SGX Community Day 2020

Intel Labs hosted the 2nd Annual SGX Community Day on July 14-15, 2020. Over 100 researchers and engineers attended, from Intel, other companies, universities, and the government. The talks highlighted current confidential computing deployments, a number of frameworks for running unmodified Linux applications, Rust and WebAssembly runtimes, attestation frameworks, as well as a number of privacy protection use cases with SGX.

Talk Subject About the Author

Azure Confidential Computing

Vikas Bhatia, Microsoft

Confidential computing allows users to upload code and data to the cloud and get back results with guaranteed privacy while ensuring that cloud providers cant see customers’ secrets even if cloud administrators are malicious or hackers have exploited bugs in the guest, host or hypervisor. In this session, we cover the capabilities provided by Azure for confidential computing such as the recently generally available VMs, supporting developer tooling and infrastructure services, and the strong ISV ecosystem. We will also cover use cases and app models that developers can adopt to design their cloud services to run at scale in the Azure confidential cloud

Vikas Bhatia is Head of Product for Azure Confidential Computing (ACC). Prior to ACC, Vikas lead the Product team for Project Rome in the Windows Developer Platform team. He has also done stints on Cloud Game Streaming, Xbox One and the C++ Compiler in DevDiv.

Graphene: A platform for unmodified Linux applications on SGX

Don Porter, University of North Carolina Chapel Hill

Graphene is a Library OS for running unmodified Linux applications on SGX, including multi-process applications. Graphene is open-sourced under the LGPL license and includes support for a wide range of Linux abstractions, including fork and inter-process communication (IPC). This talk summarizes the status of Graphene and development milestones over the past year, and the future roadmap for the project.

Graphene is available at https://grapheneproject.io/

Don Porter is an Associate Professor of Computer Science at the University of North Carolina at Chapel Hill. Porter's research interests broadly involve developing more efficient and secure computer systems. Porter earned a Ph.D. and M.S. from The University of Texas at Austin, and a B.A. from Hendrix College. He has received awards including the NSF CAREER Award, the Bert Kay Outstanding Dissertation Award from UT Austin, and Best Paper Awards at FAST 2016, EuroSys 2016, and RTNS 2018.

Occlum LibOS: where we are and where we are going to

Shoumeng Yan, Ant Financial

Occlum is a memory-safe, multi-process library OS (LibOS) for Intel SGX. As a LibOS, it enables legacy applications to run on SGX with little or even no modifications of source code, thus protecting the confidentiality and integrity of user workloads transparently. We will speak about the status of Occlum and its next steps.

Shoumeng Yan is a director at Ant Financial, leading the confidential computing R&D of the company. Before that, he was a senior staff research scientist at Intel Labs, with 10+ years experience in system, security, and programming languages. Shoumeng holds a Ph.D in CS.

SGX-LKL: A Linux-based Runtime System for SGX Enclaves

Peter Pietzuch, Imperial College London

When deploying existing Linux applications to run inside SGX enclaves, users want full compatibility with Linux combined with strong security properties. In this talk, I describe SGX-LKL, a runtime system for SGX enclaves that relies on a port of the Linux kernel to SGX. Similar to other embedded Linux systems, SGX-LKL runs a no-MMU architecture (LKL) of the Linux kernel, thus supporting an almost complete Linux system call interface. Disk I/O operations are protected by the existing dm-crypt/integrity/verity implementations for encrypted and integrity-protected disk volumes in Linux; network traffic from the enclave is encrypted transparently by Linux' in-kernel WireGuard VPN implementation. Due to its complete kernel support inside the enclave, SGX-LKL exposes an easy-to-secure thin host interface with only seven calls, similar to other paravirtualised VM designs. This is joint work with Microsoft Research.

Peter Pietzuch is a Professor at Imperial College London, where he leads the Large-scale Data & Systems (LSDS) group. He serves as the Director of Research in the Department of Computing, and is a Visiting Researcher with Microsoft Research. His work focuses on the design and engineering of scalable, reliable and secure large-scale software systems, with a particular interest in performance, data management and security issues. Before joining Imperial College London, he was a post-doctoral fellow at Harvard University. He holds PhD and MA degrees from the University of Cambridge.

