Intel SGX

Version: 1.0

Authors: David Cervigni

Executive Summary

This section contains an executive summary of the identified threats and their mitigation status.

There are 4 unmitigated threats without proposed operational controls.

Threat ID                           CVSS          Always valid?
IntelSGX.MALICIOUS_OS_MANIPULATION  6.4 (Medium)  Yes
IntelSGX.HARDWARE_EXPLOIT           6.4 (Medium)  Yes
IntelSGX.ATTESTATION_SPOOFING       6.4 (Medium)  Yes
IntelSGX.ENCLAVE_SIDE_CHANNEL       4.2 (Medium)  Yes

Threats Summary

This section contains a summary of the threats and their mitigation status.

There are a total of 4 identified threats, of which 4 are not fully mitigated by default and 4 are unmitigated without proposed operational controls.

Threat ID                           CVSS          Valid when (condition)  Fully mitigated  Has operational countermeasures
IntelSGX.MALICIOUS_OS_MANIPULATION  6.4 (Medium)  Always valid            No               No
IntelSGX.HARDWARE_EXPLOIT           6.4 (Medium)  Always valid            No               No
IntelSGX.ATTESTATION_SPOOFING       6.4 (Medium)  Always valid            No               No
IntelSGX.ENCLAVE_SIDE_CHANNEL       4.2 (Medium)  Always valid            No               No

Intel SGX - scope of analysis

Overview

NOTE: this is an example of a threat model created by training an LLM.

This document outlines potential threats to Intel SGX (Software Guard Extensions), focusing on threats to enclave integrity, confidentiality, and availability. It includes countermeasures to mitigate these threats.

Intel SGX security objectives

The objectives are grouped under three headings: Data Security, System Integrity and Trust Assurance.

Details:

Enclave Confidentiality (ENCLAVE_CONFIDENTIALITY)

Ensure the confidentiality of data and code within SGX enclaves, protecting them from unauthorized access.

Priority: High

Attack tree:


Enclave Integrity (ENCLAVE_INTEGRITY)

Ensure the integrity of the data and execution within SGX enclaves, preventing unauthorized modifications.

Priority: High

Attack tree:


Platform Trust (PLATFORM_TRUST)

Maintain trust in the hardware root of trust and the integrity of SGX attestation mechanisms.

Priority: High

Attack tree:


Intel SGX Threat Actors

Actors, agents, users and attackers are used as synonyms.

Malicious or compromised operating system (MALICIOUS_OS)

Description:

A malicious or compromised operating system attempting to subvert the SGX enclaves.

In Scope as threat actor: Yes


Hardware and firmware attackers (HARDWARE_ATTACKERS)

Description:

Attackers targeting the hardware or firmware to bypass SGX protections.

In Scope as threat actor: Yes


Side-channel attackers (SIDE_CHANNEL_ACTORS)

Description:

Attackers exploiting side channels to infer sensitive information from SGX enclaves.

In Scope as threat actor: Yes

Assumptions

PRIVILEGED_ATTACKER

Attackers may hold elevated privileges (OS kernel, hypervisor or firmware control). SGX is designed to protect enclave memory even from such an attacker, so the threats below assume the attacker already has that control and look at what remains exposed: the enclave's own interface, the hardware, and side channels.

SIDE_CHANNEL_RISK

Side-channel attacks are a known class of threats that exploit physical or timing-based information (cache timing, page-fault patterns, branch behaviour, power consumption). Intel does not include side-channel resistance in the SGX security guarantees, so resistance is the enclave developer's responsibility.


Intel SGX Attack tree


Intel SGX Threats

Note: this section contains the threats and mitigations identified during the analysis phase.

Side-Channel Attacks (ENCLAVE_SIDE_CHANNEL)

Threat actors: SIDE_CHANNEL_ACTORS

Threat Description

Attackers sharing the platform with the enclave (including the OS, which controls page tables, interrupts and scheduling) measure cache timing, page-fault and memory-access patterns, branch behaviour, or power consumption during enclave execution and infer secrets such as cryptographic keys. SGX protects the contents of enclave memory, not the pattern in which it is used, so these channels are open unless the enclave code closes them.

Impact

Leakage of sensitive information through side-channel analysis, such as cache timing or power consumption.
Affected objective: ENCLAVE_CONFIDENTIALITY

CVSS
Base score: 4.2 (Medium)
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Counter-measures for ENCLAVE_SIDE_CHANNEL

CONSTANT_TIME_EXECUTION Constant-Time Execution

Write critical enclave operations, especially cryptographic routines, so that neither the execution time nor the sequence of memory addresses touched depends on secret data: no secret-dependent branches, loop bounds or array indices. Prefer the SGX SDK's trusted crypto library (sgx_tcrypto) to hand-rolled primitives. Caveat: constant-time code addresses timing and access-pattern channels only; it does nothing against power analysis, and since Intel does not include side-channel resistance in the SGX security guarantees, this countermeasure is the enclave developer's responsibility.

Countermeasure in place?   Public and disclosable?
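As an added illustration of CONSTANT_TIME_EXECUTION (example code written for this page, not taken from the threat model or from the SGX SDK): a variable-time comparison beside constant-time equivalents of the three patterns the countermeasure rules out, namely a secret-dependent early exit, a secret-dependent branch, and a secret-indexed memory access. It is plain C with no SGX calls, so it runs outside an enclave; the function names and the sample table are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Variable time: returns at the first mismatch, so the work done (and the
 * timing/cache footprint) depends on how many leading bytes of the secret
 * the attacker has guessed correctly. */
int leaky_memeq(const uint8_t *secret, const uint8_t *guess, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (secret[i] != guess[i])
            return 0;
    }
    return 1;
}

/* Constant time: touches every byte, ORs the differences together and
 * collapses the result to 0/1 arithmetically, without a data-dependent
 * branch.  Returns 1 when equal, 0 otherwise. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint32_t)(a[i] ^ b[i]);
    /* diff is 0..255; (diff - 1) >> 8 has its low bit set only when diff == 0 */
    return (int)(((diff - 1u) >> 8) & 1u);
}

/* Branchless select: x when cond is 1, y when cond is 0.  Replaces
 * `cond ? x : y`, whose jump a branch-prediction side channel could observe. */
uint32_t ct_select(uint32_t cond, uint32_t x, uint32_t y)
{
    uint32_t mask = 0u - (cond & 1u);       /* all ones or all zeros */
    return (x & mask) | (y & ~mask);
}

/* Secret-indexed lookup without a secret-dependent address: every entry is
 * read and the wanted one is kept with a mask, so the cache-line access
 * pattern is the same for every index.  (This does not help against power
 * analysis, which constant-time coding does not address.) */
uint32_t ct_table_lookup(const uint32_t *table, size_t len, size_t secret_idx)
{
    uint32_t out = 0;
    for (size_t i = 0; i < len; i++) {
        /* eq == 1 only when i == secret_idx, computed without a branch */
        uint64_t x = (uint64_t)(i ^ secret_idx);
        uint32_t eq = (uint32_t)((x - 1u) >> 63);
        out |= table[i] & (0u - eq);
    }
    return out;
}

/* Constructed sample table for the demonstration below (not real key material). */
const uint32_t kSampleTable[4] = { 10u, 20u, 30u, 40u };

int main(void)
{
    const uint8_t key[4]   = { 0xDE, 0xAD, 0xBE, 0xEF };
    const uint8_t guess[4] = { 0xDE, 0xAD, 0x00, 0x00 };
    printf("ct_memeq(key, guess)   = %d\n", ct_memeq(key, guess, 4));
    printf("ct_memeq(key, key)     = %d\n", ct_memeq(key, key, 4));
    printf("ct_select(1, 7, 9)     = %u\n", ct_select(1u, 7u, 9u));
    printf("ct_table_lookup(.., 2) = %u\n", ct_table_lookup(kSampleTable, 4, 2));
    return 0;
}
```

Compilers are free to turn the mask arithmetic back into a branch or to short-circuit the loop, so the generated assembly (not the source) is what has to be checked; that is one reason to prefer the SDK's vetted primitives for anything that handles key material.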

Privileged OS Attacks (MALICIOUS_OS_MANIPULATION)

Threat actors: MALICIOUS_OS

Threat Description

A malicious or compromised OS (or hypervisor) controls scheduling, interrupts, page tables and the untrusted host process that loads the enclave. It cannot read or write EPC pages directly, so it works through what it does control: crafted ECALL arguments and OCALL return values, host pointers that alias enclave memory, interrupts delivered at chosen instructions (to race the enclave between a check and a use of host-controlled data), and the debugger interface of any enclave built with the DEBUG attribute.

Impact

Exploitation of OS-level control to manipulate enclave memory or execution, potentially leading to enclave compromise.
Affected objective: ENCLAVE_INTEGRITY

CVSS
Base score: 6.4 (Medium)
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Counter-measures for MALICIOUS_OS_MANIPULATION

MEMORY_ENCRYPTION Encrypted Memory and Integrity Checks

SGX keeps enclave pages in the Enclave Page Cache, which the memory encryption engine encrypts and integrity-checks and which non-enclave code cannot access, so a privileged attacker who reads DRAM or remaps EPC pages gets ciphertext or a fault. Two caveats: this covers only memory inside the EPC, so everything the enclave reads from or writes to untrusted memory across the ECALL/OCALL boundary must be validated by the enclave itself (check that buffers lie entirely outside the enclave with sgx_is_outside_enclave, copy inputs into enclave memory before validating them, and never re-read a host-controlled value after checking it); and the exact memory-protection guarantees differ between SGX generations, so confirm what the target platform provides.

Countermeasure in place?   Public and disclosable?
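The boundary check that MEMORY_ENCRYPTION does not cover, as an added example written for this page (not code from the threat model or from the SGX SDK): an ECALL that uses a host-supplied pointer directly, beside a hardened version that range-checks the pointer and copies the input in before validating it. The "enclave range" and is_outside_enclave() are hypothetical stand-ins for the SDK's sgx_is_outside_enclave(), and the message layout and function names are assumptions for the example; a real enclave calls the SDK function.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSG 64

/* Message the untrusted host passes to the ECALL (layout is an assumption). */
typedef struct {
    uint32_t len;             /* host-controlled */
    uint8_t  data[MAX_MSG];   /* host-controlled */
} untrusted_msg_t;

/* Hypothetical enclave-internal state standing in for the EPC range.  In a
 * real enclave the SDK knows the enclave's address range; this example treats
 * the extent of g_enclave_state as "inside the enclave". */
static untrusted_msg_t g_enclave_state;

/* Stand-in for the SDK's sgx_is_outside_enclave(): true only when [p, p+n)
 * is non-empty, does not wrap, and does not overlap enclave memory. */
static int is_outside_enclave(const void *p, size_t n)
{
    uintptr_t s = (uintptr_t)p, e = s + n;
    uintptr_t es = (uintptr_t)&g_enclave_state, ee = es + sizeof g_enclave_state;
    if (n == 0 || e < s)
        return 0;
    return e <= es || s >= ee;
}

/* VULNERABLE: trusts the host pointer.  Two problems a malicious OS can use:
 *  - no range check, so msg may alias enclave memory and the enclave then
 *    copies its own state around under host direction;
 *  - len is fetched from untrusted memory three separate times (double
 *    fetch).  The OS owns that memory and can interrupt the enclave at will,
 *    so it can change len after the bound check and before the memcpy. */
int ecall_process_vulnerable(const untrusted_msg_t *msg, uint8_t *out)
{
    if (msg->len > MAX_MSG)                 /* fetch 1: the check */
        return -1;
    memcpy(out, msg->data, msg->len);       /* fetch 2: the use */
    return (int)msg->len;                   /* fetch 3 */
}

/* HARDENED: check the range, copy the whole input into enclave memory once,
 * then validate and use only the trusted copy. */
int ecall_process_hardened(const untrusted_msg_t *msg, uint8_t *out)
{
    untrusted_msg_t local;

    if (!is_outside_enclave(msg, sizeof *msg))
        return -1;                          /* aliases enclave memory */
    memcpy(&local, msg, sizeof local);      /* single fetch of every field */
    if (local.len > MAX_MSG)
        return -2;                          /* validated on the local copy */
    memcpy(out, local.data, local.len);
    return (int)local.len;
}

/* Constructed host-side message and output buffer for the demonstration. */
static untrusted_msg_t g_host_msg;
static uint8_t g_out[MAX_MSG];

untrusted_msg_t *host_prepare(uint32_t len, const char *payload)
{
    size_t n = strlen(payload);
    memset(&g_host_msg, 0, sizeof g_host_msg);
    g_host_msg.len = len;
    memcpy(g_host_msg.data, payload, n < MAX_MSG ? n : MAX_MSG);
    return &g_host_msg;
}

uint8_t *host_out(void) { return g_out; }

int main(void)
{
    printf("valid message        -> %d\n",
           ecall_process_hardened(host_prepare(5, "hello"), g_out));        /* 5 */
    printf("oversized len        -> %d\n",
           ecall_process_hardened(host_prepare(1000, "x"), g_out));         /* -2 */
    printf("pointer into enclave -> %d\n",
           ecall_process_hardened(&g_enclave_state, g_out));                /* -1 */
    printf("vulnerable, same ptr -> %d (accepted)\n",
           ecall_process_vulnerable(&g_enclave_state, g_out));              /* 0 */
    return 0;
}
```

The race in the vulnerable version cannot be shown deterministically in a single-threaded program, which is exactly why the rule is structural: one copy-in, then every check on the copy.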


Hardware Vulnerabilities (HARDWARE_EXPLOIT)

Threat actors: HARDWARE_ATTACKERS

Threat Description

Attackers exploit flaws in the processor or in the SGX implementation itself to read or corrupt enclave state. Published examples include transient-execution attacks (Foreshadow/L1TF, microarchitectural data sampling, load value injection) that leak enclave data through speculative or out-of-order execution, and fault injection through undervolting (Plundervolt) that corrupts computations inside the enclave.

Impact

Exploitation of vulnerabilities in the SGX hardware or firmware to bypass protections, leading to unauthorized access to enclave data.
Affected objectives: PLATFORM_TRUST, ENCLAVE_CONFIDENTIALITY

CVSS
Base score: 6.4 (Medium)
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Counter-measures for HARDWARE_EXPLOIT

MICROCODE_UPDATES Microcode Updates

Apply Intel's microcode updates, and the BIOS/firmware updates that carry them, as soon as they are released. Caveat: microcode alone does not close every issue. Some mitigations (load value injection, for example) also require rebuilding enclaves with a mitigated SGX SDK and compiler, and after a TCB recovery Intel's attestation collateral marks un-updated platforms as out of date, so relying parties should check the TCB status reported during attestation rather than assume a platform is patched.

Countermeasure in place?   Public and disclosable?


Fake Attestation Responses (ATTESTATION_SPOOFING)

Threat actors:

Threat Description

Attackers positioned between the enclave and the relying party, including the untrusted host that transports the quote, replay a quote captured earlier, substitute a quote from a different enclave (a debug build, an older version, or a different signer), or forge the verification verdict, so that a compromised enclave or a plain process passes as a genuine, up-to-date enclave.

Impact

Undermining the trust in SGX attestation by presenting fake attestation responses, potentially leading to trust in compromised enclaves.
Affected objective: PLATFORM_TRUST

CVSS
Base score: 6.4 (Medium)
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Counter-measures for ATTESTATION_SPOOFING

REMOTE_ATTESTATION_VALIDATION Validate Remote Attestation Responses

Verify the quote end to end on the relying party, never on the platform being attested: for EPID quotes, verify the signed report returned by the Intel Attestation Service; for ECDSA (DCAP) quotes, verify the signature chain up to Intel's SGX root CA using current collateral (PCK certificates, TCB info, QE identity). Then check the report body against policy: MRENCLAVE and/or MRSIGNER plus ISV_PROD_ID, a minimum ISV_SVN, the DEBUG attribute bit clear, an acceptable TCB status, and a fresh relying-party nonce bound into REPORT_DATA so that captured quotes cannot be replayed. A "verified" verdict relayed by the untrusted host is not evidence.

Countermeasure in place?   Public and disclosable?
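An added example of the relying-party policy behind REMOTE_ATTESTATION_VALIDATION; it also carries the TCB-status check that MICROCODE_UPDATES (HARDWARE_EXPLOIT) leaves to the verifier. It is written for this page and is not code from the threat model or from Intel's Quote Verification Library. The report layout, tcb_status_t, policy_t and the function names are simplified assumptions: in a deployment the status comes from the QVL (sgx_qv_verify_quote) or from the IAS report, and the report body comes from the quote whose signature was just verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of the cryptographic step: signature chain to Intel's root plus the
 * TCB level derived from Intel's collateral.  Modelled on the QVL's result
 * codes; the names are this example's own. */
typedef enum {
    TCB_OK,
    TCB_SW_HARDENING_NEEDED,  /* enclave must carry software mitigations (e.g. LVI) */
    TCB_CONFIG_NEEDED,        /* platform needs a BIOS/configuration change */
    TCB_OUT_OF_DATE,          /* microcode/firmware below the current TCB */
    TCB_REVOKED,
    TCB_INVALID_SIGNATURE
} tcb_status_t;

#define SGX_FLAGS_DEBUG 0x2ULL  /* bit 1 of ATTRIBUTES.FLAGS: debug enclave */

/* Simplified stand-in for the sgx_report_body_t fields that policy uses. */
typedef struct {
    uint64_t attributes_flags;
    uint8_t  mr_enclave[32];   /* hash of the enclave's code and initial data */
    uint8_t  mr_signer[32];    /* hash of the signing key */
    uint16_t isv_prod_id;
    uint16_t isv_svn;
    uint8_t  report_data[64];  /* enclave-chosen; must bind the verifier's nonce */
} report_body_t;

typedef struct {
    const uint8_t *expected_mr_enclave;  /* NULL: do not pin exact code identity */
    const uint8_t *expected_mr_signer;   /* NULL: do not pin the signer */
    uint16_t       expected_prod_id;
    uint16_t       min_isv_svn;
    int            allow_sw_hardening_needed;
} policy_t;

typedef enum {
    ACCEPT = 0, REJ_SIGNATURE, REJ_TCB, REJ_DEBUG, REJ_IDENTITY, REJ_SVN, REJ_NONCE
} verdict_t;

verdict_t evaluate_quote(tcb_status_t status, const report_body_t *r,
                         const policy_t *p, const uint8_t nonce[32])
{
    /* 1. cryptographic result and TCB level: an un-updated platform
     *    (HARDWARE_EXPLOIT) is rejected here */
    switch (status) {
    case TCB_OK:                  break;
    case TCB_SW_HARDENING_NEEDED: if (!p->allow_sw_hardening_needed) return REJ_TCB; break;
    case TCB_INVALID_SIGNATURE:   return REJ_SIGNATURE;
    default:                      return REJ_TCB;  /* out of date, config needed, revoked */
    }
    /* 2. a debug enclave's memory is readable through the host debugger */
    if (r->attributes_flags & SGX_FLAGS_DEBUG)
        return REJ_DEBUG;
    /* 3. identity: exact code (MRENCLAVE) and/or signer plus product */
    if (p->expected_mr_enclave && memcmp(r->mr_enclave, p->expected_mr_enclave, 32) != 0)
        return REJ_IDENTITY;
    if (p->expected_mr_signer && (memcmp(r->mr_signer, p->expected_mr_signer, 32) != 0 ||
                                  r->isv_prod_id != p->expected_prod_id))
        return REJ_IDENTITY;
    if (r->isv_svn < p->min_isv_svn)
        return REJ_SVN;           /* older, possibly vulnerable enclave build */
    /* 4. freshness: without the nonce in REPORT_DATA a captured valid quote
     *    can be replayed for a different session */
    if (memcmp(r->report_data, nonce, 32) != 0)
        return REJ_NONCE;
    return ACCEPT;
}

/* Builds a constructed sample report, policy and nonce, applies the requested
 * deviations and returns the verdict.  All values are illustrative only. */
verdict_t demo_case(tcb_status_t status, int debug_enclave, int wrong_nonce,
                    int allow_sw_hardening)
{
    static const uint8_t mr_enclave[32] = { 0xA1, 0xA2, 0xA3, 0xA4 };
    static const uint8_t nonce[32]      = { 0x5E, 0x55, 0x10, 0x4E };
    policy_t p = { mr_enclave, NULL, 7, 2, allow_sw_hardening };
    report_body_t r;

    memset(&r, 0, sizeof r);
    memcpy(r.mr_enclave, mr_enclave, sizeof mr_enclave);
    r.isv_prod_id = 7;
    r.isv_svn = 3;
    memcpy(r.report_data, nonce, sizeof nonce);
    if (debug_enclave)
        r.attributes_flags |= SGX_FLAGS_DEBUG;
    if (wrong_nonce)
        r.report_data[0] ^= 0xFF;   /* e.g. a quote replayed from another session */
    return evaluate_quote(status, &r, &p, nonce);
}

int main(void)
{
    printf("release enclave, fresh nonce -> %d\n", demo_case(TCB_OK, 0, 0, 0));
    printf("debug enclave                -> %d\n", demo_case(TCB_OK, 1, 0, 0));
    printf("replayed quote               -> %d\n", demo_case(TCB_OK, 0, 1, 0));
    printf("platform out of date         -> %d\n", demo_case(TCB_OUT_OF_DATE, 0, 0, 0));
    return 0;
}
```

Whether SW_HARDENING_NEEDED is acceptable is a policy decision: it is only safe when the relying party knows the enclave was built with the required mitigations, which is why it is a flag in policy_t rather than a default.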

Requests For Information

Operational Security Hardening Guide

Seq  Countermeasure  Details

Testing guide

This guide lists all testable attacks described in the threat model.

Seq  Attack to test  Pass/Fail/NA

Keys classification