Funded by the European Commission within the Horizon 2020 Program

Project no. 645011 SERECA

Specific Targeted Research Project
SECURE ENCLAVES FOR REACTIVE CLOUD APPLICATIONS
http://www.serecaproject.eu/

Rolling Report on Dissemination, Communication, Standardization and Exploitation Activities updated
D5.4

Due date: 15 January 2017
Submission date: 15 January 2017
Resubmission date: 1 July 2017

Start date of project: 1 March 2015

Document type: Report
Work package: WP5
Coordinator: Prof. Christof Fetzer, TU Dresden, +49 351 463-39709, +49 351 463-39710, [email protected]
Contributing partners: All
Reviewers: Peter Pietzuch (IMP), Clement Escoffier (RH)

Dissemination Level:

| Code | Level | Selected |
|---|---|---|
| PU | Public | √ |
| CO | Confidential, only for members of the consortium (including the Commission Services) | |
| CI | Classified, as referred to in Commission Decision 2001/844/EC | |

Revision history:

| Version | Date | Authors | Institution | Description |
|---|---|---|---|---|
| 0.1 | 2016/01/20 | Salvatore D’Antonio | EIPLI | Initial draft |
| 0.2 | 2016/01/22 | Giovanni Mazzeo | EPS | Added contribution of EPSILON |
| 0.3 | 2016/01/24 | Karin Fetzer | C&H | Added contribution of C&H |
| 0.4 | 2016/01/25 | Sergei Arnautov | TUD | Added contribution of TU Dresden |
| 0.5 | 2016/01/26 | David Goltzsche | TUB | Added contribution of TU Braunschweig |
| 0.6 | 2016/01/28 | Michele Fioretto | EIPLI | Second draft |
| 1.0 | 2016/02/01 | Salvatore D’Antonio | EIPLI | Final for internal review |
| 1.1 | 2016/02/01 | Martijn Verburg | JC | Add contribution of jClarity |
| 1.2 | 2016/02/06 | Peter Pietzuch | IMP | Add contribution of Imperial College |
| 1.3 | 2016/02/11 | Clement Escoffier | RH | Second review |
| 1.4 | 2017/01/06 | Martijn Verburg | JC | Added further contribution of jClarity |
| 1.5 | 2017/01/12 | Clement Escoffier | RH | Third review |
| 1.6 | 2017/01/12 | Peter Pietzuch | IMP | Fourth review |
| 1.7 | 2017/06/08 | Salvatore D’Antonio | EIPLI | Revision after review |

Tasks related to this deliverable:

| Task No. | Task description | Partners involved○ |
|---|---|---|
| T5.1 | Dissemination Activities | EPS∗, JC, RH, IMP, TUD, TUB, C&H, EIPLI |
| T5.2 | Communication Activities | EIPLI∗, JC, RH, IMP, TUD, TUB, EPS |
| T5.3 | Exploitation | JC∗, EPS, RH, IMP, TUD, TUB, EIPLI |
| T5.4 | Joint Workshop and Tutorials | EPS∗, JC, RH, IMP, TUD, TUB |
| T5.5 | Standards | EPS∗, JC, RH, IMP, TUD, TUB, EIPLI |

○ This task list may not be equivalent to the list of partners contributing as authors to the deliverable
∗ Task leader

Executive Summary

This deliverable reports the Dissemination, Communication and Exploitation activities of the SERECA consortium. The consortium has developed a comprehensive plan, covering a number of activities (publication in top tier conferences and journals, presentations to a variety of stakeholders, participation in events organized by the EC, and more), which are implemented via multiple channels (Web site, social media, press, TV, and - importantly - human interaction). The target audience includes the scientific community, the industrial world, the local governments, and the public at large. Results demonstrate that the project has successfully raised awareness about its technical value - as well as its potential in terms of real take up - among stakeholders. Partners are very much involved in joint and individual exploitation plans, which they are pursuing with concrete actions, including funding of a start-up and enabling synergies between European Structural and Investment Funds, Horizon 2020 and other research, innovation and competitiveness-related Union programmes.

The document is organized as follows. In Chapter 1, an overview of the approach and the objectives of all DissCommEx is presented. Chapter 2 focuses on Dissemination activities carried out by the consortium and in particular by EPSILON, leader of WP5. In Chapter 3, the main actions in terms of collaboration are reported, particularly the workshop organized by SERECA in cooperation with other European projects doing research in the field of cloud security. Chapter 4 summarizes the main outputs of the last months of communication activities (which are presented in more detail in Deliverable D5.2). The aim of Chapter 5 is to present the Exploitation plans that have been consolidated by the consortium and will be implemented in the next months. Chapter 6 reports the strategy of the consortium in terms of standardization. Finally, Chapter 7 concludes the deliverable with an overview of the main achievements and next actions.