Scone Community Edition: New and Upcoming Features

Christof Fetzer, TU Dresden

The SCONE community version provides free access to most features of the SCONE confidential compute platform. The SCONE Configuration and Attestation Service (CAS) supports a policy-based provisioning of secrets to applications. These policies permit us to install SCONE apps with standard deployment mechanisms. In particular, one can use helm to deploy confidential SCONE apps to Kubernetes. In the latest SCONE release, we extended the CAS policy to simplify building multi-party confidential computing across different sites that are using different SCONE CAS instances. While we recommend to use the SCONE cross-compiler to build confidential applications, SCONE also supports transparent runtime encryption of applications on Alpine Linux. The next SCONE release will add support for runtime encryption of glibc-based applications. In an upcoming release, SCONE CAS will add support for SGX Graphene in the sense that transparent attestation and secret provisioning will be available not only for SCONE-based but also for SGX Graphene-based applications.

Christof Fetzer's research focuses on Confidential and Dependable Computing. He is a founder of Cloud&Heat, SIListra Systems, and Scontain. He has been a Professor at TU Dresden, Germany since 2004. Dr. Fetzer received his PhD from the University of California, San Diego.

Anjuna Enterprise Enclaves - a cross-platform lift-and-shift solution for harnessing secure enclaves

Yan Michalevsky, Anjuna

Secure enclaves are positioned to become the standard for securing enterprise applications and data. Using secure enclaves is both time-consuming and expensive when one needs to rewrite or recompile applications with vendor-specific SDKs. Anjuna Enterprise Enclaves brings a lift-and-shift approach to harness the power of memory encryption technologies such as Intel SGX and AMD SEV without requiring changes to the applications or operations.

In this talk we show how Anjuna provides protection for data in-use, at-rest and in-transit while enabling disaster recovery, software updates and access to shared data from multiple hosts using centralized encryption-policy management.

Yan Michalevsky, CTO and co-founder of Anjuna, holds a Ph.D. from Stanford University, where his research focused on applied security and privacy, advised by Prof. Dan Boneh. Formerly, accumulated more than 15 years of industry experience as an engineering team lead and software engineer at several companies. His research has been presented at academic conferences, such as Usenix Security and MobiCom, as well as at practitioner-oriented security conferences, such as BlackHat and the RSA Conference and has been covered by popular media outlets, including the BBC, Wired, Engadget, and KQED TV.

Fortanix Enclave Manager

Nehal Bandi, Fortanix

simplifying and automating management of Intel® SGX applications and infrastructure Fortanix Enclave Manager(EM) enables simplified management of Intel® SGX applications and infrastructure with single "pane of glass” across on-premise and cloud. EM can work with existing applications, enclave-native applications, and pre-packaged application to run in an Intel SGX in minutes. EM enforces security policies including identity verification and attestation to ensure the integrity and confidentiality of data, code, and applications.

Nehal Bandi is an early engineer at Fortanix Inc and currently leads product and solutions for Fortanix RunTime Encryption platform. Prior to Fortanix, Nehal has held technology and leadership roles at companies such as Oracle Corp, Citrix System. He is one of co-founders of Graphene LibraryOS project which was started at Stony Brook University.

Rust Enclave Development Platform Update

Jethro Beekman, Fortanix

An interactive update on the Fortanix Enclave Development Platform for Rust.

Jethro G. Beekman is Technical Director at Fortanix, where he is defining next-generation cloud computing security. Jethro received his M.S. and Ph.D. degrees in Electrical Engineering and Computer Sciences from the U.C. Berkeley in 2014 and 2016, respectively. Before that, he received his B.Sc. degree in Electrical Engineering from the University of Twente, The Netherlands, in 2011. His current research interests include cloud security, secure enclaves, side-channel countermeasures, as well as network and hardware security.

Teaclave: A Universal Secure Computing Platform

Mingshen Sun, Baidu

Apache Teaclave (incubating) is an open source universal secure computing platform, currently undergoing incubation at the Apache Software Foundation. Teaclave is provided as a function-as-a-service platform, which uses Intel SGX to serve the most security-sensitive tasks with hardware-based isolation, memory encryption and attestation. In this talk, we will discuss some highlights of Teaclave, its implementation and internal design, talk about the roadmap and current progress. Finally, we will introduce the Teaclave community and call for contributors in an open source way.

