Inferensys

Glossary

OCALL

A controlled exit function that allows an enclave to temporarily transfer execution to the untrusted host application to make necessary system calls, returning results to the protected environment.
Control room desk with laptops and a large orchestration network display.
ENCLAVE INTERFACE

What is OCALL?

An OCALL is a strictly defined, controlled exit function that allows code executing inside a hardware-protected enclave to temporarily transfer execution to the untrusted host application to perform necessary system-level operations.

An OCALL (Outside Call) is the inverse of an ECALL. While an ECALL allows the untrusted host to enter the enclave, an OCALL is the only mechanism for enclave code to request services from the untrusted operating system, such as file I/O, network access, or memory allocation. Because the enclave cannot directly execute system calls, an OCALL defines a narrow, developer-specified bridge to the outside world.

This transfer is a critical security boundary. The enclave must treat all data returned from an OCALL as potentially malicious, performing rigorous validation before use. The Trusted Computing Base (TCB) explicitly excludes the host OS, so an OCALL is a necessary but high-risk interface that must be minimized and carefully audited to prevent Iago attacks, where a malicious OS returns crafted values to compromise enclave logic.

ENCLAVE EXIT FUNCTIONS

Key Characteristics of OCALLs

OCALLs (Outside Calls) are the strictly controlled exit points that allow an enclave to temporarily transfer execution to the untrusted host application. They form the essential bridge for enclaves to interact with the operating system for I/O, memory management, and network access.

01

Controlled Host Transition

An OCALL is a strictly defined function call that temporarily exits the protected enclave memory region to execute code in the untrusted host application. Unlike arbitrary jumps, OCALLs enforce a predefined interface—the enclave developer explicitly declares which host functions are callable. The processor switches memory encryption contexts, ensuring enclave secrets remain inaccessible to the host during execution. Upon completion, control returns to the enclave via a corresponding ECALL or return mechanism.

02

System Call Proxy

Enclaves operate in user mode and lack direct kernel access. OCALLs serve as proxies for essential system calls:

  • File I/O: Reading configuration files or writing logs to untrusted storage
  • Network communication: Sending encrypted results to remote clients
  • Memory allocation: Requesting additional host memory pages
  • Time services: Obtaining wall-clock time from the untrusted OS Without OCALLs, enclaves would be computationally isolated but functionally inert.
03

Untrusted Return Validation

A critical security principle: the enclave must never trust data returned from an OCALL. The host application is untrusted and could be malicious—it may return corrupted buffers, spoofed timestamps, or malformed file contents. Enclave code must:

  • Cryptographically verify any returned data against expected hashes
  • Bounds-check all buffer lengths and pointer ranges
  • Sanitize all inputs before using them in sensitive computations Failure to validate OCALL returns is a leading cause of enclave vulnerabilities.
04

Interface Definition Language (IDL)

OCALLs are defined in an Enclave Definition Language (EDL) file, which serves as the contract between trusted and untrusted code. The EDL specifies:

  • Function signatures with exact parameter types
  • Pointer directionality ([in], [out], [user_check])
  • Buffer size annotations for deep copy operations The Edger8r tool processes EDL files to generate proxy and bridge functions that handle the context switch, memory marshaling, and boundary checks automatically.
05

Performance Overhead

OCALLs incur significant latency compared to local function calls due to:

  • Context switching: CPU transitions between enclave and non-enclave modes
  • Memory copying: Parameters are deep-copied across the enclave boundary to prevent TOCTOU attacks
  • TLB flushes: Translation lookaside buffer entries may be invalidated Typical OCALL overhead ranges from 8,000 to 12,000 CPU cycles per invocation. Minimizing OCALL frequency is critical for performance-sensitive workloads like real-time inference.
06

Attack Surface Expansion

Every OCALL represents a potential attack vector. Malicious host applications can:

  • Return inconsistent data across multiple calls to confuse enclave logic
  • Delay or drop OCALL responses to trigger timeout-based vulnerabilities
  • Exploit Iago attacks: Manipulating return values of seemingly benign functions like malloc() or time() Defense requires treating the host as a Byzantine adversary—designing enclave logic that remains correct even under arbitrary host misbehavior.
ENCLAVE INTERFACE COMPARISON

OCALL vs. ECALL

Comparison of the two fundamental controlled transition functions that govern the bidirectional interface between an untrusted host application and a protected enclave in Intel SGX and similar TEE architectures.

FeatureOCALLECALL

Direction

Enclave → Host (Inside-Out)

Host → Enclave (Outside-In)

Initiator

Trusted enclave code

Untrusted host application

Execution context

Temporarily exits protected memory

Enters protected memory region

Primary purpose

Request system services (I/O, networking, filesystem)

Invoke trusted functions on sensitive data

Parameter passing

Enclave passes data to untrusted host

Host passes data into enclave

Return value handling

Must validate all host-returned data as untrusted

Enclave returns trusted results to host

Security risk

Host can corrupt or refuse service; data leakage via parameters

Interface is attack surface for enclave entry

Attestation required

OCALL EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about OCALLs, the controlled exit functions that allow trusted enclaves to interact with the untrusted host operating system.

An OCALL (Outside Call) is a strictly defined, controlled exit function that allows code executing inside a hardware-enforced Trusted Execution Environment (TEE) enclave to temporarily transfer execution control to the untrusted host application. The primary purpose of an OCALL is to request services that the enclave cannot perform itself—most critically, making system calls (e.g., file I/O, network access, memory allocation) to the host operating system. The mechanism works through a bridge: the enclave developer defines OCALL stubs in the trusted interface definition, and when invoked, the processor performs a controlled state transition, exiting the protected enclave memory region, executing the untrusted function, and then securely re-entering the enclave with the result. This ensures the enclave's protected memory remains isolated while still enabling necessary interaction with the outside world.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.