SGAxe: How SGX Fails in Practice

(2020)

Abstract
Intel’s Software Guard Extensions (SGX) promises an isolated execution environment, protected from all software running on the machine. A significant limitation of SGX is its lack of protection against side-channel attacks. In particular, recent works have shown that transient-execution attacks can leak arbitrary data from SGX, breaching SGX’s confidentiality. However, less work has been done on the implications of such attacks on the SGX ecosystems. In this work we start from CacheOut, a recent confidentiality attack on SGX, which allows the retrieval of an enclave’s memory contents. We show how CacheOut can be leveraged to compromise the confidentiality and the integrity of a victim enclave’s long-term storage. By using the extended attack against the Intel-provided and signed architectural SGX enclaves, we retrieve the secret attestation key used for cryptographically proving the genuinity of enclaves over the network, allowing us to pass fake enclaves as genuine. Finally, we analyze the impact of our attack on two proposed SGX applications, the Signal communication app and Town Crier, an SGX-based blockchain application.