SGX threat models

We’ve SGX breaks every 12 months or so, but the lastest SGX break compromised deveice keys. Intel’s response is kinda a joke / bullshit. Also, we’d some SGX projects in the ecosystem, so maybe worth discussing what using SGX securely requires.

Of course, SGX could still be used for minor things, like on-chain games. Can you use SGX securely in serious ways?

I’d contend that SGX can be used securely, but not in the standard SGX threat model. In other words, you cannot just trust that some SGX device signed that it ran this code with this code with this inout-output, because the SGX CPU doing the singing maybe an exfiltrated SGX key.

Instead, you should verify the specific SGX CPU keys doing the signing come from some whitelist of SGX CPU keys for whome you know the owner and the device’s history.

Imagine you’ve some parachain that employes SGX in some capasity, then the parachain should’ve an. on-chain whitelist of the SGX CPU key for each collator, and a signed statment by each colaltor operator that they purchased the CPU new, purchased the CPU relatively anonymously, and that the device never existed in an enviroment where it ran arbitrary code. In particular, the CPU should never have been used in a cloud enviroment.

If you take these steps, then you’re trust model becomes that each collator was unwilling or incapable of exfiltrating their SGX CPU key. That’s still not a great threat model.

Ideally, your parachain logic should enforce that multiple SGX CPUs from multiple collators to sign off on the block, before submission to polkadot. You’re now trusting that at least one of the signing collators were unwilling or incapable of exfiltrating their SGX CPU keys, which becomes reaosnable once enough sgn. You’ve a safety/soundness vs liveness trade off here, and more complex code, but at least this approach provides something like a decentralized threat model.

3 Likes

I think @marvin did a great job putting this recent exploit in perspective

Where I see Integritee fits into your stated requests:

The Integritee Network does independent remote attestation on its parachain which includes verifying the latest security patches have been applied. It acts as an immutable log of verified RA

Therefore, the Integritee network is useful to:

  • prove that a specific machine has correctly patched their platform before a specific date/block height in the past (this is relevant for the recent attack - which has been demonstrated on outdated platforms)
  • somehow argue that a the machine is still run by the same operator since some RA in the past (weak guarantee because one operator could just hand over access to the machine to someone else and leaving all state untouched)

I disagree that cloud setups must be avoided (virtualization should, however). Physical access to SGX machines opens the most severe attack vectors. For most use cases, ISO-certified datacenters offer better guarantees against such attacks. Also, whitelisting implies certain trust in operators.

I do agree with you that requiring agreement among multiple CPU’s&operators to take certain actions has potential.

Yes, if you limit the valuations even mildly, then you can always just accept SGX as is, or with minor fixes, like requiring updates or recent hardware.

At least in theory cloud providers create a major attack vector upon all blockchains. It’s humorous how bitcoin embraced this vulnerability by adopting mining pools. A few cloud nodes create less risks for proof-of-stake, but the risks looks serious for SGX. Anyways…

My point was:

SGX can still be used for strong things, if you run SGX in a decentralized threat model. In this model, with whitelisted CPU keys and legal contracts. In this, SGX merely “keeps the honest node operators honest”, but that’s important, especially in some scenarios.

Patching happens after a vulnerability is disclosed. A security model based on up to date patching is far from ideal.

For example, Junos had 0-day vulnerabilities from many years ago, and some of them likely remain undisclosed…

+trusting Intel hardware for privacy protection and secure computation