KryptoGuard™ - Intel® SGX - SQLite

A feasibility study of KryptoGuard™ brand leveraging Intel® SGX using SQLite

​In the last post I mentioned I will take a scenario to explain how KryptoGuard™ brand leverages Intel® SGX to better protect sensitive data.  This post is dedicated towards just that.

As part of the feasibility study, I wanted to take a database application and provide it the security and benefit of running in the context of an Intel® SGX enclave.   I chose a database software because, more often than not, that's were sensitive data find's its home.  And within that, I chose SQLite for a proof of concept because, it makes for a perfect fit, as it is one of the light weight, low foot print open database that has withstood the test of time. 
The very nature of doing anything security centric dictates opting for the smallest possible attack surface.  Intel® SGX provides that at hardware level by reducing the attack surface to CPU boundary.  It makes sense for us to follow suite by doing the same at software level as well.  And for that SQLite makes for a good candidate.

To be able to store certain kinds of sensitive data, businesses are required to abide by relevant regulations.  And encryption becomes a mandatory requirement in such cases.  It so happens, Intel® SGX's in-built cryptography can be leveraged to enforce that requirement more easily.  Leveraging it not only helps meet a need, it also helps make the process simpler.  To that end I wanted to enlist Intel® SGX's FS API to demonstrate how easy it is to encrypt and secure a database and SQLite design was a seamless fit to demonstrate that as well.

Intel® SGX provides PSW and SDK software to exercise its hardware feature.  SQLite design made it easier for me to use both of their software in a mutually complimentary way to show the added security enjoyed by an SQLite database while storing, loading and processing sensitive data, all within an enclave, out of reach from any other layers of software, including higher privilege software!  To state for clarity, I refer to SQLite software running within an enclave, powered by Intel® SGX, as trusted SQLite and otherwise as classic SQLite.

It is important to note that the database created with trusted SQLite can only be reopened and processed by trusted SQLite.  Thus it enjoys all the security provided by Intel® SGX.  For example, that database cannot be opened in a hex editor to get to its content in obtuse ways because of it being encrypted (leveraging Intel® SGX in our case) along with other Intel® SGX features like sealing, as and when appropriate.

Also, if a classic SQLite database were to be reopened in the same environment, it is susceptible to memory scrapping attacks.  Where as, a trusted SQLite database, which can only be loaded within the same trusted environment is not susceptible to similar attacks.  This is because, sensitive database data are earmarked as Intel® SGX resources when loaded by trusted SQLite.  Hardware level access control checks are applied to such resources upon its access in memory.  So, when a memory scrapper software tries to access it, hardware level access checks by Intel® SGX forbids such software from gaining access to the sensitive data irrespective of the privilege at which the scrapper runs, as it is not a code running within the expected enclave to pass those checks.
​
As you might have inferred from the above, Intel® SGX not only protects data in-memory at hardware level, it also provides the added benefit of making data at rest protection simpler in this case!  This should fairly explain why I chose SQLite to demonstrate the use of Intel® SGX in protecting sensitive data, which aligns with our KryptoGuard™ brand goals and the use cases we target.