
Intel SGX (Software Guard Extensions)

Product
Developers: Intel
Last Release Date: 2020/10/15
Branches: Information technologies
Technology: Information security - Information leakage prevention


Main article: DLP - Data Loss/Leak Prevention - Technologies for Preventing Leaks of Confidential Information

The Intel SGX (Software Guard Extensions) software is designed to protect code and data against unauthorized access and modification. Developers can place their applications in processor-enforced enclaves, or secure execution areas, that improve security even on a compromised platform. Using this trusted execution environment at the application layer, developers can ensure the confidentiality of identity information and personal data, enable secure viewing of information on the Internet and protect copyrighted content, as well as strengthen endpoint protection or apply enhanced security to secret storage and data protection.

2020: Implementation in the Ice Lake platform as a security feature

On September 15, 2020 Intel introduced security features for the upcoming Ice Lake platform, based on the 3rd generation Intel Xeon Scalable processor family. Intel extends security by incorporating Intel Software Guard Extensions (Intel SGX) into all Ice Lake platform products, along with other technologies including Intel Total Memory Encryption (Intel TME), Intel Platform Firmware Resilience (Intel PFR), and encryption and data integrity accelerators.

With Ice Lake capabilities, Intel customers can create more secure solutions and reduce risks associated with data privacy and compliance, such as in the medical or financial industries.

"Data security is important when commercializing solutions. The capabilities of the presented platform based on the 3rd generation Xeon Scalable processor family will help our customers solve important problems related to data, their privacy and integrity. This is another stage in the development of a partnership within the framework of the ecosystem we have created to introduce security innovations," said Lisa Spelman, corporate vice president of the Data Platform Group and general manager of the Intel Xeon and Memory Group.

Intel SGX is a proven TEE technology for data centers with the smallest attack surface. It allows you to place up to 1 terabyte of code or data in isolated areas of memory called enclaves.

"Microsoft Azure was the first major public cloud service to offer confidential computing. Our customers from financial institutions, government agencies and health care use confidential computing in Azure," said Mark Russinovich, technical director of Microsoft Azure. "Azure provides confidential computing for virtual machines, containers, machine learning and many other areas of activity. The latest generation of Intel Xeon processors equipped with Intel SGX, full memory encryption and a cryptographic accelerator will help our customers open up even more confidential computing scenarios."

Customers such as the University of California, San Francisco (UCSF), NEC, Magnit and other organizations working in regulated sectors of the economy have entrusted Intel with supporting their security strategy and are using Intel SGX technology. For example, medical organizations can use the computing environment to preserve the confidentiality of information and protect patient data such as electronic medical records. In retail, Intel technology helps retailers securely process customer behavior data and protect intellectual property. Intel SGX gives customers multi-party collaborative computing capabilities that were previously difficult to implement because of privacy, security and regulatory requirements.

Intel Total Memory Encryption (Intel TME) is included in the Ice Lake platform to better protect all types of memory. It encrypts all memory that the Intel CPU has access to, including customer credentials, encryption keys and other technical and personal information that travels over the external memory bus. Intel developed this feature to defend against hardware-level attacks, such as reading data from a DIMM frozen in liquid nitrogen or attaching probing hardware for targeted attacks. Intel TME derives the encryption key from a hardened random number generator built into the processor, with no software involvement, and encrypts memory using the AES-XTS standard defined by the National Institute of Standards and Technology (NIST). This improves memory protection without requiring changes to existing software.

One of Intel's goals is to reduce the performance cost of security features so that customers do not have to choose between stronger protection and better performance. Ice Lake delivers high cryptographic efficiency by supporting several industry-standard instructions in combination with algorithmic and software innovations. Intel has developed two fundamentally different computational methods: interleaved execution of two algorithms that are usually run together but sequentially, and parallel processing of several independent data buffers.

Experienced attackers may try to compromise or disable a server's firmware in order to intercept data or take the server down. To protect system firmware, Ice Lake uses Intel Platform Firmware Resilience (Intel PFR) technology built into the platform based on the Intel Xeon Scalable processor family. It detects and remediates attacks on the firmware before they can compromise it or take the machine offline. Intel PFR uses an Intel FPGA as the Root-of-Trust to verify critical firmware components before they are allowed to run, which enhances protection of the BIOS flash, BMC flash, SPI descriptor, Intel Management Engine and power supply firmware.

2019

SGX can be used to invisibly hide malware

On February 12, 2019, it became known that SGX could be used to invisibly hide malware under the guise of a legitimate application.

Intel's Software Guard Extensions (SGX) for code security is not secure in itself. According to a study by experts at the Graz University of Technology (Austria), SGX can be used to invisibly hide malware under the guise of a legitimate application.

Researchers managed to crack SGX using a long-known technique - return-oriented programming (ROP).

Return-oriented programming involves overwriting a thread's stack so that the application performs malicious functions instead of its usual ones. This is achieved by chaining together fragments of unrelated instructions already present in memory to manipulate the program's operation. It is like breaking into someone else's car with a crowbar taken from its own trunk.

An attacker changes return addresses on the stack, so that after a routine operation completes the code returns not to where it should, but to a small snippet of other code. That snippet is followed by another, and another, forming a kind of patchwork of instructions that makes the program perform actions it should not (for example, modify data).

In their report, experts at the Graz University of Technology described the technique of bypassing various security technologies (including ASLR) and executing arbitrary code that can steal information and carry out DoS attacks using SGX and ROP.

The enclave created by SGX relies on its host application to communicate with the outside world. The technique developed by the researchers allows the enclave to communicate with the OS under the guise of a normal process. As a result, the malware is hidden from view but can do anything within its environment[1].

Features. Specifications

(Data up to date as of February 2019)

Intel SGX Command Execution Diagram
  • Low learning curve: a familiar programming model, integrated with the host application and executed on the main processor.
  • Remote attestation and provisioning: a remote party can verify application enclaves and provision keys, credentials and other sensitive information into them.
  • Minimal attack surface: the CPU boundary is the attack perimeter; all data, memory and I/O outside this perimeter are encrypted.
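The remote attestation bullet above describes a remote party verifying an enclave before provisioning secrets into it. The following Python block is an added example, not Intel's code and not the real SGX quote format: it models the relying-party policy checks (signature, DEBUG attribute, measurement allowlist, minimum version, nonce binding in REPORT_DATA) using an HMAC under an assumed platform key in place of the Quoting Enclave's signature, with all field values constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Simplified stand-in for an SGX quote. Assumption: a real quote is signed by the
# Quoting Enclave; here an HMAC under a platform key plays that role so the
# example runs offline. Field names follow the SGX REPORT structure.
ATTR_DEBUG = 0x02  # DEBUG attribute bit (constructed flag layout for this model)

@dataclass
class Quote:
    mrenclave: bytes    # hash of the enclave's initial code and data
    mrsigner: bytes     # hash of the enclave author's signing key
    attributes: int     # flag bits, including DEBUG
    isv_svn: int        # security version number set by the enclave author
    report_data: bytes  # 64 bytes chosen by the enclave, used to bind a nonce
    mac: bytes          # stand-in for the quote signature

def _body(q: Quote) -> bytes:
    return (q.mrenclave + q.mrsigner + q.attributes.to_bytes(8, "little")
            + q.isv_svn.to_bytes(2, "little") + q.report_data)

def platform_quote(key, mrenclave, mrsigner, attributes, isv_svn, report_data):
    """Simulated platform side: bind the report fields under the platform key."""
    q = Quote(mrenclave, mrsigner, attributes, isv_svn, report_data, b"")
    q.mac = hmac.new(key, _body(q), hashlib.sha256).digest()
    return q

def expected_report_data(nonce: bytes, enclave_pubkey: bytes) -> bytes:
    """The enclave puts H(nonce || its public key) in REPORT_DATA, tying the
    attestation to this session and to the key the verifier will then use."""
    return hashlib.sha256(nonce + enclave_pubkey).digest().ljust(64, b"\x00")

def verify_quote(q, key, allowed_mrenclaves, min_isv_svn, nonce, enclave_pubkey):
    """Relying-party policy checks. Returns (accepted, reason); secrets are
    provisioned only when accepted is True."""
    expected_mac = hmac.new(key, _body(q), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, q.mac):
        return False, "bad signature: quote not produced by a genuine platform"
    if q.attributes & ATTR_DEBUG:
        return False, "debug enclave: its memory can be read with a debugger"
    if q.mrenclave not in allowed_mrenclaves:
        return False, "unknown enclave measurement"
    if q.isv_svn < min_isv_svn:
        return False, "enclave version below minimum: known-vulnerable build"
    if not hmac.compare_digest(q.report_data, expected_report_data(nonce, enclave_pubkey)):
        return False, "report_data does not bind our nonce: possible replay"
    return True, "ok"
```

The order of checks matters: the signature is validated before any field is trusted, and the nonce binding is what stops an attacker from replaying a genuine quote from a different session.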

Specifications

SGX specifications

Notes