Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Jessie Frazelle on SCONE: Secure Linux Containers with Intel SGX

Jessie Frazelle on SCONE: Secure Linux Containers with Intel SGX

Containers are the latest infrastructure trend. In 2016, the [SCONE paper](https://www.usenix.org/system/files/conference/osdi16/osdi16-arnautov.pdf) was written and presented at the [USENIX Symposium on Operating Systems Design and Implementation](https://www.usenix.org/conference/osdi16). It outlined how to use Intel Secure Enclaves (https://en.wikipedia.org/wiki/Software_Guard_Extensions) to guard containers against attack. Containers are built on the kernel primitives cgroups and namespaces with additional LSM (Linux Security Module) layers on top, such as AppArmor, SELinux, and seccomp. Intel SGX protects code from modification by using protected areas of memory known as enclaves. With containers and adoption of cloud on the rise, this paper continues to be on the cutting edge of what is to come. Some cloud providers are now starting to expose hardware specific features like GPU and SGX, which would make running containers with Intel's SGX trusted execution a reality in the cloud. With Intel's SGX, you can have a container's process shielded from access by other programs. We'll explore how realistic this is today and in the future as well as what benefits this would have to the security of containers.

66402e897ef8d00d5a1ee30dcb5774f2?s=128

Papers_We_Love

October 09, 2017
Tweet

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. What does this mean for the future? - Azure turned

    on SGX for “Confidential Computing” [link] - Based on Haven paper and a few others - Maybe in the future we can use this in the cloud as well.