security and confidential computing
play

Security and confidential computing axel simon office of the CTO - PowerPoint PPT Presentation

Aug 19, 2022 •13 likes •543 views

Security and confidential computing axel simon office of the CTO enarx.io The Problem The Need for Confidentiality and Integrity Banking & Finance Government & Public Sector Telco IoT HIPAA GDPR

  1. Security and confidential computing axel simon office of the CTO enarx.io

  2. The Problem

  3. The Need for Confidentiality and Integrity Banking & Finance ● Government & Public Sector ● Telco ● IoT ● HIPAA ● GDPR ● Sensitive enterprise functions ● Defense ● Human Rights NGOs ● ... ●

  4. Virtualization Stack Application Middleware Userspace Kernel Bootloader Hypervisor Firmware BIOS | EFI CPU | Management Engine

  5. Container Stack Application Middleware Userspace Container Engine Kernel Bootloader Hypervisor Firmware BIOS | EFI CPU | Management Engine

  6. Virtualization Stack as seen by xkcd (xkcd.com/2166)

  7. Trusted Execution Environments

  8. What’s a TEE? TEE Application Middleware Userspace Kernel Bootloader Hypervisor Firmware BIOS | EFI CPU | Management Engine

  9. What’s a TEE? TEE Application Middleware Userspace Kernel Bootloader Hypervisor Firmware BIOS | EFI Only the CPU has access CPU | Management Engine

  10. What’s a TEE? TEE Application Middleware Userspace Kernel What happens when Bootloader other layers try to access? Hypervisor Firmware BIOS | EFI Only the CPU has access CPU | Management Engine

  11. What’s a TEE? TEE Application Middleware Userspace Kernel What happens when Bootloader other layers try to access? Hypervisor Blocked by CPU Firmware BIOS | EFI Only the CPU has access CPU | Management Engine

  12. Trusted Execution Environments Host TEE TEE is a protected area within the host, for execution of sensitive workloads

  13. Trusted Execution Environments Host TEE TEE is a protected area within the TEE provides: host, for execution of sensitive Memory Confidentiality ● workloads Integrity Protection ● General compute ● HWRNG ●

  14. Trusted Execution Environments Host Tenant TEE Q. “But how do I know that it’s a TEE provides: valid TEE?” Memory Confidentiality ● Integrity Protection ● General compute ● HWRNG ●

  15. Trusted Execution Summary Attestation Host Tenant TEE Q. “But how do I know that it’s a TEE provides: valid TEE?” Memory Confidentiality ● A. Attestation Integrity Protection ● General compute ● HWRNG ●

  16. Trusted Execution Summary Attestation Host Tenant TEE Code + Data (Encrypted) Attestation includes: TEE provides: Diffie-Hellman Public Key Memory Confidentiality ● ● Hardware Root of Trust Integrity Protection ● ● TEE Measurement General compute ● ● HWRNG ●

  17. Trusted Execution Models Process-Based VM-Based Intel SGX (not upstream) AMD SEV ● ● RISC-V Sanctum (no hardware) IBM PEF (no hardware) ● ● Intel MKTME (no attestation¹) ● Not a TEE: TrustZone, TPM 1. Attestation is discussed here: https://patents.google.com/patent/US20190042463A1/en?oq=20190042463

  18. Trusted Execution: Process-Based PROS CONS Access to system APIs from Keep Unfiltered system API calls from Keep ● ● Application redesign required ● Untested security boundary ● Fantastic for malware ● Lock-in ●

  19. Trusted Execution: Virtual Machine-Based PROS CONS Strengthening of existing boundary Hardware emulation ● ● Run application on existing stacks Heavy weight for microservices ● ● Bidirectional isolation CPU architecture lock-in ● ● Limits malware Duplicated kernel pages ● ● Host-provided BIOS ●

  20. Introducing Enarx

  21. The Enarx 5-bullet overview Uses TEEs (SGX, SEV, etc.) for confidential workloads ●

  22. The Enarx 5-bullet overview Uses TEEs (SGX, SEV, etc.) for confidential workloads ● Easy development and deployment using Wasm ●

  23. The Enarx 5-bullet overview Uses TEEs (SGX, SEV, etc.) for confidential workloads ● Easy development and deployment using Wasm ● Strong security design principles ●

  24. The Enarx 5-bullet overview Uses TEEs (SGX, SEV, etc.) for confidential workloads ● Easy development and deployment using Wasm ● Strong security design principles ● Cloud-native → Openshift, kubernetes ●