Mingshen Sun works at Baidu and is a member of Apache Teaclave (incubating) PPMC (Podling Project Management Committee). He leads, maintains and actively contributes to several open source projects including Teaclave, MesaPy, Rust OP-TEE TrustZone SDK, etc. Please visit his homepage for more information.

Enarx - WebAssembly, TEEs and strong security assertions

Mike Bursell, Redhat Nathaniel McCallum, Redhat

Enarx is an open source project to provide a platform- independent, strongly attested WebAssembly runtime across TEEs. SGX is one of the project's first targets, and we will give a brief architectural overview and project update (with brief demo, time permitting).

Mike Bursell: Mike Bursell joined Red Hat in August 2016 in the Office of the CTO, following roles working on security, virtualisation and networking. After training in software engineering, he specialised in distributed systems and security, and has worked in architecture and technical strategy for the past few years. His responsibilities at Red Hat include security strategy, external and internal visibility, and thought leadership. He is one of the co-founders of the Enarx project. Nathaniel McCallum: Nathaniel McCallum is a Sr. Principal Engineer at Red Hat where he works on security and cryptography technologies. This has included projects such as MIT Kerberos, FreeIPA, FreeOTP, Clevis, Tang and Enarx. McCallum is a regular presenter at conferences such as Linux Security Summit, Open Source Summit, DevConf, FOSDEM, Storage Developers Conference, Ping Identity Summit and Flock.

WASM in SGX: A Narrow Waist for Confidential Computing

Mic Bowman, Intel

WASM, originally designed for sandboxed execution of web applications on a client, provides a flexible, language independent execution environment for dynamically loaded confidential applications running in SGX. In this talk, I describe our experience running the Web Assembly Microruntime (WAMR) WASM interpreter in SGX and some potential directions for performance optimizations through verified code provenance.

Mic Bowman is a senior principal engineer in Intel Labs and leads the decentralized computing research group. Mic has spent over 20 years working on large-scale databases and distributed systems. Among other roles he served as a member of the Hyperledger Technical Steering Committee for several years contributing to various aspects of architecture definition and evaluation of technologies for privacy and confidentiality. He is currently working on methods for improving the security, scalability, and privacy of distributed ledgers. He received his PhD in Computer Science from the University of Arizona.

The Tale Continues: Pitfalls and Best Practices for SGX Shielding Runtimes

Jo Van Buluck and Fritz Alder, KU Leuven

This talk will present our ongoing work on analyzing the security requirements for popular SGX shielding runtimes (published at ACM CCS 2019) and follow-up work on a subtle yet persisting issue with x87 FPU and SSE floating-point control registers. We analyzed the wide range of today's SGX runtimes from both industry and research and uncovered a wide and re-occurring vulnerability landscape. This talk explicitly sets out to identify common pitfalls and constructive recommendations for best practices for enclave ABI and API sanitization. We conclude with an abstract overview of shielding responsibilities and argue that proper enclave hygiene is instrumental to the success of the emerging SGX ecosystem.

Jo Van Bulck (@jovanbulck) is a PhD candidate at imec-DistriNet, KU Leuven (BE). His research explores microarchitectural security limitations along the hardware-software interface, with particular attention to privileged side-channel attacks in trusted execution environments. Over the past years, Jo has worked on several innovative side-channel and transient-execution attack vectors for Intel SGX processors. Key results include Foreshadow, SGX-Step, Nemesis, ZombieLoad, Plundervolt, and LVI. Fritz Alder (@FritzAlder) is a PhD student at imec-DistriNet at KU Leuven (BE), working on improving the guarantees of TEEs and extending their applicability across the computing spectrum. Recent work includes SGX cloud deployments and real-time availability guarantees for embedded TEEs.

Attestation Challenges/Gaps and Cloud Deployments

Ilhan Gurel, Ericsson

Attestation is a process of measuring code and data; and reporting these measurements as digitally signed to a requesting entity, which can evaluate these measurements further according to known values. While attestation plays an important role as evidence of trust, there are known challenges and gaps with respect to how attestation can be achieved in cloud deployments. The talk will provide an overview of attestation, its key ingredients, existing attestation solutions such as TPM based platform and key attestation, the gaps and challenges especially in cloud deployments, finally how Intel SGX attestation capabilities can address some of these challenges.