Contents

Executive Summary

1 Objectives and Approach

2 Dissemination Activities
  2.1 Target Metrics
  2.2 Dissemination Channels
    2.2.1 Website
    2.2.2 Scientific Publications
    2.2.3 Academia-targeted Events
    2.2.4 Industry-targeted Events

3 Collaboration Activities
  3.1 Knowledge Exchange with SecureCloud project
  3.2 The Data Protection, Security and Privacy (DPSP) Cluster
  3.3 Joint Workshop 1: 1st Workshop of DPSP cluster
  3.4 Joint Workshop 2: SysTEX Workshop

4 Communication Activities
  4.1 Target Metrics
  4.2 TV Interview
  4.3 Press Releases and News
    4.3.1 EPSILON’s Press Release
    4.3.2 Cloud&Heat’s Press Release
    4.3.3 jClarity’s Press Release
  4.4 Social Media

5 Exploitation Activities
  5.1 Positioning of SERECA Among Related initiatives
  5.2 SERECA Value Proposition
  5.3 Joint Exploitation plans
    5.3.1 TU Dresden, jClarity and Cloud&Heat
    5.3.2 EPSILON and EIPLI
  5.4 Individual Exploitation Plans
    5.4.1 TU Dresden
    5.4.2 TU Braunschweig
    5.4.3 Imperial College
    5.4.4 Cloud&Heat
    5.4.5 EPSILON
    5.4.6 Red Hat
    5.4.7 jClarity
    5.4.8 EIPLI

6 Standardization

7 Conclusions and Future Work

List of Tables

2.1 Overview of Dissemination Target Metrics
2.2 Conferences/workshops at which SERECA was presented
2.3 Meetings with Industry
4.1 Overview of Communication Target Metrics

List of Figures

2.1 Website Statistics
3.1 Comparison between SERECA and SecureCloud
3.2 DPSP Workshop
3.3 SysTEX Workshop
4.1 EPSILON’s TV Interview
4.2 EPSILON’s Press Release
5.1 SERECA Exploitable Products
5.2 Comparison between SERECA and SecureCloud Projects
5.3 Cloud Challenges 2016
5.4 Usage of DevOps Tools
5.5 SCONE SWOT Analysis
5.6 Cloud&Heat SERECA SWOT Analysis
5.7 RiskBuster Value Proposition
5.8 RiskBuster SWOT Analysis
5.9 Obsidian SWOT Analysis
5.10 jClarity SWOT Analysis

1 Objectives and Approach

The objective of the SERECA Dissemination and Exploitation plan is to identify and organize the activities to be performed in order to promote the commercial exploitation of the project’s results and the widest dissemination of knowledge from the project. The plan moves in two directions:

• towards the marketing activities to enhance the commercial potential of the system and

• towards the notification of project’s results in the scientific, EC and general RTD sector.

Dissemination is a horizontal activity and concentrates on disseminating the results of the SERECA project itself to a wide range of existing or potential stakeholders. The dissemination of SERECA’s results will highlight what type of needs the project responds to, which problems the proposed solutions will solve, and who can benefit from SERECA’s outputs. SERECA’s dissemination and exploitation strategy aims to reach two main target groups of users who can benefit from SERECA’s value proposition. These are:

• Industry - The technical achievements from the SERECA Project are expected to develop secure enclaves, a new technique that exploits secure commodity CPU hardware for cloud deployments, empowering applications to ensure their own security without relying on public cloud operators. Thus, the primary target for the SERECA Platform is organizations that run and maintain large server farms or that host cloud computing services, such as Google and Amazon, but also small and medium-sized enterprises. The consortium wants to share project outcomes with companies that may be interested in leveraging some of the Unique Selling Points (USP) (5) provided in SERECA.

• Academic Researchers - SERECA partners published (and will publish) a number of research papers on different activities, which are part of the overall process of developing the SERECA platform. The consortium wants to share this research with the academic community – through conferences or workshops – in order to make people aware of the possibilities coming from SERECA and also to get feedback on the studies conducted and on the results obtained. The findings of the SERECA Project will be directly applicable to research in cloud security but will also indirectly apply to other fields like the Internet of Things, Cyber-Physical Systems and Autonomous Driving.

Besides the previous two groups of stakeholders – the most relevant ones – the consortium will also reach the public at large, directly (i.e. through the website, TV interviews, press releases) or indirectly (i.e. through other companies interested in SERECA).

