The Guard's Dilemma: Efficient Code-Reuse Attacks Against Intel SGX


Andrea Biondo and Mauro Conti, University of Padua; Lucas Davi, University of Duisburg-Essen; Tommaso Frassetto and Ahmad-Reza Sadeghi, Technische Universität Darmstadt


Intel Software Guard Extensions (SGX) isolate security-critical code inside a protected memory area called enclave. Previous research on SGX has demonstrated that memory corruption vulnerabilities within enclave code can be exploited to extract secret keys and bypass remote attestation. However, these attacks require kernel privileges, and rely on frequently probing enclave code which results in many enclave crashes. Further, they assume a constant, not randomized memory layout. In this paper, we present novel exploitation techniques against SGX that do not require any enclave crashes and work in the presence of existing SGX randomization approaches such as SGX-Shield. A key contribution of our attacks is that they work under weak adversarial assumptions, e.g., not requiring kernel privileges. In fact, they can be applied to any enclave that is developed with the standard Intel SGX SDK on either Linux or Windows.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

Presentation Audio

@inproceedings {217636,
author = {Andrea Biondo and Mauro Conti and Lucas Davi and Tommaso Frassetto and Ahmad-Reza Sadeghi},
title = {The Guard{\textquoteright}s Dilemma: Efficient Code-Reuse Attacks Against Intel {SGX}},
booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
year = {2018},
isbn = {978-1-931971-46-1},
address = {Baltimore, MD},
pages = {1213--1227},
url = {},
publisher = {{USENIX} Association},