Ilhan Gurel works as an expert on trusted HW and SW technologies in the CTO organization at Ericsson. Ilhan works on HW and SW security as well as practical use of cryptography in his role at Ericsson.

SafeTrace: Privacy Preserving Contact Tracing using SGX

Can Kisagun, Enigma

SafeTrace is a privacy preserving contact tracing API that ensures digital contact tracing applications protect end-user privacy. Leveraging Trusted Execution Environments (Intel SGX), SafeTrace API allows users and health authorities to share location and infection information in a privacy-preserving manner. Unlike Bluetooth Low Energy method pushed by Google and Apple, which only allows individual reporting (users receive individual reports showing whether they have been in close spatiotemporal proximity with a diagnosed patient), SafeTrace also enables collective analysis that enables health authorities and crisis response teams to identify hot spots for virus spread.

Can Kisagun - Enigma Co-founder and Chief Product Officer Can (pronounced “John”) sits at the intersection of technology and business and runs non-development workstreams at Enigma. Can is very intrigued with the idea of empowering individuals through privacy and exploring new business models through decentralization. Prior to Enigma, Can has been immersed in the blockchain ecosystem and founded Eximchain, a blockchain based supply chain solution. Previously, Can was a consultant at McKinsey & Company for 3 years. Can holds an MBA degree from MIT Sloan School of Management. Can also holds a BSc in Industrial Engineering degree from Northwestern University.

MC²: A Platform for Secure Collaborative Learning

Rishabh Poddar, UC Berkeley

We introduce MC² -- a platform that enables multiple data owners to jointly train models on their collective data, while preserving the privacy of their individual data. To execute the computation, MC2 provides support for both cryptographic protocols as well as hardware enclaves; this talk focuses on the latter. MC2 exposes familiar APIs to the clients, who jointly orchestrate the end-to-end training pipeline within a cluster of enclaves in the cloud. In addition, MC2 fortifies the enclave execution against attacks that exploit memory access pattern leakage, using novel data-oblivious algorithms that prevent such leakage by design.

Rishabh Poddar is a PhD candidate at UC Berkeley, advised by Raluca Ada Popa. His research focuses on privacy-preserving systems for data analytics and machine learning, using both cryptographic protocols and secure hardware. His work has been published at top-tier security conferences such as Usenix Security and IEEE S&P, as well as top systems conferences such as NSDI and VLDB.

Securing Telecom Core with Intel SGX

Somnath Chakrabarti, Intel

Traditional telecom networks represent high performance network infrastructure with very high data rates and throughput. As link capacities continue to increase, technologies that deliver high packet rate on proprietary hardware keep pushing the complexity and cost of core network functions. Unable to keep up with this trend, the telecom industry is slowly migrating towards open platforms on premise as well as in the cloud and embracing scale-out patterns for performance. However, “protection of data in-use” against various threats is still a big concern for open platform based network functions especially in the cloud environment and It is somewhat assumed in the industry that security vulnerabilities can be overcome on commodity hardware with a heavy compromise on performance. In this talk, we will discuss how the high performance secure packet processing design pattern is being adopted in production telecom networks. We will also discuss about the challenges, gaps and new system architecture to meet necessary security and performance requirements in 5G telco networks

Somnath Chakrabarti is a security researcher at Intel Labs. He is one of the Intel® Software Guard Extensions (Intel® SGX) architects and has made significant contributions to various SGX architectural extensions. He conducts research on next-generation data center security and emerging cloud computing paradigms and currently focussing on security foundations for next-generation secure 5G/Telco core infrastructure

Autarky: Closing controlled channels with self-paging enclaves

Meni Orenbach, Technion

As the first widely-deployed secure enclave hardware, Intel SGX shows promise as a practical basis for confidential cloud computing. However, side channels remain SGX’s greatest security weakness. In particular, the “controlled-channel attack” on enclave page faults exploits a longstanding architectural side channel and still lacks effective mitigation. We propose Autarky: a set of minor, backward-compatible modifications to the SGX ISA that hide an enclave’s page access trace from the host, and give the enclave full control over its page faults. A trusted library OS implements an enclave self-paging policy. We prototype Autarky on current SGX hardware and the Graphene library OS, implementing three paging schemes: a fast software oblivious RAM system made practical by leveraging the proposed ISA, a novel page cluster abstraction for application-aware secure self-paging, and a rate-limiting paging mechanism for unmodified binaries. Overall, Autarky provides a comprehensive defense for controlled-channel attacks which supports efficient secure demand paging and adds no overheads in page-fault free execution.

