enarx
play

Enarx Protection for data in use Mike Bursell Office of the CTO - PowerPoint PPT Presentation

Dec 31, 2023 •818 likes •1.05k views

Enarx Protection for data in use Mike Bursell Office of the CTO https://enarx.io Nathaniel McCallum Sr. Principal Engineer Trusted Execution Environments Trusted Execution Environments Host TEE TEE is a protected area within the host,

  1. Enarx Protection for data in use Mike Bursell Office of the CTO https://enarx.io Nathaniel McCallum Sr. Principal Engineer

  2. Trusted Execution Environments

  3. Trusted Execution Environments Host TEE TEE is a protected area within the host, for execution of sensitive workloads

  4. Trusted Execution Environments Host TEE TEE is a protected area within the TEE provides: host, for execution of sensitive Memory Confidentiality ● workloads Integrity Protection ● General compute ● HWRNG ●

  5. Trusted Execution Environments Host Tenant TEE Q. “But how do I know that it’s a TEE provides: valid TEE?” Memory Confidentiality ● Integrity Protection ● General compute ● HWRNG ●

  6. Trusted Execution Summary Attestation Host Tenant TEE Q. “But how do I know that it’s a TEE provides: valid TEE?” Memory Confidentiality ● A. Attestation Integrity Protection ● General compute ● HWRNG ●

  7. Trusted Execution Summary Attestation Host Tenant TEE Attestation includes: TEE provides: Diffie-Hellman Public Key Memory Confidentiality ● ● Hardware Root of Trust Integrity Protection ● ● TEE Measurement General compute ● ● HWRNG ●

  8. Trusted Execution Summary Attestation Host Tenant TEE Code + Data (Encrypted) Attestation includes: TEE provides: Diffie-Hellman Public Key Memory Confidentiality ● ● Hardware Root of Trust Integrity Protection ● ● TEE Measurement General compute ● ● HWRNG ●

  9. Introducing Enarx

  10. Enarx Principles 1. We don’t trust the host owner 2. We don’t trust the host software 3. We don’t trust the host users 4. We don’t trust the host hardware a. … but we’ll make an exception for CPU + firmware

  11. Enarx Design Principles 1. Minimal Trusted Computing Base 2. Minimum trust relationships 3. Deployment-time portability 4. Network stack outside TCB 5. Security at rest, in transit and in use 6. Auditability 7. Open source 8. Open standards 9. Memory safety 10. No backdoors

  12. Enarx Architecture Application Language Bindings (libc, etc.) WASI W3C standards WebAssembly Process-Based VM-Based SGX SEV Keep Keep Sanctum PEF MKTME

  13. Enarx is a Development Deployment Framework Choose Your Develop Compile to Language / Tools Application WebAssembly Choose Host Instance Configuration

  14. Abstracts HW Abstracts Linux Abstracts Protocol Bare Metal Virtual Machine Container Serverless Abstracts Common OS APIs Just enough legacy support to enable trivial application portability. Homogeneity to enable radical deployment-time portability. No interfaces which accidentally leak data to the host. Bridges process-based and VM-based TEE models. No operating system to manage.

  15. Process flow

  16. Overview (AMD example) “Server” “Client” Attestation Host handshake AMD firmware Tenant Code + data Secure VM delivery Code runs (encrypted) 16

  17. Enarx architectural components Host Client Enarx Application Code + Data client CLI Keep (Encrypted) agent 1, 5 Enarx runtime 6 1, 5 3,7 Orchestrator Client/ Enarx host (e.g. Openshift/k8s, host agent 2, 4 agent Openstack) comms Attestation CPU + firmware 17

  18. Enarx attestation process diagram CLI / Enarx client Enarx host CPU/firmware Enarx Keep Orchestrator agent agent 1. Request workload placement 2. Request Keep 3. Create Keep, load Enarx runtime 4. Measurement of Keep + Enarx runtime 5. OK/not-OK 6. Code + Data (encrypted) 7. Load Code + Data into Keep Client Host

  19. Enarx Status

  20. Current Status 1. SEV: Fully attested demo w/ custom assembly. a. Ketuvim: KVM library with SEV support 2. SGX: Fully attested demo w/ data delivery. 3. PEF: Ongoing discussions with POWER team. 4. WASM/WASI: Demo with some basic WASI functions.

