Intel® SGX and Side-Channels

Since Intel launched Intel® Software Guard Extensions (Intel® SGX) on 6th Generation Intel® Core™ processors in 2015, a number of academic articles have examined various usage models and the security of Intel SGX. Some of these papers focus on a class of attack known as a side-channel attack, in which the attacker uses a shared resource to infer information about processing occurring in another privileged domain that the attacker cannot access directly.

In general, these research papers do not demonstrate anything new or unexpected about the Intel SGX architecture. Preventing side-channel attacks is a matter for the enclave developer. Intel makes this clear in the security objectives for Intel SGX, which we published as part of our workshop tutorial at the International Symposium on Computer Architecture in 2015 (the slides for which can be found here [slides 109-121]), and in the Intel® SGX SDK Developer's Manual.

This is not to say that Intel does not care about side-channel attacks.

Intel has a strong collaboration with security experts in both academia and industry and values their ability to identify both the next generation of threats and the solutions to them. The authors of many of the papers highlighting potential attacks have presented their work at Intel, allowing for a robust dialog on implications and solutions. When these types of vulnerabilities have been found, Intel has worked with its own developers, Independent Software Vendors (ISVs) and open source partners to address them. For instance, the type of side-channel attack identified on the RSA implementation used in one of the academic papers had been well known for some time and is already addressed by other software solutions such as the OpenSSL* crypto library.

For information about the side-channel security issue, please refer to our support page.