Meni Orenbach is a Ph.D. candidate in the Accelerated Computing Systems Lab led by Prof. Mark Silberstein at the Technion - Israel Institute of Technology. His work focuses on runtime and compiler techniques to improve the performance and security of hardware-based Trusted Execution Environments, particularly focusing on SGX enclaves. Meni received his BSc. and MSc. from the Technion in 2009 and 2015 respectively.

Mage: Mutual Attestation for a Group of Enclaves without Trusted Third Parties

Yinqian Qian, Ohio State Universtiy

Intel Software Guard Extensions (SGX) local and remote attestation mechanisms enable an enclave to attest its identity (i.e., the enclave measurement, which is the cryptographic hash of its initial code and data) to an enclave. To verify that the attested identity is trusted, one enclave usually includes the measurement of the enclave it trusts into its initial data in advance assuming no trusted third parties are available during runtime to provide this piece of information. However, when mutual trust between these two enclaves is required, it is infeasible to simultaneously include into their own initial data the other’s measurements respectively as any change to the initial data will change their measurements, making the previously included measurements invalid. In this paper, we propose Mage, a framework enabling a group of enclaves to mutually attest each other without trusted third parties. Particularly, we introduce a technique to instrument these enclaves so that each of them could derive the others’ measurements using information solely from its own initial data. We also provide a prototype implementation based on Intel SGX SDK, to facilitate enclave developers to adopt this technique.

Prof. Yinqian Zhang is an Associate Professor of the Department of Computer Science and Engineering at The Ohio State University. His research interests span across multiple domains of computer security, including cloud security, mobile security, IoT security, software security, trusted computing, user authentication, etc. His research has been frequently published at top-tier security venues, such as IEEE S&P, ACM CCS, USENIX Security, and NDSS. Prof. Zhang was a recipient of the Google Ph.D. Fellowship in Security in 2013, CAREER Award from the National Science Foundation in 2018, Lumley Research Award and Outstanding Teaching Award from the Ohio State University in 2019, and Rising Star Award from the Association of Chinese Scholars in Computing in 2019.

How infeasible the malware deployment in SGX is in real-life

Kubilay A Kuecuek, University of Oxford

Besides Intel's SGX technology, there are long-lasting discussions on how trusted computing technologies can be used to cloak malware. The past research showed example methods using Flicker, TPM, and recently integrating with enclaves. There is, however, an ambiguity on whether SGX itself helps to cloak malware, or the additional engineering work outside SGX's ecosystem forcefully attaches malware-behaviour into the enclave. In this talk, we will evaluate what malware aims in real-life, and the state-of-art techniques in malware evasion. Comparing to a non-SGX malware, we discuss that the SGX does not increase the existing attack surface, does not provide any new infection point, does not contribute any new methods to stealthy of malware. We describe 20 points in 20 minutes why a forced-malware using SGX weakens its' existing abilities. The rising disadvantages with SGX on maintenance and malware security (in the eyes of malware authors) make enclaves a bad choice to achieve a successful malware campaign.

Kubilay Ahmet Küçük is a Research Associate in Computer Science at the University of Oxford. His research interests include the problems with confidential remote computation, and system architectures with TPM, TEEs, ARM TZ, seL4, IoT and IIoT. He received PhD studentship from Intel (2015-2017) while his DPhil at University of Oxford. He completed projects focusing on private algorithms in SGX enclaves and SGX with many-party applications in Prof. Andrew Martin's Systems Security group. Before Oxford, he was a research assistant at ETH Zürich in D-MAVT Simulation Group, working with Prof. Wegener and Dr. Weikert. At ETH, he led the software engineering in two CTI/InnoSuisse funded projects in Industry 4.0 domain. He holds a degree in Computer Engineering.