This paper explains the process by which Intel Software Guard Extensions (SGX) can be leveraged into an existing codebase to protect a security-sensitive application. Intel SGX provides user-level applications with hardware-enforced confidentiality and integrity protections and incurs manageable impact on performance. These protections apply to all three phases of the operational data lifecycle: at rest, in use, and in transit. SGX shrinks the trusted computing base (and therefore the attack surface) of the application to only the hardware on the CPU chip and the portion of the application's software that is executed within the protected enclave. The SDK enables SGX integration into existing C/C++ codebases while still ensuring program support for legacy and non-Intel platforms. This paper is the first published work to walk through the step-by-step process of Intel SGX integration with examples and performance results from an actual cryptographic application produced in a standard Linux development environment.
展开▼