  21. We Need Your Help! Website: https://enarx.io Code: https://github.com/enarx Master plan: https://github.com/enarx/enarx/issues/1 License: Apache 2.0 Language: Rust 21

  22. Questions? https://enarx.io

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security and confidential computing axel simon office of the CTO enarx.io The Problem The

Security and confidential computing axel simon office of the CTO enarx.io The Problem The

Security and confidential computing axel simon office of the CTO enarx.io The Problem The Need for Confidentiality and Integrity Banking & Finance Government & Public Sector Telco IoT HIPAA GDPR

543 views • 53 slides
Trusted Execution Environments on Mobile Devices ACM CCS 2013 tutorial Jan-Erik Ekberg, Trustonic

Trusted Execution Environments on Mobile Devices ACM CCS 2013 tutorial Jan-Erik Ekberg, Trustonic

Trusted Execution Environments on Mobile Devices ACM CCS 2013 tutorial Jan-Erik Ekberg, Trustonic Kari Kostiainen, ETH Zurich N. Asokan, University of Helsinki and Aalto University What is a TEE? Processor, memory, storage, peripherals

1.23k views • 112 slides
! Apps Apps RAM ! Ring 0 - 2 OS / Hypervisor OS / Hypervisor Remote Attestation Protected

! Apps Apps RAM ! Ring 0 - 2 OS / Hypervisor OS / Hypervisor Remote Attestation Protected

Keystone : An Open Framework for Architecting Trusted Execution Environments Dayeol Lee , David Kohlbrenner, Shweta Shinde, Krste Asanovic, Dawn Song Dept. of Electrical Engineering and Computer Sciences University of California, Berkeley

599 views • 30 slides
The Origins of Silicon Valley: Why and How It Happened Paul Wesling, H-P (retired), IEEE Life

The Origins of Silicon Valley: Why and How It Happened Paul Wesling, H-P (retired), IEEE Life

The Origins of Silicon Valley: Why and How It Happened September 25, 2019 Lehigh Valley Section, IEEE at Lehigh University The Origins of Silicon Valley: Why and How It Happened Paul Wesling, H-P (retired), IEEE Life Fellow

1.08k views • 38 slides
United Nation-South Africa Symposium on Basic Space Science Technology Panel Discussion on

United Nation-South Africa Symposium on Basic Space Science Technology Panel Discussion on

United Nation-South Africa Symposium on Basic Space Science Technology Panel Discussion on Fostering Cost effective and need-driv iven Space program in in Afric ica towards reduction in in satell llit ite mis ission cost By: Quansah

512 views • 25 slides
Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments Aravind Machiry , Eric

Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments Aravind Machiry , Eric

Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments Aravind Machiry , Eric Gustafson, Chad Spensky, Chris Salls, Nick Stephens, Ruoyu Wang, Antonio Bianchi, Yung Ryn Choe, Christopher Kruegel, and Giovanni Vigna Sandia

1.1k views • 51 slides
OP-TEE Using TrustZone to Protect Our Own Secrets ROM-Code Bootloader OP-TEE Kernel Root File

OP-TEE Using TrustZone to Protect Our Own Secrets ROM-Code Bootloader OP-TEE Kernel Root File

OP-TEE Using TrustZone to Protect Our Own Secrets ROM-Code Bootloader OP-TEE Kernel Root File System ELC Europe 2017, 23.10.2017 Marc Kleine-Budde <mkl@pengutronix.de> Slide 1 - http://www.pengutronix.de - 2017-10-23 Overview ARM

1.06k views • 18 slides
Updates from the RISC-V TEE Group Nick Kossifidis <mick@ics.forth.gr> Security-related

