Intel SGX Application Architecture
Intel Software Guard Extensions (Intel SGX) provides hardware-based isolation to protect data while in use, leveraging secure enclaves that prevent unauthorized access and modification. This technology enables applications to confidentially process sensitive data, shielding it even from the operating system, hypervisor, and privileged users.

Intel SGX applications are composed of a trusted part (the Enclave) and an untrusted part (the App). When an application needs to work with sensitive data, it creates an Enclave, which is placed in trusted memory. The App then invokes trusted functions to enter the Enclave, where the data can be accessed in cleartext within the protected environment.
Enclave and App Physical Isolation
- Enclave: Runs in user mode (Ring 3) but is protected at the hardware level by the CPU, designed exclusively for storing and processing sensitive data while preventing unauthorized access.
- App: A standard application running in an untrusted environment (user mode), responsible for creating, managing, and interacting with the Enclave. However, it cannot directly access the Enclave’s memory or its protected data.
Key Advantages:
- Reduced Attack Surface: Even if the App, OS, or Hypervisor is compromised, sensitive data within the Enclave remains secure.
- Computational Integrity: Malicious software cannot tamper with or modify the execution flow inside the Enclave, ensuring data integrity and trusted computation.
ECALL/OCALL Mechanism
SGX does not allow the Enclave and the external environment to access each other's memory directly. Control may cross the enclave boundary only through two kinds of defined function calls:
- ECALL (Enclave Call - Entering the Enclave): The App invokes an Enclave function to execute a trusted computation within the protected environment.
- OCALL (Outside Call - Exiting the Enclave): The Enclave asks the App to perform an operation on its behalf that it cannot carry out directly, such as access to the file system, the network, or other system services.
Key Advantages:
- Minimized Trusted Computing Base (TCB): Only critical security-sensitive code runs within the Enclave, reducing the trusted code base and minimizing the attack surface.
- Data Isolation & Confidentiality: Sensitive information is never exposed outside the Enclave, preventing leakage, unauthorized access, or memory inspection.
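The App/Enclave split and the ECALL/OCALL boundary described above, as an added example that is not part of the original page and uses no Intel SGX SDK code: it is a plain-C model in which a static array stands in for enclave memory and a range check stands in for the CPU's protection. The names `ecall_init`, `ecall_keyed_tag`, `app_ocall_log`, `app_run` and `is_outside_enclave` are constructed for this illustration; the check is modeled on the real SDK function `sgx_is_outside_enclave()`, the copy-in/copy-out behaviour mirrors what the SDK's edger8r-generated proxies do, and the constant key is a stand-in for a key that real enclave code would obtain through `sgx_get_key()` or sealing.

```c
/* Plain-C model of an SGX App/Enclave pair (example only, no SGX SDK involved).
 * "Enclave memory" is a static array; the CPU's protection is imitated by the
 * range check in is_outside_enclave(). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---------- Trusted side (what would be the enclave image) ---------- */

#define ENCLAVE_MEM_SIZE 256
#define KEY_LEN 16
#define SCRATCH_LEN (ENCLAVE_MEM_SIZE - KEY_LEN)
static uint8_t enclave_mem[ENCLAVE_MEM_SIZE];           /* stands in for EPC pages   */
static uint8_t *const enclave_key = enclave_mem;        /* secret; never copied out   */
static uint8_t *const enclave_scratch = enclave_mem + KEY_LEN;

typedef void (*ocall_log_fn)(const char *msg);
static ocall_log_fn ocall_log;                           /* OCALL registered by the App */

/* Modeled on sgx_is_outside_enclave(): a buffer handed in by the App must lie
 * wholly outside enclave memory; otherwise the App could make the enclave read
 * its own key or overwrite its own state through an "out" parameter. */
static int is_outside_enclave(const void *p, size_t n)
{
    if (p == NULL || n == 0) return 0;
    uintptr_t start = (uintptr_t)p, end = start + n;
    if (end < start) return 0;                           /* address arithmetic wrapped */
    uintptr_t lo = (uintptr_t)enclave_mem, hi = lo + ENCLAVE_MEM_SIZE;
    return end <= lo || start >= hi;
}

/* ECALL 1: provision the secret and the OCALL table. The key bytes are a
 * constructed constant; real enclave code would derive them via sgx_get_key(). */
int ecall_init(ocall_log_fn log)
{
    for (int i = 0; i < KEY_LEN; i++) enclave_key[i] = (uint8_t)(i + 1);
    ocall_log = log;
    return 0;
}

/* ECALL 2: keyed tag over an App buffer. Returns 0 on success, -1 on bad
 * parameters (the SDK would report SGX_ERROR_INVALID_PARAMETER). The mixing
 * function is a toy for illustration, not a MAC. */
int ecall_keyed_tag(const uint8_t *in, size_t in_len, uint32_t *out)
{
    if (!is_outside_enclave(in, in_len) || !is_outside_enclave(out, sizeof *out))
        return -1;
    if (in_len > SCRATCH_LEN) return -1;
    /* Copy-in first and compute only on the private copy, so the App cannot
     * alter the bytes mid-computation (the generated proxies do the same). */
    memcpy(enclave_scratch, in, in_len);
    uint32_t h = 0;
    for (size_t i = 0; i < in_len; i++)
        h = h * 31u + (uint32_t)(enclave_key[i % KEY_LEN] ^ enclave_scratch[i]);
    memset(enclave_scratch, 0, in_len);                  /* scrub before leaving     */
    *out = h;                                            /* copy-out of the result only */
    /* OCALL: ask the untrusted App to log, passing nothing sensitive. */
    if (ocall_log) {
        char msg[48];
        snprintf(msg, sizeof msg, "tagged %zu bytes", in_len);
        ocall_log(msg);
    }
    return 0;
}

/* ---------- Untrusted side (the App) ---------- */

static char last_log[64];
static int log_calls;

void app_ocall_log(const char *msg)                      /* the App's OCALL implementation */
{
    snprintf(last_log, sizeof last_log, "%s", msg);
    log_calls++;
}
int app_log_calls(void) { return log_calls; }
const char *app_last_log(void) { return last_log; }

/* App flow: provision, ECALL with a buffer in App memory, then show that an
 * "out" pointer aimed at enclave memory is refused. The App may know the
 * enclave's address range (it loaded the enclave) but cannot read it. */
int app_run(uint32_t *tag_out)
{
    ecall_init(app_ocall_log);
    const uint8_t msg[] = { 'a', 'b', 'c' };             /* constructed input */
    int rc = ecall_keyed_tag(msg, sizeof msg, tag_out);
    if (rc != 0) return rc;
    uint32_t *inside = (uint32_t *)enclave_mem;          /* hostile out pointer */
    if (ecall_keyed_tag(msg, sizeof msg, inside) != -1) return -2;
    return 0;
}

int main(void)
{
    uint32_t tag = 0;
    int rc = app_run(&tag);
    printf("rc=%d tag=%u log=\"%s\"\n", rc, tag, app_last_log());
    return rc;
}
```

The point of the model is the boundary discipline rather than the arithmetic: every pointer that arrives through an ECALL is range-checked, input is copied in before use, only the result is copied out, and the OCALL carries nothing the enclave is not willing to expose to the untrusted side.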
Conclusion
With Intel SGX Application Architecture, applications can confidentially process and store sensitive data, maintaining data integrity, confidentiality, and security even in hostile or compromised computing environments.