Understanding Intel® Software Guard Extensions (Intel® SGX)
Today, security solutions provide encryption when data is in storage and when it is sent across the network, but data can still be vulnerable when it is being actively processed in memory. The Common Vulnerabilities and Exposures (CVE) database1, for example currently contains over 11,000 potentially exploitable vulnerabilities, 34 percent still without mitigations. Intel® SGX, by bypassing a system’s operating system (OS) and virtual machine (VM) software layers, provides significant additional protection against many of these kinds of attacks and adds data security and addresses the need for more confidential computing. It provides a hardware-based security solution that utilizes encryption to change how memory is accessed, providing enclaves of protected memory to run your application and its data. Intel® SGX also allows you to seek verification of the application and the hardware it is running.
What Is a Side-Channel Attack, and Should I Be Worried?
Side-channel attacks are based on using information such as power states, emissions and wait times directly from the processor to indirectly infer data use patterns. These attacks are very complex and difficult to execute, potentially requiring breaches of a company’s data center at multiple levels: physical, network and system.
Hackers typically follow the path of least resistance. Today, that usually means attacking software. While Intel® SGX is not specifically designed to protect against side channel attacks, it provides a form of isolation for code and data that significantly raises the bar for attackers. Intel continues to work diligently with our customers and the research community to identify potential side-channel risks and mitigate them. Despite the existence of side-channel vulnerabilities, Intel® SGX remains a valuable tool because it offers a powerful additional layer of protection.
Should I Trust Intel® SGX?
Intel® SGX is the most tested, researched, and deployed hardware-based data center trusted execution environment (TEE), with the smallest available attack surface within the system. If you have strict data privacy and security requirements, Intel® SGX offers a clear strategic advantage.
And the good news for customers protected by Intel® SGX is that in addition to helping defend against the myriad of more common software-based attacks, Intel® SGX’s attestation mechanisms also allow you to request verification that your application has not been compromised and that the processor it is running on has the latest security updates.
Intel® SGX protects against thousands2 of known and unknown threats, many of which still do not otherwise have mitigations. Your code and data remain significantly more protected with Intel® SGX than without it.