I read through the 'Local Attestation' sample code. I got the idea that local attestation can construct a secure channel for transmitting private data. However, I didn't see anything related to checking the code and making sure the code running in the Enclave is safe. For example, if Enclave 2 is trying to connect to Enclave 1, how will Enclave 1 make sure Enclave 2 will not leak any private information it received from Enclave 1?
2 Answers
The goal of attestation in SGX is, citing Intel's original paper, to provide "a mechanism by which another party can gain confidence that the correct software is securely running within an enclave on an enabled platform".
From your original question, I identify three main flaws:
- The goal of attestation is not to create a secure channel for transmitting data.
- The basic local attestation is a one-sided process. Enclave 1 proves its identity to Enclave 2.
- Generally, when talking about Trusted Execution Environments (like SGX) you always trust what's loaded inside an enclave. That is, SGX won't protect against a malicious application running inside an enclave.
Through the attestation process, Enclave 2 can validate all the code and data running in Enclave 1. Observe that, if the symmetric process is followed as well, both Enclaves can validate the code and data running in the other enclave. Additionally, and since you brought it up, there's a mechanism to exchange a shared secret through this local attestation process that enables establishing a secure channel between two attested enclaves.
But in short, you must trust what you load inside the enclave.

In order to do this you have to check the identity of the peer enclave (this is done here and here in the LocalAttestation sample).
The Local Attestation sample ensures the secure channel is established between two enclaves (enclaves protect the code they're running), and before using the secure channel you should check you're communicating with a trusted enclave, that is, an enclave running code you trust, or signed by a trusted author.
The function doing this identity verification is defined here.

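The identity check both answers refer to, written out as an added example (not the SDK sample's own code and not the question's). The SGX SDK hands the responder the peer's identity after the DH exchange completes, and the policy decision about whether to trust that peer is left entirely to the enclave author. The struct and flag definitions below are local stand-ins modelled on `sgx_dh_session_enclave_identity_t` and the `SGX_FLAGS_INITTED`/`SGX_FLAGS_DEBUG` bits so the example compiles without the SDK headers; the policy values (signer measurement, product id, minimum SVN) are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Local stand-ins for the SDK types (not the real sgx_tdh.h / sgx_attributes.h).
 * The flag values mirror the SDK's SGX_FLAGS_INITTED (0x1) and SGX_FLAGS_DEBUG (0x2). */
#define MEASUREMENT_LEN 32
#define FLAG_INITTED 0x1ULL   /* enclave has finished initialisation */
#define FLAG_DEBUG   0x2ULL   /* debug enclave: its memory is readable by a debugger */

typedef struct { uint64_t flags; uint64_t xfrm; } enclave_attributes_t;

typedef struct {
    uint8_t  mr_enclave[MEASUREMENT_LEN]; /* hash of the enclave's code and initial data */
    uint8_t  mr_signer[MEASUREMENT_LEN];  /* hash of the signing key's public modulus */
    uint16_t isv_prod_id;                 /* product id chosen by the signer */
    uint16_t isv_svn;                     /* security version number chosen by the signer */
    enclave_attributes_t attributes;
} peer_identity_t;

/* Constructed trust policy: peer must be signed by our key, carry the expected
 * product id, be at least at a minimum SVN, be initialised, and not be a debug build. */
typedef struct {
    uint8_t  expected_mr_signer[MEASUREMENT_LEN];
    uint16_t expected_prod_id;
    uint16_t min_isv_svn;
} trust_policy_t;

enum verify_result { TRUST_OK = 0, TRUST_NULL_ARG, TRUST_BAD_SIGNER, TRUST_BAD_PROD_ID,
                     TRUST_OLD_SVN, TRUST_NOT_INITTED, TRUST_DEBUG_ENCLAVE };

/* Constant-time comparison so the position of a mismatch is not leaked through timing. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Run after the DH session is established and BEFORE any secret goes over it.
 * Returns the first failing check, or TRUST_OK if the peer may be used. */
enum verify_result verify_peer_enclave_trust(const peer_identity_t *peer,
                                             const trust_policy_t *policy) {
    if (!peer || !policy) return TRUST_NULL_ARG;
    if (!ct_equal(peer->mr_signer, policy->expected_mr_signer, MEASUREMENT_LEN))
        return TRUST_BAD_SIGNER;          /* signed by someone else: not "a trusted author" */
    if (peer->isv_prod_id != policy->expected_prod_id) return TRUST_BAD_PROD_ID;
    if (peer->isv_svn < policy->min_isv_svn) return TRUST_OLD_SVN;   /* known-vulnerable build */
    if (!(peer->attributes.flags & FLAG_INITTED)) return TRUST_NOT_INITTED;
    if (peer->attributes.flags & FLAG_DEBUG) return TRUST_DEBUG_ENCLAVE; /* secrets would be readable */
    return TRUST_OK;
}

/* Helpers that build constructed peer identities for the demo scenarios. */
static peer_identity_t make_peer(uint8_t signer_byte, uint16_t prod, uint16_t svn, uint64_t flags) {
    peer_identity_t p;
    memset(&p, 0, sizeof p);
    memset(p.mr_signer, signer_byte, MEASUREMENT_LEN);
    memset(p.mr_enclave, 0xEE, MEASUREMENT_LEN);  /* arbitrary: not pinned by this policy */
    p.isv_prod_id = prod;
    p.isv_svn = svn;
    p.attributes.flags = flags;
    return p;
}

trust_policy_t example_policy(void) {
    trust_policy_t pol;
    memset(pol.expected_mr_signer, 0xAA, MEASUREMENT_LEN); /* constructed "our signer" value */
    pol.expected_prod_id = 1;
    pol.min_isv_svn = 2;
    return pol;
}

/* Scenarios return their verdict so the result can be checked, not just printed. */
enum verify_result demo_trusted(void) {
    trust_policy_t pol = example_policy();
    peer_identity_t e = make_peer(0xAA, 1, 2, FLAG_INITTED);
    return verify_peer_enclave_trust(&e, &pol);
}
enum verify_result demo_debug_build(void) {
    trust_policy_t pol = example_policy();
    peer_identity_t e = make_peer(0xAA, 1, 2, FLAG_INITTED | FLAG_DEBUG);
    return verify_peer_enclave_trust(&e, &pol);
}
enum verify_result demo_other_signer(void) {
    trust_policy_t pol = example_policy();
    peer_identity_t e = make_peer(0xBB, 1, 2, FLAG_INITTED);
    return verify_peer_enclave_trust(&e, &pol);
}
enum verify_result demo_old_svn(void) {
    trust_policy_t pol = example_policy();
    peer_identity_t e = make_peer(0xAA, 1, 1, FLAG_INITTED);
    return verify_peer_enclave_trust(&e, &pol);
}

int main(void) {
    printf("trusted peer:  %d\n", demo_trusted());
    printf("debug build:   %d\n", demo_debug_build());
    printf("other signer:  %d\n", demo_other_signer());
    printf("old svn:       %d\n", demo_old_svn());
    return 0;
}
```

Checking `mr_signer` plus product id and SVN corresponds to "signed by a trusted author" in the answer above; pinning `mr_enclave` instead corresponds to "running code you trust" and is stricter, but it changes with every rebuild of the peer, so it is usually reserved for deployments where both enclaves ship together. Rejecting debug enclaves matters because a debug enclave's memory can be read from outside, so a secret sent to it over the otherwise-sound channel is not protected.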