Lun Wang

1. How does SGX prevent against an attacker who modifies a bit in memory? (Say the attacker mounts a rowhammer attack that modifies a certain region in memory and flips a security-critical bit.)

When a page is inside EPC, it is almost impossible for the attacker to launch a rowhammer attack because in Figure 3, the EPC is isolated from other memory by PRM reserved for HW use. When a page is evicted out of EPC, the enclave will do a integrity check when reloading it and any modification will be detected.