Monotonic Counter in Intel SGX and ME

Some notes on the Monotonic Counter in Intel SGX and ME
Posted on November 10, 2017 by daveti

SGX sealing is vulnerable to rollback attacks as the enclave is not able to tell if the sealed data is the latest or a old copy. To mitigate this attack, monotonic counter (MC) has been introduced in Intel SGX SDK 1.8. This post looks into some implementation details inside Intel SGX SDK.[…]

Some notes on the Monotonic Counter in Intel SGX and ME


Scotch: Combining SGX and SMM to Monitor Cloud Resource Usage

First Online: 12 October 2017
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10453)

The growing reliance on cloud-based services has led to increased focus on cloud security. Cloud providers must deal with concerns from customers about the overall security of their cloud infrastructures. In particular, an increasing number of cloud attacks target resource allocation in cloud environments. For example, vulnerabilities in a hypervisor scheduler can be exploited by attackers to effectively steal CPU time from other benign guests on the same hypervisor. In this paper, we present Scotch, a system for transparent and accurate resource consumption accounting in a hypervisor. By combining x86-based System Management Mode with Intel Software Guard Extensions, we can ensure the integrity of our accounting information, even when the hypervisor has been compromised by an escaped malicious guest. We show that we can account for resources at every task switch and I/O interrupt, giving us richly detailed resource consumption information for each guest running on the hypervisor. We show that using our system incurs small but manageable overhead—roughly 1 μ
s every task switch or I/O interrupt. We further discuss performance improvements that can be made for our proposed system by performing accounting at random intervals. Finally, we discuss the viability of this approach against multiple types of cloud-based resource attacks.



Signal use of Intel SGX

Signal by Open Whisper Systems is one of the modern ‘secure communication applications’ in use today. They recently blogged about how they use Intel SGX tech to help secure their tech:

[…]Huge thanks to Jeff Griffin for doing the heavy lifting and writing all the enclave code, Henry Corrigan-Gibbs for introducing us to SGX, Raluca Ada Popa for explaining ORAM state of the art to us, and Nolan Leake for systems insight.




Microsoft Azure introduces confidential computing

[…]With Azure confidential computing, we’re developing a platform that enable developers to take advantage of different TEEs without having to change their code. Initially we support two TEEs, Virtual Secure Mode and Intel SGX. Virtual Secure Mode (VSM) is a software-based TEE that’s implemented by Hyper-V in Windows 10 and Windows Server 2016. Hyper-V prevents administrator code running on the computer or server, as well as local administrators and cloud service administrators from viewing the contents of the VSM enclave or modifying its execution. We’re also offering hardware-based Intel SGX TEE with the first SGX-capable servers in the public cloud. Customers that want their trust model to not include Azure or Microsoft at all can leverage SGX TEEs. We’re working with Intel and other hardware and software partners to develop additional TEEs and will support them as they become available.[…]



Intel SGX elevation of privilege update

Intel SGX security update for Intel Servers/NUC/ComputeStick. Excerpt of announcement:

Intel ID: INTEL-SA-00076
Product family: Intel Server Systems, NUC, and Compute Stick
Impact of vulnerability: Elevation of Privilege
Severity rating: Critical
Original release: Jul 25, 2017

Intel has released updates that improve the security of Intel® Software Guard Extensions (SGX). The improvement applies to 6th and 7th Generation Intel® Core™ Processor Families, Intel® Xeon® E3-1500M v5 and v6 Processor Families, and Intel® Xeon® E3-1200 v5 and v6 Product Families. This update improves the security of Intel® Software Guard Extensions (SGX) and is strongly recommended. While this firmware update prevents exploitation of the issue on systems running SGX, Intel also provides an SGX Attestation service to allow service providers to know whether clients have the latest security updates. Intel plans to update the SGX Attestation Service response on November 14, 2017. On platforms that have not installed the update, SGX applications using the SGX Attestation Service will begin to receive “out of date” responses from the SGX Attestation Service. Applications using SGX may or may not take action based on this information. If SGX Attestation is used, it may be necessary for applications using SGX to re-provision the platform with an updated SGX platform attestation key after this update is installed. This updated attestation key allows the platform to demonstrate that it is up to date.

Full announcement:



Baidu releases SGX SDK for Rust

Rust SGX SDK, v0.2.0 Release

This Rust SGX SDK helps developers write Intel SGX enclaves in Rust programming language. We are proud to have our v0.2.0 Rust SGX SDK released. It is now providing more threading functions, thread local storages, exception handling routines and supports unwind mechanism, as well as support of LARGE ENCLAVE MEMORY with the help of Intel SGX v1.9 (31.75 GB enclave memory tested). Please refer to release notes for further details. And we are working on a white paper for technical details about this project.[…]