without degrading the image quality. The experimental results show that T-VCS can achieve a balance among contrast, share size, and verification efficiency.

7. Yuan, Munan, Xiaofeng Li, Xiru Li, Haibo Tan, and Jinlin Xu. "Trust Hardware Based Secured Privacy Preserving Computation System for Three-Dimensional Data." Electronics 10, no. 13 (June 25, 2021): 1546. http://dx.doi.org/10.3390/electronics10131546.

Abstract:
Three-dimensional (3D) data are easily collected in an unconscious way and can lead to the exposure of biological characteristics. Privacy and ownership have become important disputed issues for the 3D data application field. In this paper, we design a privacy-preserving computation system (SPPCS) for sensitive data protection, based on distributed storage, trusted execution environment (TEE) and blockchain technology. The SPPCS separates storage and analysis calculation from consensus to build a hierarchical computation architecture. Based on a similarity computation of graph structures, the SPPCS finds data requirement matching lists to avoid invalid transactions. With TEE technology, the SPPCS implements a dual hybrid isolation model to restrict access to raw data and obscure the connections among transaction parties. To validate confidential performance, we implement a prototype of SPPCS with Ethereum and Intel Software Guard Extensions (SGX). The evaluation results derived from test datasets show that (1) the enhanced security and increased time consumption (490 ms in this paper) of multiple SGX nodes need to be balanced; (2) for a single SGX node to enhance data security and preserve privacy, an increased time consumption of about 260 ms is acceptable; (3) the transaction relationship cannot be inferred from records on-chain. The proposed SPPCS implements data privacy and security protection with high performance.

8. Yoon, Hyundo, Soojung Moon, Youngki Kim, Changhee Hahn, Wonjun Lee, and Junbeom Hur. "SPEKS: Forward Private SGX-Based Public Key Encryption with Keyword Search." Applied Sciences 10, no. 21 (November 5, 2020): 7842. http://dx.doi.org/10.3390/app10217842.

Abstract:
Public key encryption with keyword search (PEKS) enables users to search over encrypted data outsourced to an untrusted server. Unfortunately, updates to the outsourced data may incur information leakage by exploiting the previously submitted queries. Prior works addressed this issue by means of forward privacy, but most of them suffer from significant performance degradation. In this paper, we present a novel forward private PEKS scheme leveraging Software Guard Extension (SGX), a trusted execution environment provided by Intel. The proposed scheme presents substantial performance improvements over prior work. Specifically, we reduce the query processing cost from O(n) to O(1), where n is the number of encrypted data. According to our performance analysis, the overall computation time is reduced by 80% on average. Lastly, we provide a formal security definition of SGX-based forward private PEKS, as well as a rigorous security proof of the proposed scheme.

9. Wu, Tsu-Yang, Liyang Wang, Xinglan Guo, Yeh-Cheng Chen, and Shu-Chuan Chu. "SAKAP: SGX-Based Authentication Key Agreement Protocol in IoT-Enabled Cloud Computing." Sustainability 14, no. 17 (September 5, 2022): 11054. http://dx.doi.org/10.3390/su141711054.

Abstract:
With the rapid development of the Internet, Internet of Things (IoT) technology is widely used in people’s daily lives. As the number of IoT devices increases, the amount of data to be processed also increases. The emergence of cloud computing can process the data of IoT devices in a timely manner, and it provides robust storage and computing capabilities to facilitate data resource sharing. Since wireless communication networks are unstable and open, it is easy for attackers to eavesdrop, intercept, and tamper with the messages sent. In addition, authentication protocols designed for IoT-enabled cloud computing environments still face many security challenges. Therefore, to address these security issues, we propose an Intel Software Guard Extensions (SGX)-based authentication key agreement protocol in an IoT-enabled cloud computing environment. The goal is to ensure data privacy and sustainable communication between the entities. Moreover, SGX can resist several well-known attacks. Finally, we show the security using the real-or-random model, ProVerif, and informal analysis. We also compare the security and performance of the proposed protocol with existing protocols. The comparison results show that our proposed protocol reduces the communication cost by 7.07% compared to the best one among the current protocols and ensures sufficient security.

