Secure Container with SGX: Protecting Secret in Cloud Environment
| Field | Value |
|---|---|
| Talk Title | Secure Container with SGX: Protecting Secret in Cloud Environment |
| Speakers | Isaku Yamahata (Software Engineer, Intel), Xiaoning Li (Chief Security Architect, Alibaba) |
| Conference | KubeCon + CloudNativeCon |
| Conf Tag | |
| Location | Shanghai, China |
| Date | Jun 23-26, 2019 |
| URL | Talk Page |
| Slides | Talk Slides |
| Video | |
In cloud computing, containers are widely adopted, but their isolation is weak. It is important to protect secrets even from the cloud service provider. Software Guard Extensions (SGX) provides a Trusted Execution Environment (TEE) in which only Intel and the SGX implementation are trusted, while the OS, VMM and BIOS are untrusted. It requires applications to be modified, which is sometimes difficult for various reasons. Ideally, an unmodified user binary could run inside an SGX enclave. This talk introduces a Library OS that allows unmodified binaries to run within the SGX TEE. It hooks system calls by replacing the shared library. Go is the most popular language for cloud-native applications, and it is unusual in that it uses static linking. We enhanced the Graphene LibOS to support Go binaries and hardened it for production use. We will share our experience adding Go support to the Graphene-SGX LibOS and our future plans.