Are you an EPFL student looking for a semester project?
Work with us on data science and visualisation projects, and deploy your project as an app on top of Graph Search.
Publication
Are you an EPFL student looking for a semester project?
Work with us on data science and visualisation projects, and deploy your project as an app on top of Graph Search.
SGX enclaves are trusted user-space memory regions that ensure isolation from the host, which is considered malicious. However, enclaves may suffer from vulnerabilities that allow adversaries to compromise their trustworthiness. Consequently, the SGX isolation may hinder defenders from recognizing an intrusion. Ideally, to identify compromised enclaves, the owner should have privileged access to the enclave memory and a policy to recognize the attack. Most importantly, these operations should not break the SGX properties. In this work, we propose SgxMonitor, a novel provenance analysis to monitor and identify compromised enclaves. Sgx-Monitor is composed of two elements: (i) a technique to extract contextual runtime information from an enclave, and (ii) a novel model to recognize enclaves' intrusions. Our evaluation shows that SgxMonitor successfully identifies enclave intrusions against state-of-the-art attacks without undermining the SGX isolation. Our experiments did not report false positives and negatives during normal enclave executions, while incurring a marginal overhead that does not affect real use cases deployment, thus supporting the use of SgxMonitor in realistic scenarios.