10. Wu, Tsu-Yang, Xinglan Guo, Yeh-Cheng Chen, Saru Kumari, and Chien-Ming Chen. "SGXAP: SGX-Based Authentication Protocol in IoV-Enabled Fog Computing." Symmetry 14, no. 7 (July 6, 2022): 1393. http://dx.doi.org/10.3390/sym14071393.

Abstract:
With the maturity and popularization of the Internet of Things, we saw the emergence of the Internet of Vehicles. This collects and processes real-time traffic information, alleviates traffic congestion, and realizes intelligent transportation. However, sensitive information, such as real-time driving data of vehicles, is transmitted on public channels, where it is easy for attackers to steal and manipulate. In addition, vehicle communications are vulnerable to malicious attacks. Therefore, it is essential to design secure and efficient protocols. Many studies have adopted asymmetric cryptosystems and fog computing in this environment, but most of them do not reflect the advantages of fog nodes, which share the computational burden of cloud servers. Therefore, it is challenging to design a protocol that effectively uses fog nodes. In this paper, we design an authentication protocol based on a symmetric encryption algorithm and fog computing in the Internet of Vehicles. In this protocol, we first propose a four-layer architecture that significantly reduces the computational burden of cloud servers. To resist several well-known attacks, we also apply Intel Software Guard Extensions to our protocol. This is because it can resist privileged insider attacks. We prove the security of the proposed protocol through the Real-Or-Random model and informal analysis. We also compare the performance of the proposed protocol with recent protocols. The results show better security and a lower computational cost.

11. Han, Jiujiang, Yuxiang Zhang, Jian Liu, Ziyuan Li, Ming Xian, Huimei Wang, Feilong Mao, and Yu Chen. "A Blockchain-Based and SGX-Enabled Access Control Framework for IoT." Electronics 11, no. 17 (August 29, 2022): 2710. http://dx.doi.org/10.3390/electronics11172710.

Abstract:
With the rapid development of physical networks, tens of billions of Internet of Things (IoT) devices have been deployed worldwide. Access control is essential in the IoT system, which manages user access to vital IoT data. However, access control for the IoT is mainly based on centralized trusted servers, which face problems such as a single point of failure and data leakage. To tackle these challenges, we propose an access control framework for the IoT by combining blockchain and Intel Software Guard Extensions (SGX) technology. A blockchain validates both IoT devices and edge servers added to the network. The access control contract is deployed on the blockchain, which can manage attribute-based access control policies in a fine-grained manner and make access control decisions flexibly. SGX technology is introduced into the edge computing server to realize the confidentiality of data processing. Finally, we implemented the prototype of the framework on Quorum and conducted extensive experiments and theoretical analyses on the performance of the blockchain. The results of the experimental tests and theoretical analyses show that our framework has more advantages in computing costs and on-chain storage costs.

12. Wang, Juan, Yang Yu, Yi Li, Chengyang Fan, and Shirong Hao. "Design and Implementation of Virtual Security Function Based on Multiple Enclaves." Future Internet 13, no. 1 (January 6, 2021): 12. http://dx.doi.org/10.3390/fi13010012.

Abstract:
Network function virtualization (NFV) provides flexible and scalable network functions for emerging platforms, such as cloud computing, edge computing, and IoT platforms, while it faces more security challenges, such as tampering with network policies and leaking sensitive processing states, due to running in a shared open environment and lacking the protection of proprietary hardware. Currently, Intel® Software Guard Extensions (SGX) provides a promising way to build a secure and trusted VNF (virtual network function) by isolating the VNF or sensitive data into an enclave. However, directly placing multiple VNFs in a single enclave will lose the scalability advantage of NFV. This paper combines SGX and Click technology to design a virtual security function architecture based on multiple enclaves. In our design, the sensitive modules of a VNF are put into different enclaves and communicate by local attestation. The system can freely combine these modules according to user requirements, and increase the scalability of the system while protecting its running state security. In addition, we design a new hot-swapping scheme to enable the system to dynamically modify the configuration function at runtime, so that the original VNFs do not need to stop when the function of VNFs is modified. We implement an IDS (intrusion detection system) based on our architecture to verify the feasibility of our system and evaluate its performance. The results show that the overhead introduced by the system architecture is within an acceptable range.