  25. The Enarx 5-bullet overview Uses TEEs (SGX, SEV, etc.) for confidential workloads ● Easy development and deployment using Wasm ● Strong security design principles ● Cloud-native → Openshift, kubernetes ● Open source: project , not production-ready (yet) ●

  26. Enarx Where do we want to be?

  27. What’s the full picture? “Server” “Client” Attestation Host handshake CPU + firmware Tenant Workload Enarx Keep delivery Workload runs (encrypted) 27

  28. Enarx Architecture Application Language Bindings (libc, etc.) WASI W3C standards WebAssembly Process-Based VM-Based SGX SEV Keep Keep Sanctum PEF MKTME

  29. Enarx Architecture Application Language Bindings (libc, etc.) WASI W3C standards WebAssembly Process-Based VM-Based SGX SEV Keep Keep Intel AMD

  30. Breaking things down with SGX Application Process-Based SGX Keep

  31. Breaking things down with SGX Application Process-Based Keep SGX

  32. Breaking things down with SGX Application Process-Based Keep SGX

  33. CONFIDENTIAL Designator SGX demo

  34. Breaking things down with SEV Application VM-Based SEV Keep

  35. Breaking things down with SEV Application VM-Based Keep SEV

  36. Breaking things down with SEV Application VM-Based Keep SEV

  37. CONFIDENTIAL Designator SEV demo

  38. Where we’d like to be Application Process-Based VM-Based Keep Keep SGX SEV

  39. Where we’d like to be Application Process-Based VM-Based Keep Keep SGX SEV

  40. Where we’d like to be Same binary Application Application Process-Based VM-Based Keep Keep SGX SEV

  41. Where we’d like to be Where we are Same binary Application Application Process-Based VM-Based Keep Keep SGX SEV

  42. CONFIDENTIAL Designator

  43. CONFIDENTIAL Designator

  44. Layers - process-based Keep Application WASI Trusted via Enarx Keep Measurement WASM (JIT) Enarx Shim Loader Silicon architecture-dependent Silicon architecture-dependent Distrusted Kernel Root of Trust CPU (Intel)

  45. Layers (now) - process-based Keep Application Enarx Shim Loader Kernel CPU (Intel)

  46. Layers - VM-based Keep Application WASI Trusted via Enarx Keep Measurement WASM (JIT) Enarx Shim Loader (VMM) Silicon architecture-dependent Silicon architecture-dependent Distrusted Kernel Root of Trust CPU (AMD)

  47. Layers (now) - process-based Keep Application Enarx Shim Loader (VMM) Kernel CPU (AMD)

  48. Where we’d like to be Where we are Same binary ELF static-PIE binary ELF static-PIE binary Enarx Enarx Shim Shim Loader Loader (VMM) Kernel Kernel CPU (Intel) CPU (AMD)

  49. Where we’d like to be next One binary Wasm binary WASI WASM (JIT) Enarx Enarx Shim Shim Loader Loader (VMM) Kernel Kernel CPU (Intel) CPU (AMD)

  50. We are an open project ● Code ✓ GitHub ● Wiki ✓ GitHub ● Design ✓ GitHub ● Issues & PRs ✓ GitHub ● Chat ✓ Rocket.Chat (Thank you!) ● CI/CD resources ✓ Packet.io (Thank you!) ● Stand-ups ✓ Open to all ● Diversity ✓ Contributor Covenant CofC 50

  51. We Need Your Help! Website: https://enarx.io Daily stand-ups open to all! Check the website wiki for details. Code: https://github.com/enarx License: Apache 2.0 Language: Rust 51

  52. We Need Your Help! Website: https://enarx.io Daily stand-ups open to all! Check the website wiki for details. Code: https://github.com/enarx License: Apache 2.0 Language: Rust 52

  53. Questions? https://enarx.io

Recommend

SECURITY AND CUSTOMER EXPERIENCE IN SELF SERVICE A brief history NCR Confidential - Use

SECURITY AND CUSTOMER EXPERIENCE IN SELF SERVICE A brief history NCR Confidential - Use

SECURITY AND CUSTOMER EXPERIENCE IN SELF SERVICE A brief history NCR Confidential - Use and Disclose Solely Pursuant to Company Instructions NCR Confidential NCR Confidential friction Experience = + confusion NCR Confidential NCR

