Intel SGX Remote Attestation is Not Sufficient

In this paper, we argue that SGX Remote Attestation provided by Intel is not sufficient to guarantee confidentiality and integrity for running unmodified applications in the cloud. In particular, we demonstrate cases where:

• A dishonest service provider instantiates both a valid enclave running on real hardware, as well as the same enclave running in a software simulator in parallel, is always able to respond correctly to Remote Attestation queries, all the while running the enclave inside a software simulator with full access to enclave's internal state.
• A dishonest service provider rewinds the "enclave's tape" and replays computation even though the data is encrypted with platform specific seal-keys. This is a form of replay attack.
• A dishonest service provider runs multiple instances of the same enclave in parallel and launches chosen cipher-text attacks on the protocol.

This talk will also discuss the details about Remote Attestation mechanism: - What keys are embedded inside each SGX hardware, and what's the protocol for providing proof of knowledge? Are these protocols zero-knowledge, as claimed by Intel? - How the EPID's zero-knowledge proof of knowledge works, what anonymity guarantees it provides, and can it be replaced with other simpler schemes where platform anonymity is not a concern. - What key-exchanges take place between Intel Attestation Service, Software Vendor's own service, Intel Provided Platform Enclaves (e.g., launch enclave, etc.), and the enclave itself.