Questions for IT Professionals to Consider as New Vulnerabilities Are Reported

  • What is the severity of the vulnerability? Learn about CVSS score.

  • Is a patch available from the vendor and applied in my network?

  • What are the attack vectors required to execute? Am I vulnerable for those?

  • Does my application code leverage BKMs for attack resistance?

  • Is the attack code available? Has it been found in the wild?

author-image

作者

Understanding Intel® Software Guard Extensions (Intel® SGX)

Today, security solutions provide encryption when data is in storage and when it is sent across the network, but data can still be vulnerable when it is being actively processed in memory. The Common Vulnerabilities and Exposures (CVE) database1, for example currently contains over 11,000 potentially exploitable vulnerabilities, 34 percent still without mitigations. Intel® SGX, by bypassing a system’s operating system (OS) and virtual machine (VM) software layers, provides significant additional protection against many of these kinds of attacks and adds data security and addresses the need for more confidential computing. It provides a hardware-based security solution that utilizes encryption to change how memory is accessed, providing enclaves of protected memory to run your application and its data. Intel® SGX also allows you to seek verification of the application and the hardware it is running.

What Is a Side-Channel Attack, and Should I Be Worried?

Side-channel attacks are based on using information such as power states, emissions and wait times directly from the processor to indirectly infer data use patterns. These attacks are very complex and difficult to execute, potentially requiring breaches of a company’s data center at multiple levels: physical, network and system.

Hackers typically follow the path of least resistance. Today, that usually means attacking software. While Intel® SGX is not specifically designed to protect against side channel attacks, it provides a form of isolation for code and data that significantly raises the bar for attackers. Intel continues to work diligently with our customers and the research community to identify potential side-channel risks and mitigate them. Despite the existence of side-channel vulnerabilities, Intel® SGX remains a valuable tool because it offers a powerful additional layer of protection.

Should I Trust Intel® SGX?

Intel® SGX is the most tested, researched, and deployed hardware-based data center trusted execution environment (TEE), with the smallest available attack surface within the system. If you have strict data privacy and security requirements, Intel® SGX offers a clear strategic advantage.

And the good news for customers protected by Intel® SGX is that in addition to helping defend against the myriad of more common software-based attacks, Intel® SGX’s attestation mechanisms also allow you to request verification that your application has not been compromised and that the processor it is running on has the latest security updates.

Intel® SGX protects against thousands2 of known and unknown threats, many of which still do not otherwise have mitigations. Your code and data remain significantly more protected with Intel® SGX than without it.

常见问题解答

常见问题解答

Intel® SGX adds another layer of defense by helping reduce the attack surface. Intel® SGX helps protect code and data from attack by malicious software and privileged escalations while that data is being processed. Developers can create trusted execution environments (TEEs) directly within the processor/memory domain.

Side-channel attacks are designed to gather external information from the processor such as power states, emissions and wait times in the attempt to infer data activity and values.3

Hackers typically follow the path of least resistance. Today, that usually means attacking software. While Intel® SGX is not specifically designed to protect against side channel attacks, it provides a form of isolation for code and data that raises the bar for attackers.

How Intel® SGX addresses security vulnerabilities:

  • Collaboration: Ongoing collaboration with researchers and partners, including our founder role in the Confidential Computing Consortium, helps us identify and mitigate vulnerabilities quickly.
  • Hardened security: Intel® SGX is designed to be regularly updated to be continuously hardened against attacks.
  • Verification: Intel® SGX enables applications to request verification that they are running on patched and uncompromised systems.