SGX-PFS provides protected file API for SGX enclaves. The API is similar to its libc's counterpart (fopen, fread, fwrite, etc.), but offers the extra protection required by SGX enclaves: the protected files are encrypted and saved on the untrusted disk during a write operation, and they are verified for confidentiality and integrity during a read operation. SGX-PFS also offers freshness in the sense that a protected file of SGX-PFS cannot be partially rolled back to older versions. A protected file is also guaranteed to be consistent regardless of any crashes.

For our discussion, we first define a snapshot as the persistent state of a system at a point of time. For example, the snapshots of a Docker container are the file changes in the container saved with "docker commit". An enclave can also have snapshots. If an enclave uses protected files of SGX-PFS to persist its states, then these protected files constitute the snapshot of the enclave.

With snapshots defined, we can then explain transient snapshots. Transient snapshots of an enclave are those that are not expected by the application logic inside the enclave. Having unexpected content, and transient snapshots may cause unexpected behaviors of the enclave. In the worst case, unexpected behaviors can lead to security loopholes.

Exploiting transient snapshots to attack enclaves is possible due to three factors.

1. Transient snapshots can be generated by enclaves. To maximize performance, the storage I/O stack, either in normal environments or SGX environments, generally gives users few guarantees on the ordering and timing of writes. For example, the I/O elevator in an OS kernel (including a library OS for SGX) may reorder or merge I/O writes to block devices. As another example, according to the POSIX standard, file writes may not persist on the disk until calling the fsync or fdatasync system call. Consequently, the storage I/O stack may produce intermediate on-disk states that are neither visible nor expected by users---or in our words, transient snapshots. This conclusion also applies to SGX-PFS.

2. Transient snapshots can be captured by the adversary. Transient snapshots are not a security issue in normal environments simply because they are usually not accessible to adversaries. But in SGX environments, the adversary can control everything beyond enclaves, including monitoring every I/O operation and saving every bit of on-disk data. Thus, the adversary can capture the snapshots of an enclave at an arbitrary time, including the snapshots of every protected file of SGX-PFS.

3. Transient snapshots can be replayed by the adversary. After capturing a snapshot of an enclave, the adversary can start new instances of the enclave with that snapshot. For SGX-PFS, different snapshots of a protected file share the same root key; the enclave cannot differentiate between them. So snapshots of protected files can be replayed.

After observing the fact that an enclave generates transient snapshots, the adversary can capture and replay transient snapshots in an attempt to cause unexpected behaviors of the application logic inside the enclave. This is what we call a transient snapshot attack.

Check our attack demo and PoC code on GitHub for more details.