TUM Logo

Towards Memory Forensic in SGX Enclaves

Towards Memory Forensic in SGX Enclaves

Supervisor(s): Mathias Morbitzer
Status: finished
Topic: Others
Author: Lukas Heindl
Submission: 2023-02-15
Type of Thesis: Bachelorthesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching


In cloud environments there is a new party having full control over the code and the data,

the cloud provider. Thus, trusting the cloud provider is required in such an environment.

As the stored data might be sensitive, we want to eliminate this requirement. For that reason

mechanisms like Intel SGX exist. Intel SGX introduces the concept of enclaves to the cloud computing

environment. Code, as well as data used by an enclave is protected from everything different than the

enclave itself. Nevertheless, code running in the enclave might have vulnerabilities as well.

While there is a lot of work on how to detect an intrusion in a non-SGX environment, there is little work
on how to do this for SGX.
In this work, we developed methodology to analyze how memory is organized in such an enclave. We show
how we can find the stack of the running enclave. For the other two important sections, the code and the heap,
we also provide a basic analysis. Being able to access the different segments of the memory is the first step in
dynamically checking whether the current state is still valid.
The next step however, validating the retrieved data, is out of scope for this work.