Video Series: Intel® Software Guard Extensions—Part 6: Debug Applications

Learn how to debug applications that use Intel® Software Guard Extensions (Intel® SGX).

Hi, I'm John Mechalas with Intel. In this video, we're going to discuss debugging Intel® Software Guard Extensions applications. 

Intel® SGX enclaves can be built in debug mode or in release mode. A debug mode enclave is inspectable. You can attach to it with the Intel SGX debugger, examine its state, and step through its code just as you would when debugging any other application.

When you are actively developing your Intel SGX application, you are probably building your enclave in debug mode. The CPU will allow any debug mode enclave to launch, but because you can attach to them with the Intel SGX debugger, they are not secure. Enclaves built in debug mode should never be deployed in a production application.

Unlike debug mode, an enclave that's built in release mode cannot be debugged under any circumstances. This restriction is enforced by the CPU.
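The debug/release distinction above is visible to a relying party as the DEBUG bit in the enclave's attributes. The following is an added example, not part of the original video or Intel's sample code: a policy check that rejects a debug enclave by reading `attributes.flags` from a report body. The function names and sample data are hypothetical; the constants follow the SGX SDK's public headers (`sgx_attributes.h`, `sgx_report.h`), and it assumes the service already holds a verified report body.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants as defined in the SGX SDK's sgx_attributes.h / sgx_report.h. */
#define SGX_FLAGS_DEBUG   0x2ULL  /* ATTRIBUTES.FLAGS bit 1: debug enclave */
#define REPORT_BODY_SIZE  384     /* sizeof(sgx_report_body_t) */
#define ATTR_FLAGS_OFFSET 48      /* offset of attributes.flags in the body */

enum verdict { PRODUCTION_OK = 0, DEBUG_ENCLAVE = 1, BAD_REPORT = -1 };

/* Read a little-endian 64-bit value without assuming alignment. */
static uint64_t load_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Hypothetical policy check: refuse any report whose enclave has DEBUG set.
 * Assumes the report's signature or MAC was verified before this call. */
enum verdict check_report_body(const uint8_t *body, size_t len) {
    if (body == NULL || len != REPORT_BODY_SIZE) return BAD_REPORT;
    uint64_t flags = load_le64(body + ATTR_FLAGS_OFFSET);
    return (flags & SGX_FLAGS_DEBUG) ? DEBUG_ENCLAVE : PRODUCTION_OK;
}

/* Constructed sample data: a zeroed report body with only flags filled in. */
void make_sample(uint8_t out[REPORT_BODY_SIZE], uint64_t flags) {
    memset(out, 0, REPORT_BODY_SIZE);
    for (int i = 0; i < 8; i++)
        out[ATTR_FLAGS_OFFSET + i] = (uint8_t)(flags >> (8 * i));
}

int main(void) {
    uint8_t body[REPORT_BODY_SIZE];
    make_sample(body, 0x5);  /* INITTED | MODE64BIT: release build */
    printf("release build: %d\n", check_report_body(body, sizeof body));
    make_sample(body, 0x7);  /* INITTED | DEBUG | MODE64BIT: debug build */
    printf("debug build:   %d\n", check_report_body(body, sizeof body));
    return 0;
}
```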

Debugging an Intel SGX enclave does require the use of special CPU instructions, and that means you must use the Intel SGX debugger that is included with the Intel SGX software development kit. Debuggers without Intel SGX will simply skip over your enclave code.

In the example program shown here, we've set a breakpoint in the enclave. When we launch the standard Visual Studio* debugger, you can see that the breakpoint is never triggered.

To properly debug this application, we need to change the debugger in the project configuration to the Intel SGX debugger. We also need to make sure that the Intel SGX debugger has the correct working path so that it can find the debugging symbols. Here, we change the working directory to the output directory. Now when we run the Intel SGX debugger, we can see that the breakpoint gets triggered. 

If you are developing a managed application, such as one written in C#, you can't run the Intel SGX debugger directly from within Visual Studio. Instead, you'll need to launch your application and then attach to it. 

Under the Debug menu, select Attach to Process. Hit Select. Choose Intel SGX as the code type. Now you can run your application, refresh the process list in the Attach to Process window, and select the application. As you can see, our enclave breakpoint is triggered.

Debugging is an important part of application development. Enclaves that are built in debug mode can be debugged, but you must use the Intel SGX debugger to do it. You can even debug mixed-mode Intel SGX applications in Windows*, though there are some additional steps required.

Be sure to watch the rest of this playlist to learn more about Intel SGX application development, and remember to like this video and subscribe.