SinClave: Hardware-assisted Singletons for TEEs

 February 5, 2024 at 4:54 pm

PDF Middleware ’23

Attack

If the software’s configuration that is not reflected in the enclave measurement (§ 3.3) dictates the to-be-loaded program, the adversary can simply start a report server implementation.

  • Is it correct? Yes, at least for SCONE.

Defense

The basic idea behind our solution is that system software adds an additional page, the instance page (see Figure 5), to the enclave dynamically during enclave construction. This page, in particular, contains an attestation token, and the verifier’s cryptographic identity. The attestation token is unique and generated by the verifier in a previous step.

  • How can SinClave ensure that such a token is securely protected (i.e., not leaked to the adversary)?
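A minimal sketch of the instance-page idea quoted under Defense, added here as an illustration and not taken from the paper or from SCONE. Assumptions: the measurement is a simplified SHA-256 hash chain rather than the real hardware measurement, the instance page layout (token, then verifier identity, zero padded) is hypothetical, and the verifier accepts each token only once (the quoted text only says the token is unique). All names and sample inputs are constructed.

```python
import hashlib
import secrets

PAGE_SIZE = 4096
# Constructed sample inputs: two base pages and a stand-in verifier identity.
BASE_PAGES = [b"enclave code".ljust(PAGE_SIZE, b"\x00"),
              b"enclave data".ljust(PAGE_SIZE, b"\x00")]
VERIFIER_ID = hashlib.sha256(b"constructed verifier public key").digest()

def extend(measurement: bytes, page: bytes) -> bytes:
    """Fold one page into a running measurement (simplified hash chain)."""
    return hashlib.sha256(measurement + hashlib.sha256(page).digest()).digest()

def measure(pages) -> bytes:
    """Measurement over pages in load order, starting from an all-zero state."""
    m = b"\x00" * 32
    for page in pages:
        m = extend(m, page)
    return m

def instance_page(token: bytes, verifier_id: bytes) -> bytes:
    """Hypothetical layout: token || verifier identity, zero padded to a page."""
    return (token + verifier_id).ljust(PAGE_SIZE, b"\x00")

def build_enclave(base_pages, token: bytes, verifier_id: bytes) -> bytes:
    """System software side: load the base pages, then add the instance page."""
    return measure(list(base_pages) + [instance_page(token, verifier_id)])

class Verifier:
    def __init__(self, base_pages, identity: bytes):
        self.base = measure(base_pages)  # measurement without instance page
        self.identity = identity
        self.pending = {}                # expected measurement -> token

    def issue_token(self) -> bytes:
        """Generate a unique token and precompute the measurement it implies."""
        token = secrets.token_bytes(32)
        expected = extend(self.base, instance_page(token, self.identity))
        self.pending[expected] = token
        return token

    def attest(self, reported: bytes) -> bool:
        """Accept a reported measurement only if it matches an unused token."""
        return self.pending.pop(reported, None) is not None
```

Because the token is folded into the measurement, a second enclave built with the same token reports the same measurement and is rejected once the first has been accepted; whether the token stays confidential is a separate question that this sketch does not address.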