Designing a Provenance Analysis for SGX Enclaves

Abstract

SGX enclaves are trusted user-space memory regions that ensure isolation from the host, which is considered malicious. However, enclaves may suffer from vulnerabilities that allow adversaries to compromise their trustworthiness. Consequently, the SGX isolation may hinder defenders from recognizing an intrusion. Ideally, to identify compromised enclaves, the owner should have privileged access to the enclave memory and a policy to recognize the attack. Most importantly, these operations should not break the SGX properties. In this work, we propose SgxMonitor, a novel provenance analysis to monitor and identify compromised enclaves. SgxMonitor is composed of two elements: (i) a technique to extract contextual runtime information from an enclave, and (ii) a novel model to recognize enclaves' intrusions. Our evaluation shows that SgxMonitor successfully identifies enclave intrusions against state-of-the-art attacks without undermining the SGX isolation. Our experiments did not report false positives and negatives during normal enclave executions, while incurring a marginal overhead that does not affect real use cases deployment, thus supporting the use of SgxMonitor in realistic scenarios.

Citation (APA)

Toffalini, F., Payer, M., Zhou, J., & Cavallaro, L. (2022). Designing a Provenance Analysis for SGX Enclaves. In ACM International Conference Proceeding Series (pp. 102–116). Association for Computing Machinery. https://doi.org/10.1145/3564625.3567994
