Hardware-Aided Trusted Computing
Logging, debugging and error management in Confidential Computing
Challenges around maintaining confidentiality and integrity when logging
<p>Debugging applications is an important part of the development process. However, error messages and general logging can leak sensitive data, and in some cases even compromise your whole stack, as developers worldwide have recently learned from the log4j vulnerability.</p>
<p>With Confidential Computing, the world gets much more complicated, as every piece of information that a malicious entity on the host (including the host itself!) can gather may be leaking vital information about your workload. This talk details some of the problems that arise, and discusses some options to address them whilst considering real life workloads and application lifecycles.</p>
Log entries and other error messages can be very useful, but they can also provide information to other parties - sometimes information which you’d prefer they didn’t have. This is particularly true when you are thinking about Confidential Computing: running applications or workloads in environments where you really want to protect the confidentiality and integrity of your application and its data.
This talk examines some of the issues that we need to consider when designing Confidential Computing frameworks, the applications we run in them, and their operations. Designers and architects of the TEE infrastructure and even, to a lesser extent, of potential workloads themselves, need to consider very carefully the impact of host gaining access to messages associated with the workload and the infrastructure components. It is, realistically, infeasible to restrict all communication to levels appropriate for deployment, so it is recommended that various profiles are created which can be applied to different stages of a deployment, and whose use is carefully monitored, logged (!) and controlled by process.
Additional information
| Type | devroom |
|---|
More sessions
| 2/5/22 |
<p>A brief introduction to the room and to the sessions.</p>
|
| 2/5/22 |
<p>Intel SGX provided a mechanism to better isolate user-level software from attackers. However, attackers will still use various methods to attack SGX and user’s Enclaves. And user’s code inside Enclave may also have bugs, which can be leveraged by the attackers. We are from intel SGX SDK team, we have conducted security analysis and pen-test for SGX Enclave (based on SGX SDK) during the past 10+ years. We want to summarize some past exploits we encountered in our daily work and what's the ...
|
| 2/5/22 |
<p>Gramine (formerly called "Graphene") is a lightweight library OS, designed to run a single Linux application in an isolated environment. Currently, Gramine runs on Linux and Intel SGX enclaves on Linux platforms. With Intel SGX support, Gramine can secure a critical application in a hardware-encrypted memory region and protect the application from a malicious system stack with minimal porting effort ("lift and shift" approach).</p> <p>Several major events happened to the Gramine project in ...
|
| 2/5/22 |
<p>The Enarx project reached a huge milestone: its first official release, featuring WebAssembly runtime. WebAssembly and Confidential Computing are a great match because WebAssembly offers developers a wide range of language choices, it works across silicon architectures, and it provides a sandboxed environment. This presentation will highlight the benefits of WebAssembly to Confidential Computing and showcase some demos.</p>
|
| 2/5/22 |
<p>Short break.</p>
|
| 2/5/22 |
<p>Veracruz is a framework for designing and deploying privacy-preserving computations amongst a group of mutually mistrusting individuals. Veracruz uses strong isolation technologies, such as AWS Nitro Enclaves, Arm CCA Realms, and the high-assurance seL4 hypervisor, to provide a safe, neutral ground, within which a sandboxed WebAssembly program executes. Recent enhancements to Veracruz have made it possible to support larger, more complex privacy-preserving computations: we have adopted the ...
|
| 2/5/22 |
<p>The confidentiality and integrity guarantees offered by Intel SGX enclaves can be easily thwarted if the enclave has not been properly designed. Its interface with the untrusted software stack is a perhaps the largest attack surface that adversaries can exploit; unintended interactions with untrusted code can expose the enclave to memory corruption attacks, for instance.</p> <p>We have proposed a notion, called orderliness, that embodies good practice set out by academic papers and the ...
|