13. Spohn, Marco Aurélio, and Mateus Trebien. "Avaliação do Intel Software Guard Extensions via Emulação." Revista de Informática Teórica e Aplicada 25, no. 1 (February 18, 2018): 90. http://dx.doi.org/10.22456/2175-2745.77654.


14. Shih, Dong-Her, Ting-Wei Wu, Ming-Hung Shih, Wei-Cheng Tsai, and David C. Yen. "A Novel Auction Blockchain System with Price Recommendation and Trusted Execution Environment." Mathematics 9, no. 24 (December 13, 2021): 3214. http://dx.doi.org/10.3390/math9243214.

Abstract:
Online auctions are now widely used, with all the convenience and efficiency brought by internet technology. Despite the advantages over traditional auction methods, some challenges still remain in online auctions. According to the World Business Environment Survey (WBES) conducted by the World Bank, about 60% of companies have admitted to bribery and manipulation of the auction results. In addition, buyers are prone to the winner’s curse in an online auction environment. Since the increase in information availability can reduce uncertainty, easy access to relevant auction information is essential for buyers to avoid the winner’s curse. In this study, we propose an Online Auction Price Suggestion System (OAPSS) to protect the data from being interfered with by third-party programs based on Intel’s Software Guard Extensions (SGX) technology and the characteristics of the blockchain. Our proposed system provides a smart contract by using the α-Sutte indicator in the final transaction price prediction as a bidding price recommendation, which helps buyers to reduce the information uncertainty on the value of the product. The amount spent on the smart contract in this study, excluding deployed contracts, plus the rest of the fees is less than US$1. Experimental results of the simulation show that there is a significant difference (p < 0.05) between the recommended price group and the actual price group in the highest bid. Therefore, we may conclude that our proposed bidder’s price recommendation function in the smart contract may mitigate the loss of buyers caused by the winner’s curse.

15. Dall, Fergus, Gabrielle De Micheli, Thomas Eisenbarth, Daniel Genkin, Nadia Heninger, Ahmad Moghimi, and Yuval Yarom. "CacheQuote: Efficiently Recovering Long-term Secrets of SGX EPID via Cache Attacks." IACR Transactions on Cryptographic Hardware and Embedded Systems, May 8, 2018, 171–91. http://dx.doi.org/10.46586/tches.v2018.i2.171-191.

Abstract:
Intel Software Guard Extensions (SGX) allows users to perform secure computation on platforms that run untrusted software. To validate that the computation is correctly initialized and that it executes on trusted hardware, SGX supports attestation providers that can vouch for the user’s computation. Communication with these attestation providers is based on the Extended Privacy ID (EPID) protocol, which not only validates the computation but is also designed to maintain the user’s privacy. In particular, EPID is designed to ensure that the attestation provider is unable to identify the host on which the computation executes. In this work we investigate the security of the Intel implementation of the EPID protocol. We identify an implementation weakness that leaks information via a cache side channel. We show that a malicious attestation provider can use the leaked information to break the unlinkability guarantees of EPID. We analyze the leaked information using a lattice-based approach for solving the hidden number problem, which we adapt to the zero-knowledge proof in the EPID scheme, extending prior attacks on signature schemes.

16. Huo, Tianlin, Xiaoni Meng, Wenhao Wang, Chunliang Hao, Pei Zhao, Jian Zhai, and Mingshu Li. "Bluethunder: A 2-level Directional Predictor Based Side-Channel Attack against SGX." IACR Transactions on Cryptographic Hardware and Embedded Systems, November 19, 2019, 321–47. http://dx.doi.org/10.46586/tches.v2020.i1.321-347.