2 Dissemination Activities

We present in this chapter all the dissemination and collaboration activities conducted by the consortium until month 24 and the dissemination plans for the remaining part of the project.

2.1 Target Metrics

Table 2.1 summarizes the target metrics for the project by which dissemination success may be measured, both in total over the course of the project and per period. These metrics were determined via discussions within the consortium as well as a comparison with projects of similar size and scope. The periodic dissemination results and subsequent measurement of these results against the target metrics will be presented in the Deliverables (D5.5, D5.6, D5.7, D6.6, and D6.7) and the Periodic Reports.

| REF | Task | Dissemination Type | Target (total) | Additional Details | P1 | P2 |
|---|---|---|---|---|---|---|
| 1 | T5.1 | Web Page Views | 6743 | Over duration of project | 2139 | 4604 |
| 2 | T5.1 | Peer-reviewed Scientific Publications | 6 | Over duration of project. Includes Journal, Workshop and Conference Papers and Posters | 2 | 4 |
| 3 | T5.4 | Project workshops | 2 | Over duration of project | 0 | 2 |
| 4 | T5.1 | Industry-targeted Event Leadership (IAB Meeting) or Participation (Invited Talk, Poster or Booth) | 12 | Includes Industrial Advisory Board (IAB) Meetings | 2 | 10 |
| 5 | T5.1 | Science / Academia-targeted Event (Invited Talk, Poster or Booth) | 12 | Includes European Community Events | 7 | 5 |

P1: Period 1 (1st year) - P2: Period 2 (2nd year)

Table 2.1: Overview of Dissemination Target Metrics

3 SECURE ENCLAVES FOR REACTIVE CLOUD APPLICATIONS DELIVERABLE 5.4

2.2 Dissemination Channels

2.2.1 Website

One of the first dissemination instruments put in place by EPSILON is the SERECA website [1]. As already mentioned in D5.1, the project website is fundamental for everything that concerns dissemination and exploitation activities. It is one of the main channels through which the consortium provides the external audience with detailed project information, descriptions of individual partners’ achievements as well as joint results, and access to public deliverables. It is the SERECA partners’ strong belief that it is fundamental to keep pushing dissemination activities over the course of the project and after its end, so that the project can effectively make an impact and may result in future opportunities, possibly in terms of industrial exploitation. The website does not include support for collaborative work among partners, since it was decided that more specialized tools – particularly a Gitlab repository, described in D6.1 – be used for this purpose. Due to its important role, the website has been available since the beginning of the project and will be maintained for at least three years after the end of the project. The primary objectives of the project website are:

• To highlight results of the SERECA project and disseminate them.

• To act as a driver for cooperation among related projects and initiatives.

• To raise awareness about the SERECA project among potential users.

Statistics of the project website from month 8 to month 24 are reported in Figure 2.1.

Figure 2.1: Website Statistics

[1] http://www.serecaproject.eu


2.2.2 Scientific Publications

During the second project period four papers were produced. Two papers were produced during the first period. All papers are published open access and are available at ZENODO [2] as well as on the SERECA public website [3]. They are listed in reverse date order with the most recently published items first:

TU Dresden – Symposium on Operating Systems Design and Implementation (OSDI), 2016.

Title: “SCONE: Secure Containers with Intel SGX”

Authors: Sergei Arnautov, Bohdan Trach, Franz Gregor, Thomas Knauth, and Andre Martin, Christian Priebe, Joshua Lind, Divya Muthukumaran, Daniel O’Keeffe, and Mark L Stillwell, David Goltzsche, Dave Eyers, Rüdiger Kapitza, Peter Pietzuch, Christof Fetzer

Abstract: In multi-tenant environments, Linux containers managed by Docker or Kubernetes have a lower resource footprint, faster startup times, and higher I/O performance compared to virtual machines (VMs) on hypervisors. Yet their weaker isolation guarantees, enforced through software kernel mechanisms, make it easier for attackers to compromise the confidentiality and integrity of application data within containers. We describe SCONE, a secure container mechanism for Docker that uses the SGX trusted execution support of Intel CPUs to protect container processes from outside attacks. The design of SCONE leads to (i) a small trusted computing base (TCB) and (ii) a low performance overhead: SCONE offers a secure C standard library interface that transparently encrypts/decrypts I/O data; to reduce the performance impact of thread synchronization and system calls within SGX enclaves, SCONE supports user-level threading and asynchronous system calls. Our evaluation shows that it protects unmodified applications with SGX, achieving 0.6x–1.2x of native throughput.

