Uncategorized

Signal use of Intel SGX

Signal by Open Whisper Systems is one of the modern ‘secure communication applications’ in use today. They recently blogged about how they use Intel SGX tech to help secure their tech:

[…]Huge thanks to Jeff Griffin for doing the heavy lifting and writing all the enclave code, Henry Corrigan-Gibbs for introducing us to SGX, Raluca Ada Popa for explaining ORAM state of the art to us, and Nolan Leake for systems insight.

https://signal.org/blog/private-contact-discovery/

https://github.com/whispersystems/contactdiscoveryservice

Standard
Uncategorized

Microsoft Azure introduces confidential computing

[…]With Azure confidential computing, we’re developing a platform that enable developers to take advantage of different TEEs without having to change their code. Initially we support two TEEs, Virtual Secure Mode and Intel SGX. Virtual Secure Mode (VSM) is a software-based TEE that’s implemented by Hyper-V in Windows 10 and Windows Server 2016. Hyper-V prevents administrator code running on the computer or server, as well as local administrators and cloud service administrators from viewing the contents of the VSM enclave or modifying its execution. We’re also offering hardware-based Intel SGX TEE with the first SGX-capable servers in the public cloud. Customers that want their trust model to not include Azure or Microsoft at all can leverage SGX TEEs. We’re working with Intel and other hardware and software partners to develop additional TEEs and will support them as they become available.[…]

https://azure.microsoft.com/en-us/blog/introducing-azure-confidential-computing/

Standard
Uncategorized

Intel SGX elevation of privilege update

Intel SGX security update for Intel Servers/NUC/ComputeStick. Excerpt of announcement:

Intel ID: INTEL-SA-00076
Product family: Intel Server Systems, NUC, and Compute Stick
Impact of vulnerability: Elevation of Privilege
Severity rating: Critical
Original release: Jul 25, 2017

Intel has released updates that improve the security of Intel® Software Guard Extensions (SGX). The improvement applies to 6th and 7th Generation Intel® Core™ Processor Families, Intel® Xeon® E3-1500M v5 and v6 Processor Families, and Intel® Xeon® E3-1200 v5 and v6 Product Families. This update improves the security of Intel® Software Guard Extensions (SGX) and is strongly recommended. While this firmware update prevents exploitation of the issue on systems running SGX, Intel also provides an SGX Attestation service to allow service providers to know whether clients have the latest security updates. Intel plans to update the SGX Attestation Service response on November 14, 2017. On platforms that have not installed the update, SGX applications using the SGX Attestation Service will begin to receive “out of date” responses from the SGX Attestation Service. Applications using SGX may or may not take action based on this information. If SGX Attestation is used, it may be necessary for applications using SGX to re-provision the platform with an updated SGX platform attestation key after this update is installed. This updated attestation key allows the platform to demonstrate that it is up to date.

Full announcement:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00076&languageid=en-fr

Standard
Uncategorized

Baidu releases SGX SDK for Rust

Rust SGX SDK, v0.2.0 Release

This Rust SGX SDK helps developers write Intel SGX enclaves in Rust programming language. We are proud to have our v0.2.0 Rust SGX SDK released. It is now providing more threading functions, thread local storages, exception handling routines and supports unwind mechanism, as well as support of LARGE ENCLAVE MEMORY with the help of Intel SGX v1.9 (31.75 GB enclave memory tested). Please refer to release notes for further details. And we are working on a white paper for technical details about this project.[…]

https://github.com/baidu/rust-sgx-sdk/releases/tag/v0.2.0

Standard
Uncategorized

APT monitoring & analysis …below Ring 0

Applying Provenance in APT Monitoring and Analysis Practical Challenges for Scalable, Efficient and Trustworthy Distributed Provenance
Jenkinson G, Carata L, Bytheway T, Sohan R, Watson RNM, Anderson J, Kidney B, Strnad A, Thomas A, Neville-Neil G

[…] Below Ring 0 – hardware primitives can potentially support provenance capture in a number of ways. Trusted Computing primitives such as Intel SGX (Software Guard Extensions) can be used provide stronger non-repudiation (even in the presence of a compromised OS). And new hardware primitives could directly support provenance capture, for example providing an append only log for use by the kernel to store provenance records prior to sending over a network.[…]

https://www.usenix.org/conference/tapp17/workshop-program/presentation/jenkinson
https://www.usenix.org/system/files/conference/tapp2017/tapp17_paper_jenkinson.pdf
https://www.researchgate.net/publication/317827922_Applying_Provenance_in_APT_Monitoring_and_Analysis_Practical_Challenges_for_Scalable_Efficient_and_Trustworthy_Distributed_Provenance

Standard
Uncategorized

Intel-SGX-SSL

The Intel Software Guard Extensions SSL (Intel SGX SSL) cryptographic library is intended to provide cryptographic services for Intel Software Guard Extensions (SGX) enclave applications. The Intel SGX SSL cryptographic library is based on the underlying OpenSSL Open Source project, providing a full-strength general purpose cryptography library. The API exposed by the Intel SGX SSL library is fully compliant with unmodified OpenSSL APIs.

https://github.com/01org/intel-sgx-ssl

 

Standard