- The function arguments and any marshaled data of the pass-by-reference parameters are inside the trusted environment and not accessible to attackers;
- A read and/or write operation on the arguments, the return value and the marshaled reference, according to the parameter definitions specified by the enclave writer, will not compromise the ISV code/data confidentiality and integrity.
- The argument, return value and the marshaled data are allocated and managed by the trusted runtime, not overlapping any ISV code or data.
- The size of an argument, return value and the marshaled reference is as specified by the ISV (for example, the buffer size of the marshaled data referenced by a pointer parameter is either specified by a constant, another parameter or a field in the fixed-size portion of the actual data).
Enclave inputs (and for this matter enclave outputs) can be observed and modified by untrusted code. The enclave writer must never trust any information coming from the untrusted domain and must always check ECall input parameters as well as OCall return values. When accepting inputs from outside the enclave, assumptions about the size and type of the values being passed in should be checked by the enclave software to assure correct behavior. After identifying the source and/or destination (remote entity, users, etc.) you should decide whether applying integrity protection and/or encryption with anti-replay and liveness protection checks are necessary to safeguard the information that at some point is exposed to the untrusted domain.
When an ISV interface function is invoked: