tions is important for ensuring appropriate separation of concerns between
applications and infrastructure.
Securing Execution
While information management is
important, let’s not forget about computation. Whereas cryptographic
tools can help secure data, it is equally
important to secure the computation itself. As containers have risen in
popularity as a software distribution
and lightweight execution environment, it is important to understand
their security implications—not only
for isolation among users, but also for
protection from platform and system
administrators.
SCONE: Secure Linux
Containters with Intel SGX
S. Arnautov et al.
Operating Systems Design and Implementation
16 (Nov. 2016) 689–703; https://www.usenix.
org/system/files/conference/osdi16/osdi16-
arnautov.pdf
SCONE implements secure application execution inside Docker (www.
docker.com) using Intel SGX, (https://
software.intel.com/en-us/sgx), assuming one trusts Intel SGX and a relatively
small TCB (trusted computing base)
of SCONE. Note that system calls cannot be executed inside an SGX enclave
itself and require expensive enclave exits. The ingenuity of SCONE is in making existing applications work with acceptable performance without source
code modification, which is important
for real-world adoption.
While this paper is quite detailed and
instructive, here is a very brief summary
of how SCONE works: An application
is compiled against the SCONE library,
which provides a C standard library interface. The SCONE library provides
“shielding” of system calls by transparently encrypting/decrypting application
data. To reduce the performance degradation, SCONE also provides a user-level
threading implementation to maximize
the time threads spend inside the enclave. Further, a kernel module makes
it possible to use asynchronous system
calls and achieve better performance;
two lock-free queues handle system call
requests and responses, which minimizes enclave exits.
Integration with Docker allows for
easy distribution of packaged software.
The target software is included in a
Docker image, which may also contain
secret information for encryption/de-cryption. Thus, Docker integration requires protecting the integrity, authenticity, and confidentiality of the Docker
image itself, which is achieved with a
small client that is capable of verifying
the security of the image based on a
startup configuration file. Finally, the
authors show SCONE can achieve at
least 60% of the native throughput
for popular existing software such as
Apache, Redis, and memcached.
While technologies such as Intel
SGX do not magically make applications immune to software flaws (as
has been demonstrated by Spectre
( https://bit.ly/2MzW0Xb) and Foreshadow (https://foreshadowattack.eu),
hardware-based security is a step in the
right direction. Computing resources
on the edge may not have physical protections as effective as those in cloud
datacenters, and consequently, an adversary with physical possession of the
device is a more significant threat in
edge computing.
For practitioners, SCONE demonstrates how to build a practical secure
computation platform. More importantly, SCONE is not limited to edge
computing; it can also be deployed
in existing cloud infrastructures and
elsewhere.
A Utility Provider
Model of Computing
Commercial offerings from existing
service providers, such as Amazon’s
AWS IoT GreenGrass and AWS Snowball Edge, enable edge computing with
on-premises devices and interfaces
that are similar to current cloud offerings. While using familiar interfaces
has some benefits, it is time to move
away from a “trust based on reputation” model.
Is there a utility-provider model that
provides verifiable security without necessarily trusting the underlying infrastructure or the provider itself? Verifiable security not only makes the world
a more secure place, it also lowers the
barrier to entry for new service providers that can compete on the merits of
their service quality alone.
The following paper envisions a cooperative utility model where users pay
a fee in exchange for access to persistent
The key lesson for
practitioners is that
choosing the right
level of abstractions
is important
for ensuring
appropriate
separation of
concerns between
applications and
infrastructure.