967 views • 60 slides
Amazon Confidential 7/11/2019 Amazon Confidential Security | Accurate Delivery | Cost Savings

Amazon Confidential 7/11/2019 Amazon Confidential Security | Accurate Delivery | Cost Savings

Amazon Confidential 7/11/2019 Amazon Confidential Security | Accurate Delivery | Cost Savings Increase Building Security Improperly delivered packages are at risk for theft. Drafting of residents through gates and doors cannot be

376 views • 13 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Language-based Security FOSAD 2008 Steve Zdancewic University of Pennsylvania Confidential Data

Language-based Security FOSAD 2008 Steve Zdancewic University of Pennsylvania Confidential Data

Language-based Security FOSAD 2008 Steve Zdancewic University of Pennsylvania Confidential Data Networked information systems: PCs store passwords, e-mail, finances,... Businesses rely on computing infrastructure Military &

1.18k views • 102 slides
ECA SERVICES - CONFIDENTIAL Decades of Excellence OEM and high-performance computing

ECA SERVICES - CONFIDENTIAL Decades of Excellence OEM and high-performance computing

ECA SERVICES - CONFIDENTIAL Decades of Excellence OEM and high-performance computing specialists FOUNDED 1984 35 years experience in computing infrastructure EMPLOYEES Supply, design, implementation, integration, customisation,

342 views • 12 slides
Quantum Computing and the Forest SDK Robert Smith 2 February 2019 Rigetti Computing Proprietary

Quantum Computing and the Forest SDK Robert Smith 2 February 2019 Rigetti Computing Proprietary

Quantum Computing and the Forest SDK Robert Smith 2 February 2019 Rigetti Computing Proprietary and Confidential a quick poll Rigetti Computing Proprietary and Confidential Rigetti Computing Proprietary and Confidential Rigetti Computing, in

582 views • 24 slides
1 1.2. Guidelines for Information Security of Cloud Computing Category Main contents of measure

1 1.2. Guidelines for Information Security of Cloud Computing Category Main contents of measure

Agenda Related Polices to Cloud Computing I. Guidelines for Information Security of Cloud II. Computing Cloud Security Certification Scheme in KOREA Cloud Security Certification Program in Korea III. April. 11, 2017 Jungduk (JD) KIM, Ph.

403 views • 5 slides
www.unique-project.eu Exchange of security-critical data Computing Device Computing Device

www.unique-project.eu Exchange of security-critical data Computing Device Computing Device

www.unique-project.eu Exchange of security-critical data Computing Device Computing Device generates, stores and processes security-critical information 2 PUFs: Myth, Fact or Busted? CHES 2012 However: Cryptographic secrets can be leaked

443 views • 26 slides
Chapter 10 Trusted Computing Trusted Computing Chapter 10 and Multilevel Security and

Chapter 10 Trusted Computing Trusted Computing Chapter 10 and Multilevel Security and

Computer S ecurity: Principles and Practice Chapter 10 Trusted Computing Trusted Computing Chapter 10 and Multilevel Security and Multilevel Security First Edition by William S tallings and Lawrie Brown Lecture slides by Lawrie

636 views • 40 slides
the balance CONFIDENTIAL No stone to be unturned CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL

the balance CONFIDENTIAL No stone to be unturned CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL

CONFIDENTIAL HR Operational costs How to keep the balance CONFIDENTIAL No stone to be unturned CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL Stores incentive programs Immediate rewarding of results achievements and Quarterly payments for

463 views • 12 slides
Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing

Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing

Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing Storage Computation High availability No maintenance Decreased Costs Elasticity & Flexibility Security and Privacy for Cloud

529 views • 36 slides
Visual Security Keeping your information strictly confidential 3M TM Privacy Filters for Netbooks,

Visual Security Keeping your information strictly confidential 3M TM Privacy Filters for Netbooks,

Visual Security Keeping your information strictly confidential 3M TM Privacy Filters for Netbooks, Laptops and Desktop Monitors 3 Visual Security wherever you go It doesnt take an IT security expert to gain total access to someones

358 views • 11 slides
Computing Security @ Carnegie Mellon University Allison MacFarlan Wiam Younes & Training

Computing Security @ Carnegie Mellon University Allison MacFarlan Wiam Younes & Training

Computing Security @ Carnegie Mellon University Allison MacFarlan Wiam Younes & Training and Awareness Information Security Coordinator Engineer Five Computing Security Tips Back to the Basics Patching Antivirus and

