An OCALL (Outside Call) is the inverse of an ECALL. While an ECALL allows the untrusted host to enter the enclave, an OCALL is the only mechanism for enclave code to request services from the untrusted operating system, such as file I/O, network access, or memory allocation. Because the enclave cannot directly execute system calls, an OCALL defines a narrow, developer-specified bridge to the outside world.
Glossary
OCALL

What is OCALL?
An OCALL is a strictly defined, controlled exit function that allows code executing inside a hardware-protected enclave to temporarily transfer execution to the untrusted host application to perform necessary system-level operations.
This transfer is a critical security boundary. The enclave must treat all data returned from an OCALL as potentially malicious, performing rigorous validation before use. The Trusted Computing Base (TCB) explicitly excludes the host OS, so an OCALL is a necessary but high-risk interface that must be minimized and carefully audited to prevent Iago attacks, where a malicious OS returns crafted values to compromise enclave logic.
Key Characteristics of OCALLs
OCALLs (Outside Calls) are the strictly controlled exit points that allow an enclave to temporarily transfer execution to the untrusted host application. They form the essential bridge for enclaves to interact with the operating system for I/O, memory management, and network access.
Controlled Host Transition
An OCALL is a strictly defined function call that temporarily exits the protected enclave memory region to execute code in the untrusted host application. Unlike arbitrary jumps, OCALLs enforce a predefined interface—the enclave developer explicitly declares which host functions are callable. The processor switches memory encryption contexts, ensuring enclave secrets remain inaccessible to the host during execution. Upon completion, control returns to the enclave via a corresponding ECALL or return mechanism.
System Call Proxy
Enclaves operate in user mode and lack direct kernel access. OCALLs serve as proxies for essential system calls:
- File I/O: Reading configuration files or writing logs to untrusted storage
- Network communication: Sending encrypted results to remote clients
- Memory allocation: Requesting additional host memory pages
- Time services: Obtaining wall-clock time from the untrusted OS Without OCALLs, enclaves would be computationally isolated but functionally inert.
Untrusted Return Validation
A critical security principle: the enclave must never trust data returned from an OCALL. The host application is untrusted and could be malicious—it may return corrupted buffers, spoofed timestamps, or malformed file contents. Enclave code must:
- Cryptographically verify any returned data against expected hashes
- Bounds-check all buffer lengths and pointer ranges
- Sanitize all inputs before using them in sensitive computations Failure to validate OCALL returns is a leading cause of enclave vulnerabilities.
Interface Definition Language (IDL)
OCALLs are defined in an Enclave Definition Language (EDL) file, which serves as the contract between trusted and untrusted code. The EDL specifies:
- Function signatures with exact parameter types
- Pointer directionality (
[in],[out],[user_check]) - Buffer size annotations for deep copy operations The Edger8r tool processes EDL files to generate proxy and bridge functions that handle the context switch, memory marshaling, and boundary checks automatically.
Performance Overhead
OCALLs incur significant latency compared to local function calls due to:
- Context switching: CPU transitions between enclave and non-enclave modes
- Memory copying: Parameters are deep-copied across the enclave boundary to prevent TOCTOU attacks
- TLB flushes: Translation lookaside buffer entries may be invalidated Typical OCALL overhead ranges from 8,000 to 12,000 CPU cycles per invocation. Minimizing OCALL frequency is critical for performance-sensitive workloads like real-time inference.
Attack Surface Expansion
Every OCALL represents a potential attack vector. Malicious host applications can:
- Return inconsistent data across multiple calls to confuse enclave logic
- Delay or drop OCALL responses to trigger timeout-based vulnerabilities
- Exploit Iago attacks: Manipulating return values of seemingly benign functions like
malloc()ortime()Defense requires treating the host as a Byzantine adversary—designing enclave logic that remains correct even under arbitrary host misbehavior.
OCALL vs. ECALL
Comparison of the two fundamental controlled transition functions that govern the bidirectional interface between an untrusted host application and a protected enclave in Intel SGX and similar TEE architectures.
| Feature | OCALL | ECALL |
|---|---|---|
Direction | Enclave → Host (Inside-Out) | Host → Enclave (Outside-In) |
Initiator | Trusted enclave code | Untrusted host application |
Execution context | Temporarily exits protected memory | Enters protected memory region |
Primary purpose | Request system services (I/O, networking, filesystem) | Invoke trusted functions on sensitive data |
Parameter passing | Enclave passes data to untrusted host | Host passes data into enclave |
Return value handling | Must validate all host-returned data as untrusted | Enclave returns trusted results to host |
Security risk | Host can corrupt or refuse service; data leakage via parameters | Interface is attack surface for enclave entry |
Attestation required |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technical answers to the most common questions about OCALLs, the controlled exit functions that allow trusted enclaves to interact with the untrusted host operating system.
An OCALL (Outside Call) is a strictly defined, controlled exit function that allows code executing inside a hardware-enforced Trusted Execution Environment (TEE) enclave to temporarily transfer execution control to the untrusted host application. The primary purpose of an OCALL is to request services that the enclave cannot perform itself—most critically, making system calls (e.g., file I/O, network access, memory allocation) to the host operating system. The mechanism works through a bridge: the enclave developer defines OCALL stubs in the trusted interface definition, and when invoked, the processor performs a controlled state transition, exiting the protected enclave memory region, executing the untrusted function, and then securely re-entering the enclave with the result. This ensures the enclave's protected memory remains isolated while still enabling necessary interaction with the outside world.
Related Terms
OCALLs are one half of the strictly defined interface between protected enclave code and the untrusted host. Explore the complementary mechanisms that form the complete enclave boundary.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us