TU Braunschweig, TU Dresden, Imperial College – 17th ACM Middleware conference, 2016.

Title: “SecureKeeper: Confidential ZooKeeper using Intel SGX”

Authors: Stefan Brenner, Colin Wulf, Matthias Lorenz, Nico Weichbrodt, David Goltzsche, Christof Fetzer, Peter Pietzuch, Rüdiger Kapitza

Abstract: Cloud computing, while ubiquitous, still suffers from trust issues, especially for applications managing sensitive data. Third-party coordination services such as ZooKeeper and Consul are fundamental building blocks for cloud applications, but are exposed to potentially sensitive application data. Recently, hardware trust mechanisms such as Intel’s Software Guard Extensions (SGX) offer trusted execution environments to shield application data from untrusted software, including the privileged operating system (OS) and hypervisors. Such hardware support suggests new options for securing third-party coordination services. We describe SecureKeeper, an enhanced version of the ZooKeeper coordination service that uses SGX to preserve the confidentiality and basic integrity of ZooKeeper-managed data. SecureKeeper uses multiple small enclaves to ensure that (i) user-provided data in ZooKeeper is always kept encrypted while not residing inside an enclave, and (ii) essential processing steps that demand plaintext access can still be performed securely. SecureKeeper limits the required changes to the ZooKeeper code base and relies on Java’s native code support for accessing enclaves. With an overhead of 11%, the performance of SecureKeeper with SGX is comparable to ZooKeeper with secure communication, while providing much stronger security guarantees with a minimal trusted code base of a few thousand lines of code.

[2] https://zenodo.org/
[3] http://www.serecaproject.eu/index.php/publications/papers

TU Braunschweig, Imperial College – 21st European Symposium on Research in Computer Security, 2016 (ESORICS).

Title: “AsyncShock: Exploiting Synchronisation Bugs in Intel SGX Enclaves”

Authors: Nico Weichbrodt, Anil Kurmus, Peter Pietzuch and Rüdiger Kapitza

Abstract: Intel’s Software Guard Extensions (SGX) provide a new hardware-based trusted execution environment on Intel CPUs using secure enclaves that are resilient to accesses by privileged code and physical attackers. Originally designed for securing small services, SGX bears promise to protect complex, possibly cloud-hosted, legacy applications. In this paper, we show that previously considered harmless synchronisation bugs can turn into severe security vulnerabilities when using SGX. By exploiting use-after-free and time-of-check-to-time-of-use (TOCTTOU) bugs in enclave code, an attacker can hijack its control flow or bypass access control. We present AsyncShock, a tool for exploiting synchronisation bugs of multithreaded code running under SGX. AsyncShock achieves this by only manipulating the scheduling of threads that are used to execute enclave code. It allows an attacker to interrupt threads by forcing segmentation faults on enclave pages. Our evaluation using two types of Intel Skylake CPUs shows that AsyncShock can reliably exploit use-after-free and TOCTTOU bugs.

TU Dresden – 16th ACM Middleware conference, 2015.

Title: “VeCycle: Recycling VM Checkpoints for Faster Migrations”

Authors: Thomas Knauth, Christof Fetzer

Abstract: Virtual machine migration is a useful and widely used workload management technique. However, the overhead of moving gigabytes of data across machines, racks, or even data centers limits its applicability. According to a recent study by IBM, the number of distinct servers visited by a migrating VM is small; often just two. By storing a checkpoint on each server, a subsequent incoming migration of the same VM must transfer less data over the network. Our analysis shows that for short migration intervals of 2 hours on average 50% to 70% of the checkpoint can be reused. For longer migration intervals of up to 24 hours still between 20% to 50% can be reused. In addition, we compared different methods to reduce the migration traffic. We find that content-based redundancy elimination consistently achieves better results than relying on dirty page tracking alone. Sometimes the difference is only a few percent, but can reach up to 50% and more. Our empirical measurements with a QEMU-based prototype confirm the reduction in migration traffic and time.


TU Dresden – 34th IEEE Symposium on Reliable Distributed Systems, 2015 (SRDS).

Title: “ControlFreak: Signature Chaining to Counter Control Flow Attacks”

Authors: Sergei Arnautov, Christof Fetzer

Abstract: Many modern embedded systems use networks to communicate. This increases the attack surface: the adversary does not need to have physical access to the system and can launch remote attacks. By exploiting software bugs, the attacker might be able to change the behavior of a program. Security violations in safety-critical systems are particularly dangerous since they might lead to catastrophic results. Hence, safety-critical software requires additional protection. We present an approach to detect and prevent control flow attacks. Such attacks maliciously modify program’s control flow to achieve the desired behavior. We develop ControlFreak, a hardware watchdog to monitor program execution and to prevent illegal control flow transitions. The watchdog employs chained signatures to detect any modification of the instruction stream and any illegal jump in the program even if signatures are maliciously modified.

EPSILON – 15th International Conference on Intelligent Software Methodologies, Tools and Techniques (SOMET2016).

Title: “A Secure Cloud-Based SCADA Application: the Use Case of a Water Supply Network”

Authors: Gianfranco Cerullo, Rosario Cristaldi, Giovanni Mazzeo, Gaetano Papale, and Luigi Sgaglione

Abstract: Cloud computing paradigm is gaining more and more momentum, to the extent that it is no more confined to its initial application domains, i.e. use by enterprises and businesses willing to lower costs or to increase computing capacity in a flexible manner. In particular, increasing interest is recently being paid to the huge potentials - in terms of benefits for the society at large - that might result from the adoption of cloud computing technology by critical infrastructure (CI) operators. This is of course putting special emphasis on the need for dependable and trustworthy security mechanisms in cloud technology based services, since a critical infrastructure is vital for essential functioning of a country. Incidental or deliberate damages to a CI have serious impacts on the economy, and possibly make essential services unavailable to the communities it serves. In this paper we present the proof-of-concept of a cloud-based Water Supply Network Monitoring (WSNM) application, named RiskBuster (RB), that ensures the confidentiality and integrity of SCADA monitoring data collected from dam sensors and stored in the cloud by using the innovative Intel Software Guard eXtension (SGX) technology.

2.2.3 Academia-targeted Events

European Community Events

The aim of this section is to provide information about EC events where SERECA was presented in the second period of the project.

Concertation Meeting in Bruxelles. On the 25th of March 2015, the project was presented at the CloudWATCH Concertation meeting in Bruxelles, which looks at future directions for software services and Cloud computing in Europe [4]. The aim of the concertation meeting was to promote collaboration and exchange among EU projects in order to learn about the latest activities of all active projects of Unit E2 (Calls 5, 8 & 10, CIP and EU-Japan), to network and discover partners from different consortia, and also to understand the fundamental changes from FP7 to H2020 and explore new opportunities arising from it. An EPSILON representative also took part in a competition with other European projects (One Minute Madness), in which the challenge was to introduce the project in just one minute. The conference gathered around 1000 attendees. The participants involved were mostly practitioners from Small and Medium Enterprises (SME) and researchers.

Europe Day in Tufara. EPSILON participated in the “Europe Day” in Tufara (IT) on the 9th of May 2015, where institutional representatives gave speeches on the main Europe-related topics, particularly on the possibilities arising from EU funding programs for accessing R&D as well as structural funds, and on the need for greater awareness of the benefits that EU funding could have for the Italian economy. SERECA was presented during this event as an example of an EU-funded research project. The audience at this specific event was mainly political, with little knowledge of technological aspects but a deep understanding of the strategic implications. It was our belief that showing a successful example of an H2020 call was useful to the community.

Workshops and Conferences

The SERECA project was presented at the scientific events listed in Table 2.2.

2.2.4 Industry-targeted Events

This section presents all the dissemination activities conducted by SERECA partners with industries in different fields (i.e. IT, Banking). We report events where SERECA was invited to give talks on the achieved results or where SERECA was presented during meetings of industrial partners with their customers. All events are summarized in Table 2.3.

Cloud&Heat presented the SERECA project during two meetings with customers in the energy market in October 2015. The customers were EWE [5] and BTB [6].

TU Braunschweig gave a talk at the Winter School on Operating Systems [7] about trusted execution with Intel SGX and its application in the SERECA project in February 2016.

jClarity has presented the SERECA roadmap to several of their customers in the financial services and technology markets. These discussions are commercially sensitive, so most of their customers are not yet willing to be named, but customers initially visited included a Tier 1 Investment Bank and Adaptavist [8], the world’s leading Atlassian product suite consultancy. Subsequently, in late 2016, further discussions were held with a multi-billion-dollar online travel company in the US and the UK’s leading property.

[4] http://www.cloudwatchhub.eu/turning-cloud-research-innovative-software-services
[5] https://www.ewe.com/en
[6] http://www.btb-berlin.de/en/
[7] http://wsos2016.tugraz.at
[8] http://www.adaptavist.com


In particular, jClarity is holding discussions with all of its customers who currently require the on-premise version of its Application Performance Analysis Service (Illuminate). These discussions have the goal of persuading these on-premise customers to use the publicly hosted (SaaS) version of Illuminate. In the late 2016 discussions, it became apparent that customers were interested in the SERECA platform for internal applications as well, and they have asked jClarity to keep them up to date with the consortium’s progress.

Red Hat contributes development and results from SERECA around Eclipse Vert.x to the upstream project. The contributions are discussed with the project community and integrated in the main code base.

| Date | Conference/Workshop | Partner(s) Involved | Outcome |
|---|---|---|---|
| 2015-03-25 | NetFutures2015 | EPS | Received expressions of interest from 10+ SMEs |
| 2015-09-28 | 34th IEEE Symposium on Reliable Distributed Systems (SRDS) | TUD | Good feedback received on SERECA Control flow integrity mechanisms from 5+ researchers |
| 2015-12-08 | 16th ACM Middleware conference | TUD | 3 citations |
| 2016-02-22 | Winter School on Operating Systems | TUB | Informed the top 10-15 operating systems research groups in Germany about SGX and the mission of SERECA |
| 2016-02-23 | DPSP Workshop | EPS, EIPLI | See Section 3.3 |
| 2016-09-12 | Conference on Intelligent Software Methodologies, Tools and Techniques (SOMET) | EPS | Good feedback received on SERECA hardening mechanisms from 10+ researchers |
| 2016-09-28 | 21st European Symposium on Research in Computer Security (ESORICS) | TUB, IMP | 4 citations |
| 2016-11-04 | USENIX Symposium on Operating Systems Design and Implementation (OSDI) | TUD, TUB, IMP | 4 meetings with industry (see table 2.3), 4 citations, Paper is on the reading list of the University of Utah and Wayne as well as TUD, TUB and IMP |
| 2016-12-12 | SysTEX | TUD, TUB, IMP | See Section 3.3 |
| 2016-12-12 | 17th ACM Middleware conference | TUB | 1 citation |

Table 2.2: Conferences/workshops at which SERECA was presented


This improves the security of the Eclipse Vert.x project and also provides new building blocks, such as secure services or features required to build micro-service systems.


| Ref. | Meeting with Industry | Partners Involved | Outcome |
|---|---|---|---|
| 1 | 1st IAB meeting | All | The SERECA project received valuable technical feedback during the IAB meeting. Overall the technical experts were extremely positive about the timeliness of the project, its initial technical innovations related to enclave application support and partitioning, and the quality of the scientific output. Specific feedback from the experts was to focus on the protection of data integrity in addition to confidentiality using enclaves. They also stressed the importance of techniques for preventing vulnerabilities in enclave code. This feedback directly informed the hardening techniques that were developed as part of the SERECA secure container support and the SERECA application partitioning framework. |
| 2 | Tier 1 Investment Bank, Adaptavist | JC | Persuading these on-premise customers to use the publicly hosted (SaaS) version of Illuminate. |
| 3 | Travel Company, Property Portal | JC | They will investigate utilising aspects of the SERECA platform for their own internal applications. |
| 4 | Envirotech, Norway | C&H | Pilot project for ruggedised, mobile, secure deployment in a TEU-sized container to commence in Q4 2016. |
| 5 | Innogy, Germany | C&H | Pilot project for a secure, distributed, private cloud managed by C&H to commence in Q2 2017. |
| 6 | Huawei Shield Lab visited, Germany | TUD | The Shield Lab was interested in the SERECA project and in our SCONE work. A delegation of 6 people from Asia visited Prof. Fetzer’s group. Prof. Fetzer gave an overview of the SERECA project and SCONE. |
| 7 | Intel Lab, Hillsboro, USA | TUD, TUB | Prof. Fetzer presented an overview of SERECA to the SGX team at Intel. Dr. Knauth presented our SCONE work. Intel is interested in using SCONE inside their research lab. |
| 8 | Google Cloud Security Team | TUD, TUB, IMP | Prof. Fetzer (TUD) presented SCONE to the Google team via Google Hangouts. |
| 9 | Cloud Native Computing Foundation (CNCF) | TUD, JC | Prof. Fetzer presented SCONE to Alexis Richardson, the chair of CNCF. The question that was discussed is whether SCONE could become a component of the CNCF. |
| 10 | Alan Turing Institute, UK (http://www.turing.ac.uk) | IMP | Prof. Pietzuch gave a presentation at the Alan Turing Institute, the UK national institute for data science, to help set a research agenda that involves trusted execution technology for securing data-intensive applications. |
| 11 | Huawei visited, UK | IMP | A delegation from Huawei visited Prof. Pietzuch’s group. Prof. Pietzuch gave a presentation about the SERECA project and the SGX-related research work at Imperial. |