342 views • 11 slides
Personal Security and Privacy in Personal Security and Privacy in Ubiquitous Computing Marc

Personal Security and Privacy in Personal Security and Privacy in Ubiquitous Computing Marc

Personal Security and Privacy in Personal Security and Privacy in Ubiquitous Computing Marc Langheinrich Institute for Pervasive Computing Institute for Pervasive Computing ETH Zurich, Switzerland Approaches to Security & Privacy in

749 views • 39 slides
Security for Pervasive Computing CS239 Kevin Eustice V. Ramakrishna 4/24/06 What is Pervasive

Security for Pervasive Computing CS239 Kevin Eustice V. Ramakrishna 4/24/06 What is Pervasive

Security for Pervasive Computing CS239 Kevin Eustice V. Ramakrishna 4/24/06 What is Pervasive Computing? One Vision of Pervasive Computing PHYSICAL INTEGRATION Coffee Shop Personal Network Change route! My location? L o c a t i

318 views • 20 slides
SYSTEM SECURITY III: TRUSTED COMPUTING TDDD17 Informationsskerhet Ben Smeets Ericsson

SYSTEM SECURITY III: TRUSTED COMPUTING TDDD17 Informationsskerhet Ben Smeets Ericsson

SYSTEM SECURITY III: TRUSTED COMPUTING TDDD17 Informationsskerhet Ben Smeets Ericsson Research Security / Lund University 1 2020-02-28 B. Smeets LiTH course Goal of this lecture Understand trusted computing and its purpose Threats

1.42k views • 65 slides
SYSTEM SECURITY III: TRUSTED COMPUTING TDDD17 Informationsskerhet Ben Smeets Ericsson

SYSTEM SECURITY III: TRUSTED COMPUTING TDDD17 Informationsskerhet Ben Smeets Ericsson

SYSTEM SECURITY III: TRUSTED COMPUTING TDDD17 Informationsskerhet Ben Smeets Ericsson Research Security / Lund University 1 2019-03-01 B. Smeets LiTH course Goal of this lecture Understand trusted computing and its purpose Threats

794 views • 66 slides
Computer Security environment, without compromising functionality or security? Three parts

Computer Security environment, without compromising functionality or security? Three parts

9/7/2013 Some topics Im working on Computing on encrypted data Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript Third party web tracking and other web security stories Practical web security

572 views • 21 slides
Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud

Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud

Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud Computing model. Presented By: Marissa Hollingsworth Overview What is Cloud Computing? Unique Security Concerns in the Cloud

556 views • 34 slides
Model-based Security Engineering: Models vs. Code Jan Jrjens Department of Computing The

Model-based Security Engineering: Models vs. Code Jan Jrjens Department of Computing The

Model-based Security Engineering: Models vs. Code Jan Jrjens Department of Computing The Open University, GB http://www.umlsec.org Challenge: Security Security is holistic property: Attackers often circumvent (not: break) mechanisms.

639 views • 36 slides
Cloud Computing SENY KAMARA MICROSOFT RESEARCH Computing as a Service 2 Computing is a

Cloud Computing SENY KAMARA MICROSOFT RESEARCH Computing as a Service 2 Computing is a

Cloud Security & Cryptography I Cloud Computing SENY KAMARA MICROSOFT RESEARCH Computing as a Service 2 Computing is a vital resource Enterprises, governments, scientists, consumers, Computing is manageable at small

955 views • 51 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Service Challenge & Security Monitoring Jinny Chien Academia Sinica Grid Computing

Security Service Challenge & Security Monitoring Jinny Chien Academia Sinica Grid Computing

Enabling Grids for E-sciencE Security Service Challenge & Security Monitoring Jinny Chien Academia Sinica Grid Computing OSCT Security Workshop on 7 th March in Taipei www.eu-egee.org 1 Jinny Chien, ASGC Training and Dissemination

1.05k views • 39 slides
Stage 1: Data Due Diligence / RFP Data Confidential Personal Financial Not confidential

Stage 1: Data Due Diligence / RFP Data Confidential Personal Financial Not confidential

Stage 1: Data Due Diligence / RFP Data Confidential Personal Financial Not confidential Customer Proprietary Stage 2: Implementation Partner Contract Use restrictions Consents & ownership Security Liability

395 views • 6 slides

More recommend