Abstract:
Software Guard Extensions (SGX) is a hardware-based trusted execution environment (TEE) implemented in recent Intel commodity processors. By isolating the memory of security-critical applications from untrusted software, this mechanism provides users with a strongly shielded environment called an enclave for executing programs safely. However, recent studies have demonstrated that SGX enclaves are vulnerable to side-channel attacks. In order to deal with these attacks, several protection techniques have been studied and utilized. In this paper, we explore a new pattern history table (PHT) based side-channel attack against SGX named Bluethunder, which can bypass existing protection techniques and reveal the secret information inside an enclave. Compared to existing PHT-based attacks (such as Branchscope [ERAG+18]), Bluethunder abuses the 2-level directional predictor in the branch prediction unit, on top of which we develop an exploitation methodology to disclose the input-dependent control flow in an enclave. Since the cost of training the 2-level predictor is pretty low, Bluethunder can achieve a high bandwidth during the attack. We evaluate our attacks on two case studies: extracting the format string information in the vfprintf function in the Intel SGX SDK and attacking the implementation of the RSA decryption algorithm in mbed TLS. Both attacks show that Bluethunder can recover fine-grained information inside an enclave with low training overhead, which outperforms the latest PHT-based side channel attack (Branchscope) by 52×. Specifically, in the second attack, Bluethunder can recover the RSA private key with 96.76% accuracy in a single run.

17. Galijatovic, Esma, Maria Eichlseder, Simon Franz Heindl, and Corina Klug. "Integrity of virtual testing for crash protection." Frontiers in Future Transportation 3 (November 30, 2022). http://dx.doi.org/10.3389/ffutr.2022.914489.

Abstract:
The interest in virtual testing is globally rapidly increasing because of several advantages compared to physical tests in laboratories. In the area of passive car safety, finite element simulations can be used to get further insights, use more biofidelic human models and make the overall assessment more robust by incorporating more variety in the virtual testing load cases. For a successful implementation of virtual testing in regulations or consumer information, the integrity of the procedure has to be ensured. As car simulation models used within the virtual testing are usually not shared with the evaluation institutions due to intellectual property (IP) issues, this is a challenging task. Stringent validation and certification procedures are needed, and it has to be ensured that the models used in these steps are the same as the ones used for the virtual testing. In this paper, we developed a secure procedure for model version control. Through analysis of possible threats for both sides, car manufacturer and evaluation institution, we defined requirements which the new procedure should satisfy. These requirements state that the integrity and authenticity of all shared documents should be protected, as well as the confidentiality of the simulation model. By considering all prerequisites, we developed an architecture for a new procedure. This architecture uses cryptographic algorithms such as hash functions and digital signatures to ensure integrity and authenticity, as well as secure computation mechanisms such as Intel Software Guard Extensions (SGX). In our proof-of-concept implementation, we demonstrated how a secure wrapper around LS-DYNA can produce a signed report to authenticate the input model files based on a hash tree and link them to the simulation results. The evaluation institution can use a matching verification tool to verify that the models were not manipulated compared to other simulation runs or the qualification process. The developed procedure can be used for trustworthy implementation of virtual testing into consumer information or regulation for the assessment of car safety with strengthened integrity. Further research is needed to develop comparable procedures for other simulation software packages or ideally integrate it directly into the simulation software.

18. Youssef, Qasmaoui, Maleh Yassine, and Abdelkrim Haqiq. "Secure Software Defined Networks Controller Storage using Intel Software Guard Extensions." International Journal of Advanced Computer Science and Applications 11, no. 10 (2020). http://dx.doi.org/10.14569/ijacsa.2020.0111060.


19. Küçük, Kubilay Ahmet, David Grawrock, and Andrew Martin. "Managing confidentiality leaks through private algorithms on Software Guard eXtensions (SGX) enclaves." EURASIP Journal on Information Security 2019, no. 1 (September 5, 2019). http://dx.doi.org/10.1186/s13635-019-0091-5.