Table 2.3: Meetings with Industry

3 Collaboration Activities

SERECA participates in alliances of EU-funded projects that encourage collaboration between research projects. In particular, SERECA has joined the Data Protection, Security and Privacy (DPSP) Cluster [1]. The cluster was created to increase the collaboration between European projects in the field of Security. The aim of the DPSP cluster is to seek synergies between projects of the H2020 call and to join efforts towards greater impact. The main objectives are:

• Maximize the impact of EU-funded research and innovation project results

• Ensure the market orientation and adoption of EU-funded research and innovation project results

• Help define the research and innovation needs in H2020

The collaboration within the DPSP cluster has led to the organization of SERECA’s first joint workshop (in February 2016) with the goal of strengthening the potential cooperation directions and starting an actual exchange of information and outputs. After the successful exchange during the first workshop, SERECA decided to organize, in December 2016, a second joint workshop in collaboration with SecureCloud [2] and with the sponsorship of Intel. Compared to the first workshop, the second one had a more specific focus: it covered topics related to the use of novel hardware extensions to secure cloud applications. The Software Guard Extensions (SGX), the Intel ISA extension leveraged in SERECA, was the most covered one. Around ten researchers presented their work, showing how their solutions that leverage additional hardware features will enable the implementation of trustworthy systems. The two joint workshops, overviewed in the rest of this section, will be described in more depth in deliverables D5.6 and D5.7.

3.1 Knowledge Exchange with SecureCloud project

3.2 The Data Protection, Security and Privacy (DPSP) Cluster

The DPSP Cluster was created with the aim of seeking synergies between European projects in the field of security and joining efforts towards greater impact. The idea behind it is to find, through the collaboration of the participating projects, possible dissemination and exploitation paths to follow. In this way, the impact on the research communities or on specific market segments will be much more relevant and effective. The DPSP Cluster aims to serve as an instrument to ease the achievement of market impact by the participating projects. The participants in the DPSP cluster are the following:

¹ https://eucloudclusters.wordpress.com/data-protection-security-and-privacy-in-the-cloud/
² https://www.securecloudproject.eu


Figure 3.1: Comparison between SERECA and SecureCloud

• Representatives of EU-funded research and innovation projects (preferably Technical Managers, Project Managers or research leaders) in the areas of Data Protection, Security and Privacy in the Cloud, including of course, related Cooperation and Support Actions.

• Representatives of the market orientation Advisory Group (AB). The AB group will be composed of a limited set of investors (business angels, etc.), consultancy companies on innovation transfer, business model creation, etc.

3.3 Joint Workshop 1: 1st Workshop of DPSP cluster

SERECA co-organized the first workshop of the DPSP cluster. The workshop was held in Napoli (IT) on 23 February 2016. A great result was achieved: more than 100 people participated in the workshop. The participating projects (SPECS³, COCO Cloud⁴, SERECA, MUSA⁵ and CLIPS⁶) presented their research and the work done during their project life. Some of these, including ours, showed a demo of pilot application use cases. Panel sessions took place, aiming to:

• Understand how to maximize the impact of EU-funded research and innovation project results in the areas of Data Protection, Security and Privacy in the Cloud. The participating projects found synergies in methods, tools and solutions. New collaborations in the organization of joint dissemination events, such as joint workshops and conferences, or joint papers, were born.

³ http://www.specs-project.eu
⁴ http://www.coco-cloud.eu
⁵ http://www.musa-project.eu
⁶ http://www.clips-project.eu


• Discuss the market orientation and adoption of EU-funded research and innovation project results in the areas of Data Protection, Security and Privacy in the Cloud in order to define valid exploitation strategies.

• Define the research and innovation needs in H2020 in the areas of Data Protection, Security and Privacy in the Cloud.

SERECA participated in the workshop with EPSILON and EIPLI representatives. The results achieved were: 1) the definition of the best dissemination and exploitation strategies for SERECA’s unique selling points through the identification of market needs in the field of security; 2) the dissemination of initial project results and of the approach adopted by the consortium to secure sensitive cloud applications, with the example of one of the two use cases, the Water Supply Network Monitoring (WSNM). Two presentations were given by EPSILON and EIPLI: one presented an overview of SERECA, while the other described the pilot application for the WSNM use case. In this regard, EPSILON showed the audience how the security mechanisms used in SERECA will allow the cloudification of the WSNM application, and so how the security requirements imposed by EIPLI (the use case provider) will be met. Finally, SERECA also participated in the workshop’s poster session (see Figure 3.2b).

