with enarx trusting untrusted systems

Towards a Safe and Secure Smart World

Trusting untrusted systems with Enarx

Mike BursellOffice of the CTO, Red Hat

axel simonOffice of the CTO, Red Hat

https://enarx.io

The Problem

The Need for Confidentiality and Integrity● IoT● Smart transport● Smart energy● Edge

● Routers● Pumping stations● Wind farms● Bus stops● Pico-cells● Drones● Smart meters

Virtualization Stack

Container Stack

https://xkcd.com/2166/

ConfidentialComputingConsortium

Confidential Computing Consortium

Linux Foundation project

Premier members

Confidential Computing Consortium

Linux Foundation project

Premier members

General members

Enarx: the Plan

Enarx: the Principles

Don’t trust the hostDon’t trust the host ownerDon’t trust the host operatorAll hardware cryptographically verifiedAll software audited and cryptographically verified

Trusted Execution Environments

TEE is a protected area within the host, for execution of sensitive workloads

TEE provides:● Memory Confidentiality● Integrity Protection● General compute● HWRNG

Trusted Execution Environments

TEE is a protected area within the host, for execution of sensitive workloads

How does Enarx use a TEE?

Enarx Keep

App + runtime

Open hybrid cloud and Enarx

Step 1: on premises

TrustedSemi-trustedUntrusted

Internal Internet

Internal dev

Step 1: on premises

Internal Internet

Internal dev

Owned host

Step 2: private cloud

Orchestrator

Image repository

Internal Internet

Internal dev

Owned host

Workload

Orchestrator

Workload

Image repository

Internal Internet

Internal dev

Owned host

Workload

Orchestrator

Workload

Image repository CheckVendor Image

repository

Internal Internet

Internal dev

Owned host

Workload

Step 3: public cloud

Orchestrator

Workload

Image repositoryVendor Image

repository

Internal Internet

Internal dev

CSP host

Workload

Step 4: hybrid cloud

Workload

repository

Internal Internet

Internal dev Orchestrator

Workload

CSP hostOwned host

Workload

Step 5: hybrid multicloud

Workload

repository

Internal Internet

Workload

CSP host

Owned host

How does Enarx fit here?

Enarx Keep

App + runtime

Untrusted host

Workload

Step 6: Enarx hybrid multicloud

Workload

repository

Internal Internet

Workload

CSP host

Owned host

Enarx Keep

New options for workloads with Enarx

Mix and match for different workload types & Enarx

repository

Internal Internet

Sensitive workload

CSP host

Owned host ? CSP host

repository

Internal Internet

CSP host

Owned host

Sensitive workload

CSP host

repository

Internal Internet

CSP host

Owned host

Sensitive workload

CSP host

Enarx Keep

Standard workload

Sensitive workload

repository

Internal Internet

Sensitive workload

CSP host

Owned host ? CSP host

Enarx Keep

Standard workload

Sensitive workload

Standard workload

repository

Internal Internet

WorkloadSensitive workload

CSP host

Owned host CSP host

Enarx Keep

On which technology do I build my application?

Introducing Enarx

Enarx is a Development Deployment Framework

Choose Your Language / Tools

Compile to WebAssembly

Develop Application

Choose Host

Instance Configuration

Enarx is a Development Deployment Framework(Example components)

Choose Your Language / Tools

Compile to WebAssembly

Develop Application

Choose Host

Instance Configuration

Dev tooling

IBM Cloud, Azure, AWS, ...Openshift

Enarx Project Principles

1. We don’t trust the host owner2. We don’t trust the host software3. We don’t trust the host users4. We don’t trust the host hardware

a. … with the exception of CPU + firmware

Enarx Design Principles

1. Minimal Trusted Computing Base2. Minimum trust relationships3. Deployment-time portability4. Network stack outside TCB5. Security at rest, in transit and in use6. Auditability 7. Open source8. Open standards 9. Memory safety

10. No backdoors

Enarx architectural componentsHost Client

Enarx runtime

Enarx host agent

Enarx client agent

Enarx architectural components

Enarx runtime

Enarx host agent

Enarx client agent

Enarx Keep - trustedMeasured and attestedWebAssembly+WASI runtimeInside a TEE instance

Enarx host agent - untrustedActs a proxy between Enarx client agent and:

● CPU/firmware● Enarx Keep

Enarx client agent - trustedWorks with orchestration/CLI Manages attestationApplies policyEncrypts and transports workload

Enarx architectural componentsHost Client

Orchestrator(e.g. Openshift/k8s,

Openstack)

Enarx runtime

Application

CPU + firmware

Enarx host agent

Enarx client agent

CLIKeep

Enarx Keep Architecture

VM-BasedKeep

Process-BasedKeep

Sanctum

WebAssembly

Language Bindings (libc, etc.)

W3Cstandards

Application

Enarx: the Fit

Don’t trust the hostDon’t trust the host ownerDon’t trust the host operatorAll hardware cryptographically verifiedAll software audited and cryptographically verified

Well suited to microservicesWell suited to sensitive data or algorithmsEasy development integrationSimple deploymentStandards based: WebAssembly (WASM)

The vision● IoT● Smart transport● Smart energy● Edge

● Routers● Pumping stations● Wind farms● Bus stops● Pico-cells● Drones● Smart meters

Allow sensitive applications to be:● Written using existing tools● Deployed simply● Take advantage of audited, open

source infrastructural components● Executed transparently on different

hardware● Run anywhere!

We Need Your Help!

Website: https://enarx.io

Code: https://github.com/enarx

Gitter: https://gitter.im/enarx/

Master plan: https://github.com/enarx/enarx/issues/1

License: Apache 2.0

Language: Rust

Daily stand-ups open to all! Check the website wiki for details.

Questions?

https://enarx.io

Enarx architectural components

Attestation

Code + Data(Encrypted)

Host Client

Orchestrator(e.g. Openshift/k8s,

Openstack)

Enarx runtime

Application

CPU + firmware

Enarx host agent

Enarx client agent

CLIKeep

Client/ host agent

Enarx attestation process diagram

Client Host

CLI / Orchestrator

Enarx client agent

Enarx host agent CPU/firmware Enarx Keep

1. Request workload placement

Client Host

CLI / Orchestrator

Enarx client agent

2. Request Keep

Client Host

CLI / Orchestrator

Enarx client agent

2. Request Keep

3. Create Keep, load Enarx runtime

Client Host

CLI / Orchestrator

Enarx client agent

2. Request Keep

4. Measurement of Keep + Enarx runtime

Client Host

CLI / Orchestrator

Enarx client agent

2. Request Keep

5. OK/not-OK

Client Host

CLI / Orchestrator

Enarx client agent

2. Request Keep

5. OK/not-OK

6. Code + Data (encrypted)

Client Host

CLI / Orchestrator

Enarx client agent

2. Request Keep

5. OK/not-OK

6. Code + Data (encrypted)

7. Load Code + Data into Keep

with enarx trusting untrusted systems

Documents

provable data possession at untrusted stores

privacy preservation over untrusted mobile networks

data staging on untrusted surrogates

trusting the people

ad trusting management

elijah: trusting god - helwys god_tg_… · elijah:...

trusting wikipedia

protecting data in untrusted locations

trusting models of controlled systems

haven: shielding applications from an untrusted …. e....

08 trusting gods goodness

encrypted databases for untrusted cloud

trusting godshow

trusting afghans their development

securing time in untrusted operating systems with timeseal

secure content distribution using untrusted servers

trusting the internet

trusting institutions - philarchive.org

trusting one’s judgement

secure personal content networking over untrusted...