MAGE: Mutual Attestation for a Group of Enclaves without Trusted Third Parties

Intel Software Guard Extensions (SGX) local and remote attestation mechanisms enable an enclave to attest its identity (i.e., the enclave measurement, which is the cryptographic hash of its initial code and data) to an enclave. To verify that the attested identity is trusted, one enclave usually includes the measurement of the enclave it trusts into its initial data in advance assuming no trusted third parties are available during runtime to provide this piece of information. However, when mutual trust between these two enclaves is required, it is infeasible to simultaneously include into their own initial data the other's measurements respectively as any change to the initial data will change their measurements, making the previously included measurements invalid. In this paper, we propose MAGE, a framework enabling a group of enclaves to mutually attest each other without trusted third parties. Particularly, we introduce a technique to instrument these enclaves so that each of them could derive the others' measurements using information solely from its own initial data. We also provide a prototype implementation based on Intel SGX SDK, to facilitate enclave developers to adopt this technique.