Preventing rollback attacks on Intel SGX using Conclave SDK

Conclave Feb 18 2022 By: Sneha Damle




Sneha Damle Senior Developer Evangelist, Conclave

As you can see in the image above, imagine a scenario where the loving husband has promised to gift his wife an exciting gift every month, each one better than the last. But the wife is very forgetful, and hence puts a note on the fridge to remind her what the last gift was.

And because she knows her husband is a trickster, she signs the note so she knows she wrote it and he didn’t write it himself. But she fails to realise that nothing stops him waiting until she’s asleep and then taking YESTERDAY’s note out of the trash can and putting it back on the fridge. When she wakes up, she correctly sees that HER note is on the fridge. But she completely fails to spot that it is an OLD one. He’s literally rolled back her state.

Intel Software Guard Extensions (SGX) enables you to execute applications in a secure memory region, called an enclave, that guarantees confidentiality, security, and integrity of your application state, even when the host is malicious. Applications running under this model can prove to their users that this is the case, which makes it possible to develop solutions that can give strong privacy assurances to their users. But nothing in life is free, and there are some new problems that come along with this power. One of them is known as a rollback attack, and Intel SGX does not provide any built-in support to prevent it. This blog post will discuss how Conclave can handle rollback attacks using Intel SGX. But before we jump into this, let us first understand the need for Intel SGX and what a rollback attack is.

Let’s take a simple use case. Congestion at the airport causes delayed flights, leading to additional costs incurred by the airline. There must be an efficient way to allocate or reallocate the remaining takeoff and landing slots available that day to maximise the number of passengers who do get to their destinations, using information provided by the airlines such as the total number of passengers flying, airline routes, airline timings, etc., all of which is shared by multiple airlines. However, airlines are reluctant to share such sensitive information with the airport authorities because of concerns regarding data privacy, information leakage to other airlines, or compliance constraints.

Intel SGX can handle situations where multiple parties wish to share sensitive information without disclosing information to other participants or needing a central broker.

By using remote attestation, an enclave can provide robust assurance to a remote party about the precise software being run inside the enclave. Additionally, SGX provides a security mechanism called sealing that allows each enclave to encrypt and authenticate data for persistent storage to protect enclave data across executions. Through these security mechanisms (isolation, sealing, attestation), SGX enables the development of various applications and online services with hardened security.

Conclave is an application development platform that can be used to build enclaves. Access to this enclave memory is blocked for everyone, even privileged software like the kernel and BIOS. Thus code and data in the enclave can’t be read or tampered with by anyone, not even by the owner of the computer on which it runs.

Conclave builds on SGX to give developers a toolkit to build enclaves using high-level languages like Java.

What is a Rollback Attack?

Let us first try to understand what a rollback attack is in the context of our enclave based application.

As we saw above, sealing does help to prevent a malicious host from reading any encrypted data persisted by the enclave. In a typical rollback attack, the malicious host replaces the latest sealed state with an older one after a platform reboot. There is no way the enclave can detect this easily, as the enclave does not have built-in persistence capabilities. The enclave doesn’t have access to a trusted time or a monotonic counter to detect that the state has been rewound.

The figure below depicts a series of events showing how a host gives the enclave an old state and thus performs a rollback attack.

Rollback Attack on the Enclave

Current solutions to prevent rollback attacks

The SGX architecture does support the use of monotonic counters (monotonic counters allow trusted applications to detect offline storage data rollback attacks), which the enclave can use to prevent rollback attacks, but SGX systems available today do not support them. They need to be provided by a separate TEE and securely made available to Intel SGX enclaves. Also, writing this counter’s value to the non-volatile memory is very slow, thus limiting its adoption. More importantly, this memory allows only a limited number of write operations, thus rendering this useless.

Conclave’s use of the persistent map to prevent rollback attacks

Conclave uses a map data structure to persist any data type and avoid rollback attacks. Let’s take a look at how this map can prevent rollback attacks.

A client connects to the enclave to perform some computation. Conclave provides persistence capabilities which enable enclaves to save files and data onto persistent storage. Since enclaves do not have access to persistent storage, they usually delegate the task of storing data to the host. After a restart, the enclave requests the last saved state from the host.

A malicious host at this point can perform a rollback attack wherein it gives the enclave an old state. The enclave has no way of detecting this, and it thinks it is dealing with the latest state.

To prevent a rollback attack, the enclave attaches some extra hidden data to the map (which contains the data to be persisted) and sends it (the map with the hidden data) to the client, along with the enclave’s belief about the last seen piece of such data, which the client keeps track of. If the host restarts the enclave with an older version of the map, the clients will detect a mismatch.

Conclave provides an EnclaveClient class, a client implementation that handles rollback prevention automatically and it keeps track of this extra hidden data (this data that’s sent is called the enclave’s state id and in the EnclaveClient it is the lastSeenStateId property). If there is a rollback, then this data will not match, and the client will throw an exception (by default).
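The state-id check described above, modelled end to end as an added example (this is not Conclave code and does not use the Conclave API). The class and function names, the `believed_last_seen` field and the HMAC that stands in for sealing are assumptions made for illustration; real sealing also encrypts the data.

```python
import hashlib, hmac, json, os

SEAL_KEY = os.urandom(32)  # assumption: stands in for the enclave's sealing key

class RollbackError(Exception):
    """Raised by the client when the enclave's view of it is stale."""

def seal(state):
    body = json.dumps(state, sort_keys=True).encode()
    return hmac.new(SEAL_KEY, body, hashlib.sha256).digest() + body

def unseal(blob):
    tag, body = blob[:32], blob[32:]
    expected = hmac.new(SEAL_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("sealed state was modified")
    return json.loads(body)  # an OLD blob passes: integrity is not freshness

class Enclave:
    def __init__(self, sealed=None):
        self.state = unseal(sealed) if sealed else {"map": {}, "last_sent": {}}

    def handle(self, client_id, key, value):
        believed = self.state["last_sent"].get(client_id)
        state_id = os.urandom(16).hex()  # fresh id for the new state
        self.state["map"][key] = value
        self.state["last_sent"][client_id] = state_id
        reply = {"state_id": state_id, "believed_last_seen": believed}
        return reply, seal(self.state)  # blob goes to the untrusted host

class Client:
    def __init__(self):
        self.last_seen_state_id = None

    def receive(self, reply):
        if reply["believed_last_seen"] != self.last_seen_state_id:
            raise RollbackError("enclave was restarted from an older state")
        self.last_seen_state_id = reply["state_id"]

def run(restart_from):
    """Two requests, restart from host blob index `restart_from`, one more."""
    enclave, client, host_blobs = Enclave(), Client(), []
    for gift in ("flowers", "watch"):  # constructed sample data
        reply, blob = enclave.handle("wife", "last_gift", gift)
        host_blobs.append(blob)
        client.receive(reply)
    restarted = Enclave(host_blobs[restart_from])  # MAC verifies either way
    reply, _ = restarted.handle("wife", "last_gift", "ring")
    client.receive(reply)  # raises RollbackError if the host replayed blob 0
    return client.last_seen_state_id
```

`run(-1)` restarts from the latest blob and completes; `run(0)` replays the first blob, which still unseals correctly, and the client raises `RollbackError`.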


Security architectures like Intel SGX do require protection against rollback attacks, where a malicious host can violate the integrity of the enclave state by replaying an old persisted state. In this blog post, we saw how Conclave SDK prevents rollback attacks and lets the Conclave developer focus on writing the business logic.

Sneha Damle is a Developer Evangelist at R3, an enterprise blockchain software firm working with a global ecosystem of more than 350 participants across multiple industries from both the private and public sectors to develop on Corda, its open-source blockchain platform, Corda Enterprise, a commercial version of Corda for enterprise usage, and Conclave, a confidential computing platform.