Updates from the RISC-V TEE Group Nick Kossifidis <mick@ics.forth.gr> Security-related

Updates from the RISC-V TEE Group Nick Kossifidis <mick@ics.forth.gr> Security-related RISC-V Task Groups 2 About the TEE Task Group One of the most popular groups (112 registered members) Regular conference calls / mailing list

675 views • 13 slides
Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel

Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel

Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel Busch , Kalle Dirsch 2020-02-23 Friedrich-Alexander-University Erlangen-Nrnberg, Germany BAR20 BAR20 Motivation How secure are

352 views • 16 slides
Unearthing the TrustedCore A Critical Review on Huaweis Trusted Execution Environment August

Unearthing the TrustedCore A Critical Review on Huaweis Trusted Execution Environment August

Unearthing the TrustedCore A Critical Review on Huaweis Trusted Execution Environment August 11, 2020 Marcel Busch , Johannes Westphal, Tilo Mller Friedrich-Alexander-University Erlangen-Nrnberg, Germany Motivation TEEs are the backbone

696 views • 35 slides
https://ggle.io/3K3w McIntyre Tee Shirts For Is your childs McIntyre t-shirt too small,

https://ggle.io/3K3w McIntyre Tee Shirts For Is your childs McIntyre t-shirt too small,

https://ggle.io/3K3w McIntyre Tee Shirts For Is your childs McIntyre t-shirt too small, description: https://ggle.io/3DVI ripped, torn or missing? Would you like to show your McIntyre school spirit at school events or when volunteering?

527 views • 19 slides
Easy Generation and Efficient Validation of Proofs for SAT and QBF Marijn J.H. Heule 1/37

Easy Generation and Efficient Validation of Proofs for SAT and QBF Marijn J.H. Heule 1/37

Easy Generation and Efficient Validation of Proofs for SAT and QBF Marijn J.H. Heule 1/37 Introduction to SAT and QBF Clausal Proof Systems for SAT and QBF Abstract Proof System for SAT Inprocessing Clausal Proofs for QBF Preprocessing

919 views • 48 slides
Necessity of 45-day Transesophageal Echocardiography after WATCHMAN Procedure amid the COVID-19

Necessity of 45-day Transesophageal Echocardiography after WATCHMAN Procedure amid the COVID-19

Necessity of 45-day Transesophageal Echocardiography after WATCHMAN Procedure amid the COVID-19 Pandemic Bryan E-Xin Tan, M.D. PGY-3 Internal Medicine Rochester General Hospital No Conflict of Interest Necessity of 45-day Transesophageal RESULTS

250 views • 8 slides
& Trusted Computing Erik Poll Digital Security Radboud University Nijmegen Classic

& Trusted Computing Erik Poll Digital Security Radboud University Nijmegen Classic

Hardware Security Trusted Execution Environments (TEEs) & Trusted Computing Erik Poll Digital Security Radboud University Nijmegen Classic hardware-backed security solutions smartcard for users HSM (Hardware Security Module) in

774 views • 63 slides
NSF Mid-Scale Proposal: CE Interface Hardware John Jablonski, Michael Mooney Colorado State

NSF Mid-Scale Proposal: CE Interface Hardware John Jablonski, Michael Mooney Colorado State

NSF Mid-Scale Proposal: CE Interface Hardware John Jablonski, Michael Mooney Colorado State University DUNE APA Workshop June 11 th , 2019 1 Scope Scope Scope of CE interface hardware package covers fabrication and quality control of

582 views • 18 slides
Everything You Need to Know to Make Money in Coin-Op Golden Tee Golf A Case Study Elaine A.

Everything You Need to Know to Make Money in Coin-Op Golden Tee Golf A Case Study Elaine A.

Everything You Need to Know to Make Money in Coin-Op Golden Tee Golf A Case Study Elaine A. Hodgson President/CEO Incredible Technologies, Inc. The video game industry originally started with coin-operated video games. Consumer games

117 views • 7 slides
Keeping Up With Coach Training Rachel Maruno, Sr. Manager Coach Training Megan Pak, Sr.

