A group of security researchers from Graz University of Technology recently disclosed detailed methods of deploying attacks from inside Intel’s SGX Security Enclave. The research paper received decent media attention probably due to recently discovered architecture vulnerabilities, such as Meltdown and Spectre. Researchers also released proof of concept (PoC) code for Linux that successfully escapes the securely enclosed environment.
Symantec researchers implemented a similar PoC on the Windows platform. This PoC was then used to prove that protection against such an attack is not only possible but already included in Symantec protection products for many years. Common belief is that it is practically impossible to detect SGX-escaping malware. Later on, we will explain why this claim is misleading and how our protection works.