Intel® SGX and Side-Channels

By Simon Paul Johnson, Published: 03/17/2017, Last Updated: 02/27/2018

Since launching Intel® Software Guard Extensions (Intel® SGX) on 6th Generation Intel® Core™ processors in 2015, there have been a number of academic articles looking at various usage models and the security of Intel SGX. Some of these papers focus on a class of attack known as a side-channel attack, where the attacker relies on the use of a shared resource to discover information about processing occurring in some other privileged domain that it does not have direct access to.

In general, these research papers do not demonstrate anything new or unexpected about the Intel SGX architecture. Preventing side channel attacks is a matter for the enclave developer. Intel makes this clear In the security objectives for Intel SGX, which we published as part of our workshop tutorial at the International Symposium on Computer Architecture in 2015, the slides for which can be found here [slides 109-121], and in the Intel® SGX SDK Developer's Manual.

This is not to say that Intel does not care about side-channel attacks.

Intel has a strong collaboration with security experts in both academia and the industry and values their ability to both identify the next generation of threats as well as solutions.  The authors of many of the papers highlighting potential attacks have presented their work at Intel allowing for a robust dialog on implications and solutions.  When these types of vulnerabilities have been found, Intel has worked with its own developers, Independent Software Vendors (ISVs) and open source partners to address the vulnerabilities. For instance, the type of side-channel attack  identified on the RSA implementation used in one of the academic papers was well-known for some time and is addressed by other software solutions like the OpenSSL* crypto library.

For information about the side-channel security issue, please refer to our support page.

Product and Performance Information

1

Intel's compilers may or may not optimize to the same degree for non-Intel microprocessors for optimizations that are not unique to Intel microprocessors. These optimizations include SSE2, SSE3, and SSSE3 instruction sets and other optimizations. Intel does not guarantee the availability, functionality, or effectiveness of any optimization on microprocessors not manufactured by Intel. Microprocessor-dependent optimizations in this product are intended for use with Intel microprocessors. Certain optimizations not specific to Intel microarchitecture are reserved for Intel microprocessors. Please refer to the applicable product User and Reference Guides for more information regarding the specific instruction sets covered by this notice.

Notice revision #20110804