116 research outputs found
SGX-Aware Container Orchestration for Heterogeneous Clusters
Containers are becoming the de facto standard to package and deploy
applications and micro-services in the cloud. Several cloud providers (e.g.,
Amazon, Google, Microsoft) begin to offer native support on their
infrastructure by integrating container orchestration tools within their cloud
offering. At the same time, the security guarantees that containers offer to
applications remain questionable. Customers still need to trust their cloud
provider with respect to data and code integrity. The recent introduction by
Intel of Software Guard Extensions (SGX) into the mass market offers an
alternative to developers, who can now execute their code in a hardware-secured
environment without trusting the cloud provider.
This paper provides insights regarding the support of SGX inside Kubernetes,
an industry-standard container orchestrator. We present our contributions
across the whole stack supporting execution of SGX-enabled containers. We
provide details regarding the architecture of the scheduler and its monitoring
framework, the underlying operating system support and the required kernel
driver extensions. We evaluate our complete implementation on a private cluster
using the real-world Google Borg traces. Our experiments highlight the
performance trade-offs that will be encountered when deploying SGX-enabled
micro-services in the cloud.Comment: Presented in the 38th IEEE International Conference on Distributed
Computing Systems (ICDCS 2018
AccTEE: A WebAssembly-based Two-way Sandbox for Trusted Resource Accounting
Remote computation has numerous use cases such as cloud computing, client-side web applications or volunteer computing. Typically, these computations are executed inside a sandboxed environment for two reasons: first, to isolate the execution in order to protect the host environment from unauthorised access, and second to control and restrict resource usage. Often, there is mutual distrust between entities providing the code and the ones executing it, owing to concerns over three potential problems: (i) loss of control over code and data by the providing entity, (ii) uncertainty of the integrity of the execution environment for customers, and (iii) a missing mutually trusted accounting of resource usage.
In this paper we present AccTEE, a two-way sandbox that offers remote computation with resource accounting trusted by consumers and providers. AccTEE leverages two recent technologies: hardware-protected trusted execution environments, and Web-Assembly, a novel platform independent byte-code format. We show how AccTEE uses automated code instrumentation for fine-grained resource accounting while maintaining confidentiality and integrity of code and data. Our evaluation of AccTEE in three scenarios – volunteer computing, serverless computing, and pay-by-computation for the web – shows a maximum accounting overhead of 10%
A Trusted and Privacy-Enhanced In-Memory Data Store
The recent advent of hardware-based trusted execution environments provides isolated
execution, protected from untrusted operating systems, allowing for the establishment
of hardware-shielded trust computing base components. As the processor provides such
a “shielded” trusted execution environment (TEE), their use will allow users to run appli cations securely, for example on the remote cloud servers, whose operating systems and
hardware are exposed to potentially malicious remote attackers, non-controlled system
administrators and staff from the cloud providers. On the other hand, Linux containers
managed by Docker or Kubernetes are interesting solutions to provide lower resource
footprints, faster and flexible startup times, and higher I/O performance, compared with
virtual machines (VM) enabled by hypervisors. However, these solutions suffer from soft ware kernel mechanisms, easier to be compromised in confidentiality and integrity as sumptions of supported application data. In this dissertation we designed, implemented
and evaluated a Trusted and Privacy-Enhanced In-Memory Data Store, making use of a
hardware-shielded containerised OS-library to support its trust-ability assumptions. To
support large datasets, requiring data to be mapped outside those hardware-enabled con tainers, our solution uses partial homomorphic encryption, allowing trusted operations
executed in the protected execution environment to manage in-memory always-encrypted
data, that can be or not mapped inside the TEE.Os recentes avanços de ambientes de execução confiáveis baseados em hardware fornecem execução isolada, protegida contra sistemas operativos não confiáveis, permitindo o
estabelecimento de componentes base de computação de confiança protegidos por hardware. Como o processador fornece esses ambientes de execução confiável e "protegida"
(TEE), o seu uso permitirá que os utilizadores executem aplicações com segurança, por
exemplo em servidores cloud remotos, cujos sistemas operativos e hardware estão expostos a atacantes potencialmente maliciosos assim como administradores de sistema não
controlados e membros empregados dos sistemas de cloud. Por outro lado, os containers
Linux geridos por sistemas Docker ou Kubernetes são soluções interessantes para poupar
recursos físicos, obter tempos de inicialização mais rápidos e flexíveis e maior desempenho de I/O (interfaces de entrada e saída), em comparação com as tradicionais máquinas
virtuais (VM) activadas pelos hipervisores. No entanto, essas soluções sofrem com software e mecanismos de kernel mais fáceis de comprometerem os dados das aplicações na
sua integridade e privacidade.
Nesta dissertação projectamos, implementamos e avaliamos um Sistema de Armazenamento de Dados em Memória Confiável e Focado na Privacidade, utilizando uma
biblioteca conteinerizada e protegida por hardware para suportar as suas suposições de
capacidade de confiança. Para oferecer suporte para grandes conjuntos de dados, exigindo assim que os dados sejam mapeados fora dos containers seguros pelo hardware,
a solução utiliza encriptação homomórfica parcial, permitindo que operações executadas no ambiente de execução protegido façam gestão de dados na memória que estão
permanentemente cifrados, estando eles mapeados dentro ou fora dos containers seguros
SGXIO: Generic Trusted I/O Path for Intel SGX
Application security traditionally strongly relies upon security of the
underlying operating system. However, operating systems often fall victim to
software attacks, compromising security of applications as well. To overcome
this dependency, Intel introduced SGX, which allows to protect application code
against a subverted or malicious OS by running it in a hardware-protected
enclave. However, SGX lacks support for generic trusted I/O paths to protect
user input and output between enclaves and I/O devices.
