Securing DDS with Intel SGX: Part 3 – Hardened DDS Services

This is Part 3 in a six‑blog series on this topic. If you’re new to this series, please read the previous blogs here.

In Part 2, I demonstrated how to create a hardened endpoint using RTI Connext DDS Micro + Security, SCONE, and Intel SGX. While compelling, we have yet to explore a practical solution that incorporates SGX natively. Part 1 suggested that DDS + SGX is more likely to appear in a server room than on a traditional Industrial Internet of Things (IIoT) endpoint. In this installment, we focus on real‑world deployments of SGX‑hardened DDS applications through the lens of DDS services.

Many DDS services are prime targets for security hardening. They subscribe to multiple topics, which means they must hold more of the ephemeral keys used for encryption. These keys reside in application memory, and a skilled attacker can extract them or, more effectively, read or modify data while it is in plain text just before or after decryption. Encryption alone does not help if the data is exposed in memory.

Figure 1: Attack Surface in DDS Environments

Our architecture, introduced in Part 1, allows DDS‑protected packets to arrive on the wire, be routed into SGX protected space before decryption, and then operated on securely. Since the CPU can view the data only in plain text inside the enclave, there is no need for exotic operations such as homomorphic encryption. This design yields a clear advantage: encrypted data travels across the network, enters a protected enclave, is decrypted, processed, and then re‑encrypted for outbound traffic.

Because DDS already secures wire traffic, the same approach enables a heterogeneous network where non‑SGX applications can communicate with SGX‑enabled ones—including DDS services—without compromising security.

Consider the RTI Routing Service. The OMG DDS Security specification mandates that the routing service operate on clear data, even momentarily, and it retains all the temporary keys from every endpoint it has communicated with. When positioned at the network edge, it becomes a high‑value target for attackers.

Figure 2: RTI Routing Service Provides a Protected Space for Applications Running in SGX Environments

SCONE offers built‑in, transparent support for encrypted file stores and attestation. By leveraging these features, we can store the private keys used for identity inside a protected space that is inaccessible to root or any other user. This approach extends to all data that the application writes to disk.

Figure 3: DDS and RTI Routing Service is Protected in SCONE Environments

For example, we can securely store DDS communications for authorized replay. SCONE also provides native TLS support for secure communication between authorized SCONE containers, such as SQLite.

With these tools, we can build an infrastructure where data remains protected at all times—even against a malicious system administrator or external attacker. However, the application must first verify its own integrity before accessing trusted services, network connections, or secure stores. This is the purpose of the attestation service.

The attestation service performs remote verification that an application is unmodified, authentic, and running on a genuine SGX CPU. Although originally provided exclusively by Intel, the ecosystem is evolving. Remote attestation may appear daunting, but in practice it is a one‑time operation that persists across reboots. It uses ISA instructions with cryptographic integrity guarantees, seals the resulting values to disk, and allows them to be reused for proving the application’s authenticity to remote partners. This capability is especially valuable in distributed systems where trust between remote components is essential.

SCONE supplies its own attestation service. Enterprise license holders can manage it locally; non‑enterprise users can rely on SCONE’s global attestation service, which will be examined in later posts.

In the next article, I will evaluate the cost of implementing security in DDS‑SGX environments.