Intel® Software Guard Extensions (Intel® SGX) SDK

An SDK intended for developers who wish to harden their application’s security using Intel® SGX technology.

  • Hardware enforced security
  • Remote attestation support
  • Data sealing
What is Intel® SGX?
Intel® Software Guard Extensions (Intel® SGX) consists of a set of CPU instructions and platform enhancements that enable applications to create private areas within which code and associated data can be protected from compromise during execution. The protection offered by Intel SGX, when used appropriately by application developers, can prevent compromise due to attacks from privileged software and many hardware-based attacks.
What market need is Intel SGX ideally suited to address?
Intel SGX is aimed at improving application security. Traditionally, application security has been derived from, and dependent upon, platform security. Intel SGX allows applications to protect select code and data from direct compromise and manipulation by other software, including privileged platform software such as the operating system and/or hypervisors, device drivers, firmware and/or BIOS. Most critically, the application security provided by Intel SGX is dependent on implicitly trusting the integrity of the CPU package – and of course, the code within the regions of the application being protected. A protected region is referred to as an “enclave”.
What are the usage models for SGX?

Intel believes that there are three primary SGX usage models. Each of these usage models can be instantiated by a large variety of use cases.

Usage Model 1 (Client) – Protect IP/Data/Execution of an application running on an endpoint from disclosure or modification.

Usage Model 2 (End to End) – Deliver a server-based application to an endpoint (via a browser/streaming/remoting) while maintaining (potentially mutual) IP/Data/Execution protection standards determined by the point of service.

Usage Model 3 (Datacenter) – Prove to an application owner that the datacenter and/or services owner, operator, provider has no ability to observe or tamper with application IP/Data/Execution and has not permitted other applications to do so.

Application categories that could benefit from using Intel SGX include content protection, key management, and biometric authentication. Applications used by regulated industries to help maintain privacy, data use control and audited transactions can also benefit from using Intel SGX.

How can I learn more about Intel SGX?
The following is a list of public information about Intel SGX. It starts with the programmer’s reference, followed by three papers presented by Intel at an industry conference in 2014 and one in 2015, two papers from Microsoft Research on their approach to solving challenges using Intel SGX, and a paper from Google on the use of SGX for a two-way sandbox.
  1. Intel Software Guard Extensions (Intel SGX) Programmers Reference
  2. Innovative Instructions and Software Model for Isolated Execution
  3. Innovative Instructions for Trusted Solutions
  4. Innovative Technology for Attestation and Sealing
  5. SGX Tutorial for ISCA 2015
  6. Microsoft Research Paper on Secure Cloud Analytics
  7. Microsoft Research Paper on Haven Project
  8. Google Research Paper on a Two-Way Sandbox
How will it be possible to tell if a system is Intel SGX capable?
Intel® vPro™ technology, Intel® Core™ processor, Intel® Pentium® processor and Intel® Celeron® processor branded systems with initial ship dates in Q3 2015 will have Intel SGX silicon capabilities. In order to use Intel SGX, BIOS support is required, and OEMs can choose whether to provide it. If BIOS support is provided, it can be shipped turned on or turned off. If an OEM chooses not to provide Intel SGX BIOS support, Intel SGX capabilities are inert: they cannot be turned on without potentially violating the product warranty.
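An added example (not Intel's code and not part of the SDK) of checking the silicon side of this from user mode: CPUID leaf 7 reports whether the processor has Intel SGX, and leaf 0x12 reports the SGX1 instruction set and the enclave page cache (EPC) available to enclaves. The type and function names are assumptions made for illustration; the BIOS opt-in itself is held in a model-specific register that user-mode code cannot read, so the example classifies only what CPUID exposes.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Raw register values returned by one CPUID leaf/sub-leaf. */
typedef struct { uint32_t eax, ebx, ecx, edx; } cpuid_regs;

typedef enum {
    SGX_NO_SILICON = 0, /* CPU does not enumerate SGX at all              */
    SGX_NO_EPC     = 1, /* silicon present, but no SGX1 or no EPC exposed */
    SGX_USABLE     = 2  /* SGX1 leaf functions and a non-empty EPC        */
} sgx_state;

/* Size in bytes of the EPC section described by leaf 0x12, sub-leaf >= 2. */
uint64_t sgx_epc_size(cpuid_regs s)
{
    if ((s.eax & 0xF) != 1)              /* type 1 = valid EPC section */
        return 0;
    /* ECX[31:12] = size bits 31:12, EDX[19:0] = size bits 51:32 */
    return ((uint64_t)(s.edx & 0xFFFFF) << 32) | (s.ecx & 0xFFFFF000u);
}

sgx_state sgx_classify(cpuid_regs leaf7, cpuid_regs leaf12_0, cpuid_regs leaf12_2)
{
    if (!(leaf7.ebx & (1u << 2)))        /* CPUID.(EAX=7,ECX=0):EBX[2] = SGX */
        return SGX_NO_SILICON;
    if (!(leaf12_0.eax & 1u))            /* CPUID.(EAX=12H,ECX=0):EAX[0] = SGX1 */
        return SGX_NO_EPC;
    return sgx_epc_size(leaf12_2) ? SGX_USABLE : SGX_NO_EPC;
}

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    cpuid_regs l7 = {0}, l12 = {0}, epc = {0};
    /* Only query the SGX leaf when leaf 7 says the silicon has SGX. */
    if (__get_cpuid_count(7, 0, &l7.eax, &l7.ebx, &l7.ecx, &l7.edx) && (l7.ebx & 4u)) {
        __get_cpuid_count(0x12, 0, &l12.eax, &l12.ebx, &l12.ecx, &l12.edx);
        __get_cpuid_count(0x12, 2, &epc.eax, &epc.ebx, &epc.ecx, &epc.edx);
    }
    printf("state=%d epc=%llu bytes\n", sgx_classify(l7, l12, epc),
           (unsigned long long)sgx_epc_size(epc));
#endif
    return 0;
}
```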
How can Intel SGX be used to improve application security?
An application that wants to use Intel SGX to improve its security needs to be re-factored into trusted and untrusted components. The trusted parts of an application can then be run inside one or more Intel SGX enclaves. Code executing within an enclave is opaque to other software, regardless of privilege level. Data associated with code executing within an enclave is also opaque to other software (including the untrusted part of the application that set up the enclave(s)) during execution and while at rest, on disk and/or in memory. Improved application security is derived from provisioning application confidential information (such as keys, algorithms, datasets, etc.) into enclaves, thereby protecting them from compromise.
What is an enclave?
An enclave is an area of execution that is protected by processor-based controls. Enclaves exist within the same context as their host application and have access to the same host application resources. Enclaves have been designed to only execute user-mode code. Any need to execute code at higher privilege levels requires leaving the enclave. Attempts by non-enclave code to read or write enclave memory are blocked by processor-level controls. Two enclaves belonging to the same or different applications can communicate with each other, provided they have established mutual trust. Intel SGX provides capabilities to establish mutual trust.
How do enclaves get instantiated on a system?

Applications that want to use Intel SGX set up their own enclaves as part of their initial launch process. The untrusted portion of an application creates an enclave (by using a kernel level service that invokes Intel SGX instructions) and places it in a protected memory region, which is solely available to Intel SGX instructions and controls. Enclave creation is a measured process and results in a cryptographic digest. Any interference with enclave creation by malware will result in a different digest than expected by the application developer.

Applications seeking to use enclaves must create a set of defined entry points into their enclaves. Attempts to jump into an arbitrary point of execution of an enclave will fail due to processor-based controls. Enclave execution may be interrupted, but exits to untrusted code only occur after all processor state within an enclave has been securely stored and then registers have been cleared by the processor.

What is enclave attestation? When and why is it required?

Since enclaves are instantiated on platforms by untrusted code, before enclaves are provisioned with application confidential information, it is essential to be able to confirm that the desired enclave was correctly instantiated on a platform protected by Intel SGX.

This is done by a remote attestation process. Remote attestation consists of using Intel SGX instructions and platform software to generate a “quote” that combines the enclave digest with a digest of relevant enclave data and a platform-unique asymmetric key into a data structure that is sent to a remote server over an authenticated channel. If the remote server concludes that the enclave was instantiated as intended and is running on a genuine Intel SGX-capable processor, it will provision the enclave as required.

In addition to remote attestation, enclaves can also engage in local attestation. Local attestation is useful when applications have more than one enclave that need to work together to accomplish a desired task. Before enclaves on the same platform can work together they need to engage in mutual authentication. This mutual authentication consists of each enclave verifying the other’s digest and confirming that each is running on the same genuine Intel SGX-capable processor. Once complete, the two enclaves are free to exchange authenticated shared keys to protect the communication of sealing keys between the two enclaves, thereby allowing one enclave to access data sealed to another enclave.

Enclave attestation can only proceed once the system on which the enclave has been instantiated has been provisioned with an EPID key. EPID provisioning occurs either as part of enclave attestation or as part of an independent provisioning step.

What is enclave sealing? Why is sealing required?
When an enclave process ends (due to an application no longer running or due to a system low-power state or shutdown), enclave confidential information still needs to be protected from compromise. This is accomplished by encrypting the delivered confidential information with a sealing key. A sealing key is unique to the platform and the enclave in which it is created. Sealing prevents any entity other than the enclave from accessing enclave confidential information while at rest.
What does a developer need to do in order to create Intel SGX-enhanced applications?

Intel is currently making the Intel SGX SDK available to developers on a selective basis. Developers must contact Intel through their representative and follow the process to get the SDK. Thereafter, developers must be willing to:

  • Sign the Intel SGX SDK license and comply with all terms
  • Sign their own apps (ideally they are already doing so)
  • Proxy access to the attestation service

In addition, applications:

  • Should primarily use enclaves in a “headless” manner or within the “headless” portion of their code. “Headless” means that secure user input and/or a secure sensor is not a requirement.
  • Must not aim to put an entire application into an enclave
  • Must be developed in C/C++ using
    1. Windows* – Microsoft Visual Studio* 2012
  • Can only run on
    1. Windows 7 (64-bit apps only), Windows 8.1 (64/32-bit apps), Windows 10 (64/32-bit apps)