This work presents SGXIO, a generic trusted path architecture for SGX,
allowing user applications to run securely on top of an untrusted OS, while at
the same time supporting trusted paths to generic I/O devices. To achieve this,
SGXIO combines the benefits of SGX's easy programming model with traditional
hypervisor-based trusted path architectures. Moreover, SGXIO can tweak insecure
debug enclaves to behave like secure production enclaves. SGXIO surpasses
traditional use cases in cloud computing and makes SGX technology usable for
protecting user-centric, local applications against kernel-level keyloggers and
likewise. It is compatible to unmodified operating systems and works on a
modern commodity notebook out of the box. Hence, SGXIO is particularly
promising for the broad x86 community to which SGX is readily available.Comment: To appear in CODASPY'1
Personal Data Management Systems: The security and functionality standpoint
International audienceRiding the wave of smart disclosure initiatives and new privacy-protection regulations, the Personal Cloud paradigm is emerging through a myriad of solutions offered to users to let them gather and manage their whole digital life. On the bright side, this opens the way to novel value-added services when crossing multiple sources of data of a given person or crossing the data of multiple people. Yet this paradigm shift towards user empowerment raises fundamental questions with regards to the appropriateness of the functionalities and the data management and protection techniques which are offered by existing solutions to laymen users. These questions must be answered in order to limit the risk of seeing such solutions adopted only by a handful of users and thus leaving the Personal Cloud paradigm to become no more than one of the latest missed attempts to achieve a better regulation of the management of personal data. To this end, we review, compare and analyze personal cloud alternatives in terms of the functionalities they provide and the threat models they target. From this analysis, we derive a general set of functionality and security requirements that any Personal Data Management System (PDMS) should consider. We then identify the challenges of implementing such a PDMS and propose a preliminary design for an extensive and secure PDMS reference architecture satisfying the considered requirements. Finally, we discuss several important research challenges remaining to be addressed to achieve a mature PDMS ecosystem
Blockchain based Resource Governance for Decentralized Web Environments
Decentralization initiatives such as Solid and ActivityPub aim to give data
owners more control over their data and to level the playing field by enabling
small companies and individuals to gain access to data, thus stimulating
innovation. However, these initiatives typically employ access control
mechanisms that cannot verify compliance with usage conditions after access has
been granted to others. In this paper, we extend the state of the art by
proposing a resource governance conceptual framework, entitled ReGov, that
facilitates usage control in decentralized web environments. We subsequently
demonstrate how our framework can be instantiated by combining blockchain and
trusted execution environments. Through blockchain technologies, we record
policies expressing the usage conditions associated with resources and monitor
their compliance. Our instantiation employs trusted execution environments to
enforce said policies, inside data consumers' devices.} We evaluate the
framework instantiation through a detailed analysis of requirements derived
from a data market motivating scenario, as well as an assessment of the
security, privacy, and affordability aspects of our proposal
Performance principles for trusted computing with intel SGX
Accepted manuscript version of the following article Gjerdrum, A.T., Pettersen, R., Johansen, H.D. & Johansen, D. (2018). Performance principles for trusted computing with intel SGX. Communications in Computer and Information Science, 864. © Springer International Publishing AG, part of Springer Nature 2018. Published version available at https://doi.org/10.1007/978-3-319-94959-8_1.Cloud providers offering Software-as-a-Service (SaaS) are increasingly being trusted by customers to store sensitive data. Companies often monetize such personal data through curation and analysis, providing customers with personalized application experiences and targeted advertisements. Personal data is often accompanied by strict privacy and security policies, requiring data processing to be governed by non-trivial enforcement mechanisms. Moreover, to offset the cost of hosting the potentially large amounts of data privately, SaaS companies even employ Infrastructure-as-a-Service (IaaS) cloud providers not under the direct supervision of the administrative entity responsible for the data. Intel Software Guard Extensions (SGX) is a recent trusted computing technology that can mitigate some of these privacy and security concerns through the remote attestation of computations, establishing trust on hardware residing outside the administrative domain. This paper investigates and demonstrates the added cost of using SGX, and further argues that great care must be taken when designing system software in order to avoid the performance penalty incurred by trusted computing. We describe these costs and present eight specific principles that application authors should follow to increase the performance of their trusted computing systems
HasTEE: Programming Trusted Execution Environments with Haskell
Trusted Execution Environments (TEEs) are hardware-enforced memory isolation
units, emerging as a pivotal security solution for security-critical
applications. TEEs, like Intel SGX and ARM TrustZone, allow the isolation of
confidential code and data within an untrusted host environment, such as the
cloud and IoT. Despite strong security guarantees, TEE adoption has been
hindered by an awkward programming model. This model requires manual
application partitioning and the use of error-prone, memory-unsafe, and
potentially information-leaking low-level C/C++ libraries.
We address the above with \textit{HasTEE}, a domain-specific language (DSL)
embedded in Haskell for programming TEE applications. HasTEE includes a port of
the GHC runtime for the Intel-SGX TEE. HasTEE uses Haskell's type system to
automatically partition an application and to enforce \textit{Information Flow
Control} on confidential data. The DSL, being embedded in Haskell, allows for
the usage of higher-order functions, monads, and a restricted set of I/O
operations to write any standard Haskell application. Contrary to previous
work, HasTEE is lightweight, simple, and is provided as a \emph{simple security
library}; thus avoiding any GHC modifications. We show the applicability of
HasTEE by implementing case studies on federated learning, an encrypted
password wallet, and a differentially-private data clean room.Comment: To appear in Haskell Symposium 202
- …