Article ID: 000058898 Content Type: Product Information & Documentation Last Reviewed: 07/19/2021

Why are Nested ecalls Harmful from a Security Perspective?


Mitigate security vulnerabilities by preventing ocalls calling ecalls in Intel® Software Guard Extensions (Intel® SGX) applications.


Unable to find documentation on why nested ecalls can be harmful. A nested ecall is when an ecall calls an ocall and the ocall calls an ecall.


The Intel® Software Guard Extensions (Intel® SGX) Developer Guide explains:

You should be aware that when an OCall is made, it opens the door for nested ECalls. Once outside the enclave, an attacker trying to find vulnerabilities may invoke any ISV interface function exposed as an ECall to recursively call into the enclave. When an OCall is needed, you may reduce the surface attack blocking ISV interface functions such that nested ECalls are not allowed. For instance, you may store the state information (corresponding to the OCall in progress) inside the enclave. However, an enclave cannot depend on nested ECalls occurring in certain order during an OCall. Initially, nested ECalls (ECalls during an OCall) are allowed and only limited by the amount of stack reserved inside the enclave. However, ISVs should be aware that such constructs complicates the security analysis on the enclave. When the need for nested ECalls arises, the enclave writer should try to partition the application in a different manner. If nested ECalls cannot be avoided, the enclave writer should limit the ISV interface functions that may be called recursively to only those strictly required.

Related Products

This article applies to 2 products