Keeping Up With Coach Training Rachel Maruno, Sr. Manager Coach Training Megan Pak, Sr.

Keeping Up With Coach Training Rachel Maruno, Sr. Manager Coach Training Megan Pak, Sr. Coordinator Coach Training (EAST) Emily Mock, Coordinator Coach Training (WEST) Agenda Whats new? Registration Process Preparing for Training

490 views • 11 slides
How To Get A New Shirt Make it yourself: How To Get A Shirt Make it yourself: Get if

How To Get A New Shirt Make it yourself: How To Get A Shirt Make it yourself: Get if

How To Get A New Shirt Make it yourself: How To Get A Shirt Make it yourself: Get if from a store or factory: How To Get A Shirt Make it yourself: Get if from a store or factory: Have someone give it to you: How To Get A

282 views • 10 slides
Dimensionality Reduction & Embedding (part 2/2) Prof. Mike Hughes Many ideas/slides

Dimensionality Reduction & Embedding (part 2/2) Prof. Mike Hughes Many ideas/slides

Tufts COMP 135: Introduction to Machine Learning https://www.cs.tufts.edu/comp/135/2019s/ Dimensionality Reduction & Embedding (part 2/2) Prof. Mike Hughes Many ideas/slides attributable to: Emily Fox (UW), Erik Sudderth (UCI) 2 What

998 views • 52 slides
Scalaz-Stream Masterclass Rnar Bjarnason, Verizon Labs @ runarorama NEScala 2016 , Philadelphia

Scalaz-Stream Masterclass Rnar Bjarnason, Verizon Labs @ runarorama NEScala 2016 , Philadelphia

Scalaz-Stream Masterclass Rnar Bjarnason, Verizon Labs @ runarorama NEScala 2016 , Philadelphia Scalaz-Stream (FS2) F unctional S treams for S cala https://github.com/functional-streams-for-scala/fs2 Disclaimer This library is

1.16k views • 93 slides
Certification and IoT Guillaume Boufgard ( guillaume.boufgard@ssi.gouv.fr ) Agence nationale de la

Certification and IoT Guillaume Boufgard ( guillaume.boufgard@ssi.gouv.fr ) Agence nationale de la

Certification and IoT Guillaume Boufgard ( guillaume.boufgard@ssi.gouv.fr ) Agence nationale de la scurit des systmes dinformation 23 Mai 2019 Until now Security features are made on specific devices Payment Identity Travel

560 views • 26 slides
Preserving Privacy at IXPs + Xiaohe Hu * Arpit Gupta , Nick Feamster , Aurojit Panda , Scott

Preserving Privacy at IXPs + Xiaohe Hu * Arpit Gupta , Nick Feamster , Aurojit Panda , Scott

Preserving Privacy at IXPs + Xiaohe Hu * Arpit Gupta , Nick Feamster , Aurojit Panda , Scott Shenker + * Internet Exchange Points Global Transit / Hyper Giants National Large Content, Consumer, Hosting CDN

729 views • 20 slides
Iteratees in C the lightning talk pesco @khjk.org 30C3, Hamburg, 27-30.12.2013 Wat?

Iteratees in C the lightning talk pesco @khjk.org 30C3, Hamburg, 27-30.12.2013 Wat?

Iteratees in C the lightning talk pesco @khjk.org 30C3, Hamburg, 27-30.12.2013 Wat? Iteratees are stream processors. Programming model / API to allow reasoning about I/O Origin: functional programming Challenge: Do it without

374 views • 10 slides
Preprocessing and Inprocessing Techniques in SAT Armin Biere Institute for Formal Models and

Preprocessing and Inprocessing Techniques in SAT Armin Biere Institute for Formal Models and

Preprocessing and Inprocessing Techniques in SAT Armin Biere Institute for Formal Models and Verification Johannes Kepler University Linz, Austria joint work with Marijn Heule and Matti J arvisalo WorKer11 3rd Workshop on Kernelization

1.03k views • 49 slides

More recommend