Intel Software Guard Extensions (SGX) Is Mighty Interesting

By Rich

I am in a bit over my head here, but take a look at the first two presentations at the Workshop on Hardware and Architectural Support for Security and Privacy. Intel is preparing to introduce a new capability in their processors to support use of secure encrypted memory spaces on commodity CPUs. Their objective is to provide applications with a secure ‘enclave’ (their term) with a protected memory and execution space. It’s called Intel Software Guard Extensions (SGX).

small robot

This could be significant – especially for battling malware and cloud computing. Think secure key management in the cloud with hardware-enforced sandboxes on endpoints. Developers will need to code their software to use the feature, so this isn’t an overnight fix. However…

  • It seems like a powerful tool to battle malware on endpoints, especially if operating system manufacturers leverage the capability in Windows and OS X to further improve their sandboxes. And imagine a version of Java or Flash that’s fully isolated.
  • This could offer material improvements to hypervisor security – for example by eliminating memory parsing attacks. And encrypted memory should mean volatile memory (RAM) is even protected from cloud administrators trying to peek at encryption keys.
  • HSM vendors should also keep an eye on this because it might offer comparable security to hardware-based key managers (but probably not for key generation and a few other important pieces, for those who need them). Think of virtual HSMs and key managers that run within the cloud, without the worry of keys being compromised in memory.

It looks extremely interesting but I freely admit that some of it is over my head. But if I am reading right, the long-term potential to improve security is impressive.

No Related Posts

From the papers it seems that the purpose of SGX is to protect a piece of security critical code, i.e. the one within the enclave, from the rest of the system, and not the other way around. Hence, sandboxing and Java/Flash isolation, which essentially tries to protect the rest of the system from a the execution of a potentially malicious piece of code, doesn’t seem as an appropriate use case for SGX to me.

By Nikos

I did not get much from Intel’s website on this , any idea which series of processors would support this ?

By Sashank Dara

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.