Article ID: 000059845 Content Type: Product Information & Documentation Last Reviewed: 07/12/2021

Is it Possible to Prevent any Application from Unsealing data if it loads the Intel® Software Guard Extensions (Intel® SGX) Enclave that Sealed the data?

Summary

Example method to prevent an enclave from returning unsealed data to the calling application

Description

Unable to determine how to prevent an attacker from accessing unsealed data if it loads the enclave that originally sealed the data.

Resolution

Implement a policy for checking a shared secret between the untrusted application and the enclave before the enclave returns the unsealed data.

Example policy:

  1. Create and seal a payload structure that includes a secret and the data.
  2. When unsealing the payload, the untrusted application provides the enclave the secret that was originally sealed with the data.
  3. The enclave compares the provided secret to the original secret that it sealed.
  4. If the secrets match, the enclave returns the data to the untrusted application.
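
The enclave-side check from steps 2 to 4, as an added example in plain C (not code from Intel or the Intel SGX SDK). The names `payload_t`, `release_if_authorized`, `SECRET_LEN` and `DATA_MAX` are hypothetical, and the SDK's sealing calls are left out so the block compiles without the SDK: it starts from the payload as the enclave holds it after unsealing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECRET_LEN 32   /* assumed secret size */
#define DATA_MAX   256  /* assumed maximum data size */

/* Step 1: secret and data live in one structure and are sealed together. */
typedef struct {
    uint8_t  secret[SECRET_LEN];
    uint32_t data_len;
    uint8_t  data[DATA_MAX];
} payload_t;

/* Constant-time compare: run time does not reveal where the bytes differ. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Steps 2-4: called inside the enclave once the sealed blob is unsealed into *p.
 * Data is copied to the untrusted caller only when the supplied secret matches. */
int release_if_authorized(const payload_t *p, const uint8_t *secret, size_t secret_len,
                          uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (!p || !secret || !out || !out_len) return -1;
    *out_len = 0;
    if (secret_len != SECRET_LEN || p->data_len > DATA_MAX) return -1;
    if (!ct_equal(p->secret, secret, SECRET_LEN)) return -2; /* nothing leaves */
    if (p->data_len > out_cap) return -3;
    memcpy(out, p->data, p->data_len);
    *out_len = p->data_len;
    return 0;
}

int main(void)
{
    payload_t p = { .data_len = 5 };            /* constructed sample payload */
    memset(p.secret, 0xA5, SECRET_LEN); memcpy(p.data, "hello", 5);
    uint8_t good[SECRET_LEN], bad[SECRET_LEN] = {0}, out[DATA_MAX]; size_t n;
    memset(good, 0xA5, SECRET_LEN);
    printf("wrong secret -> %d\n", release_if_authorized(&p, bad, SECRET_LEN, out, sizeof out, &n));
    printf("right secret -> %d\n", release_if_authorized(&p, good, SECRET_LEN, out, sizeof out, &n));
    return 0;
}
```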

Additional information

Refer to the Sealed Data section in the Intel SGX SDK Developer Reference Guide for Windows* for more information on preventing replay attacks.