How reliable are secure enclaves against side-channel attacks on private keys?

Secure hardware enclaves improve confidentiality by isolating code and keys from an untrusted operating system, but their protection against side-channel attacks is limited. Victor Costan and Srinivas Devadas at MIT explain that enclave architectures like Intel SGX assume a strong logical isolation model while leaving microarchitectural channels outside that threat model. This gap makes private keys stored in enclaves vulnerable in practice when attackers control the platform or its scheduler.

Design limits and attacker capabilities

The central issue is a threat-model mismatch. Enclaves protect against direct extraction by privileged software, yet CPU components such as caches, branch predictors, and speculative execution units are shared resources whose behavior can be observed indirectly. Paul Kocher at Cryptography Research documented how timing variations reveal secret-dependent computation long before enclave technology existed. Yuval Yarom and Katrina Falkner at the University of Adelaide demonstrated high-resolution cache techniques that have since been adapted to enclave contexts, showing that microarchitectural leakage is practical under real-world conditions.

Causes, demonstrated consequences, and mitigations

The root causes include shared microarchitectural state, attacker control of scheduling or memory mapping, and cryptographic implementations that are not constant-time. Researchers have shown that attackers can infer cryptographic keys by monitoring cache usage patterns or forcing page faults to learn memory access sequences. Consequences extend beyond technical compromise: financial and privacy harms for users, regulatory exposure for cloud providers, and geopolitical risk when enclaves are used to protect sensitive data across territorial boundaries. Intel Corporation and other vendors have issued mitigations such as microcode updates, process isolation recommendations, and guidance to adopt constant-time algorithms, but these are often partial and performance-sensitive.
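As an added illustration of what "constant-time" means for code that handles secrets (example code written for this page, not from the cited researchers or any vendor), the block below places a tag comparison that leaks through its early exit beside one that does not, and adds a table lookup that reads every entry so the cache line touched does not depend on the secret index. The function names and the sample table are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Leaky comparison: exits at the first mismatch, so iteration count,
 * timing and branch-predictor state depend on how many leading bytes of
 * the secret tag the caller guessed right. */
int tag_equal_leaky(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;                     /* secret-dependent early exit */
    return 1;
}

/* Constant-time comparison: touches every byte, ORs the differences, and
 * turns the result into 0/1 with arithmetic instead of a branch. */
int tag_equal_ct(const uint8_t *a, const uint8_t *b, size_t n)
{
    unsigned int diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned int)(a[i] ^ b[i]);
    return (int)(1u & ((diff - 1u) >> 8));   /* diff == 0 -> 1, else 0 */
}

/* Constant-time table lookup: a plain table[idx] reveals idx through the
 * cache line it touches; reading every entry and masking hides it. */
uint8_t ct_lookup(const uint8_t *table, size_t len, size_t idx)
{
    uint8_t out = 0;
    for (size_t i = 0; i < len; i++) {
        size_t d = i ^ idx;
        /* ne is 1 when i != idx, 0 when i == idx, computed without a branch */
        size_t ne = (d | ((size_t)0 - d)) >> (sizeof(size_t) * 8 - 1);
        out |= table[i] & (uint8_t)(ne - 1);  /* ne==0 -> 0xFF, ne==1 -> 0 */
    }
    return out;
}

/* Constructed 16-entry sample table (arbitrary values, not a real S-box). */
static const uint8_t kSampleTable[16] = { 0x3a, 0x91, 0x07, 0xc4, 0x5e, 0xd2,
    0x18, 0xbf, 0x66, 0x0d, 0xa9, 0x72, 0xe3, 0x4c, 0x85, 0xf0 };

/* Returns 1 when ct_lookup agrees with direct indexing for every index. */
int ct_lookup_matches_direct(void)
{
    for (size_t i = 0; i < 16; i++)
        if (ct_lookup(kSampleTable, 16, i) != kSampleTable[i])
            return 0;
    return 1;
}
```

Compilers may reintroduce branches or reorder these patterns, so practitioners inspect the emitted assembly or run a constant-time checking tool rather than trusting the source alone.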

In practice, reliability depends on a layered approach: hardware improvements that reduce shared-state leakage, software that implements side-channel-resistant cryptography, and operational controls that restrict attacker influence over the host. For high-value private keys, relying solely on current enclave technology without additional mitigations is not foolproof. Combining formal cryptographic best practices with vendor patches and independent threat assessments yields the strongest protection available today.