September 22, 2019


Secure Container with SGX: Protecting Secret in Cloud Environment


Talk Title: Secure Container with SGX: Protecting Secret in Cloud Environment
Speakers: Isaku Yamahata (Software Engineer, Intel), Xiaoning Li (Chief Security Architect, Alibaba)
Conference: KubeCon + CloudNativeCon
Location: Shanghai, China
Date: Jun 23-26, 2019
URL: Talk Page
Slides: Talk Slides

In cloud computing, containers are widely adopted, but their isolation is weak. It is important to protect secrets even from the cloud service provider. Software Guard Extensions (SGX) provides a Trusted Execution Environment (TEE) in which only Intel and the SGX implementation are trusted, while the OS/VMM/BIOS are untrusted. It requires applications to be modified, which is sometimes difficult for various reasons. Ideally, an unmodified user binary could run in an SGX enclave. In this talk, a library OS that allows unmodified binaries to run within an SGX TEE is introduced. It hooks system calls by replacing the shared library. Go is the most popular language for cloud native applications, with the unique trait of using static linking. We enhanced the Graphene LibOS to support Go binaries and hardened it for production use. We will share our experience adding Go support to the Graphene-SGX LibOS and our future plans.
