The evidence beyond the wall: Memory forensics in SGX environments

Toffalini, Flavio; Oliveri, Andrea; Graziano, Mariano; Zhou, Jianying; Balzarotti, Davide
Forensic Science International: Digital Investigation,
Volume 39, December 2021, N°301313

Software Guard eXtensions (SGX) is a hardware-based technology that introduces unobservable portions of memory, called enclaves, which physically shield software components from tampering by the rest of the system. Enclaves can be used to run arbitrary programs (including malicious code), but their actual impact on digital forensics and incident response remains unknown. In our work, we propose a methodical study of what information can be retrieved from an SGX machine and how to use this information to infer the enclaves' interfaces and structure layout.

We tested our techniques over a dataset of 45 SGX applications, and we showed their practicality in a real-product use case and on two malware enclaves.


DOI
Type:
Journal
Date:
2021-07-19
Department:
Sécurité numérique
Eurecom Ref:
6761
Copyright:
© Elsevier. Personal use of this material is permitted. The definitive version of this paper was published in Forensic Science International: Digital Investigation,
Volume 39, December 2021, N°301313 and is available at: http://doi.org/10.1016/j.fsidi.2021.301313

PERMALINK : https://www.eurecom.fr/publication/6761