Hacker News
by mdriley 2147 days ago
SGX is a tool in the toolbox, but it solves a different problem: isolating a small section of especially privileged code from the rest of a larger, less-trusted application.

The sandbox described in the article is trying to do roughly the opposite: protect the main application from an isolated section of untrusted code.

Also, SGX requires extreme care in deployment due to side-channel attacks; see e.g. https://software.intel.com/security-software-guidance/insigh...

SEV is also interesting, but requires code to run in a separate VM -- which satisfies my requirement above that it at least be in a different process.