Outcome: During the DPSP workshop, EPSILON and EIPLI disseminated SERECA to both the research community and SMEs. Two main achievements were obtained. First, the word was spread on SERECA technologies by showing the improvement of security through the developed hardening mechanisms. Second, EPSILON got feedback on the RiskBuster pilot application, useful to test the waters and find out the best strategy to follow for exploitation of the product.

3.4 Joint Workshop 2: SysTEX Workshop

TU Dresden, TU Braunschweig, and Imperial College organized the first SERECA Workshop (T5.4) in the form of the 1st Workshop on System Software for Trusted Execution (SysTEX 2016)⁷. SysTEX was organized as a side event of the premier conference ACM/IFIP/USENIX Middleware 2016⁸ in Trento, Italy, in December 2016. Middleware is a major forum for the discussion of innovations and recent advances in the design, construction and use of middleware systems. The scope of the conference is the design, implementation, deployment, and evaluation of distributed system platforms and architectures for computing, storage, and communication environments. The organization of SysTEX 2016 was a joint effort with the SecureCloud⁹ H2020 EU project. The SysTEX workshop focused on system software and middleware that puts novel hardware for trusted execution to use, including but not limited to Intel Software Guard Extensions (SGX) and ARM TrustZone, and highlighted how possible additional hardware features will enable the implementation of trustworthy systems. Topics of interest highlighted by the call for papers included:

⁷ https://systex.ibr.cs.tu-bs.de/index.html
⁸ http://2016.middleware-conference.org/
⁹ https://www.securecloudproject.eu/


Figure 3.2: DPSP Workshop

• Architecture, applications and implementation technologies for trusted platforms and trustworthy infrastructures

• Middleware for distributed trusted execution

• OS support for trusted execution

• Usability and end-user interactions with trusted platforms

• Limitations of trusted computing

• Usability and user perceptions of trustworthy systems and risks

• Use case studies of trusted execution

• Validation and performance evaluation of trusted hardware

The program committee was chaired by (SERECA members in bold):

• Pascal Felber, University of Neuchâtel, Switzerland

• Christof Fetzer, TU Dresden, Germany


Figure 3.3: SysTEX Workshop

• Rüdiger Kapitza, TU Braunschweig, Germany

• Peter Pietzuch, Imperial College, United Kingdom

The program committee consisted of 13 experts in the targeted research fields from Europe as well as the US.

Outcome: Eleven submissions were received by the deadline. Each paper was reviewed by at least four experts and, due to the high quality, ten papers could be accepted. This resulted in a program for a full workshop day from 9am to 6pm. Furthermore, the organizers were able to win two researchers from Intel for the workshop. Ittai Anati (Intel, Israel) gave an invited keynote with the title "TEE - More than just a secure container. The importance of TCB updates". This keynote was very interesting because it presented original material regarding the internals of the SGX-supported remote attestation infrastructure. As a further guest, Matthias Schunter (Intel, Germany) also attended the workshop. Overall, the workshop was well received, with approximately 40 attendees. All presentations received a considerable number of questions (approximately 3 to 10 each). As of today, 13 January 2017, one month after the workshop, the ACM Digital Library, where the proceedings of SysTEX¹⁰ have been published, already reports 848 downloads of the papers. As a comparison, another workshop named ARM (Adaptive and Reflective Middleware) that was co-located with SysTEX reports only 279 downloads. In sum, this first SysTEX workshop can be counted as a success in terms of both papers and attendees.

¹⁰ http://dl.acm.org/citation.cfm?id=3007788

4 Communication Activities

4.1 Target Metrics

Table 4.1 summarizes the target metrics for the project, by which communication success may be measured on a total basis over the course of the project as well as per period. These metrics were determined via discussions within the consortium as well as a comparison with projects of similar size and scope. The periodic communication results, and the subsequent measurement of these results against the target metrics, will be presented in the Deliverables (D5.5, D5.6, D5.7, D6.6, D6.7) and Periodic Reports.

4.2 TV Interview

An EPSILON representative gave a TV interview¹ conducted by an Italian TV channel (Canale21). The project was described in its main features without going too deep into technological aspects, because the audience of this interview was mainly composed of the public at large, including people with limited knowledge of computer technology topics. The interview is available in the news section of the project web site.

4.3 Press Releases and News

Press releases, one of the main communication channels, describe the goals and results of the project in simple, jargon-free language and, whenever possible, highlight the benefits to the region or country and the importance for the local partner of being part of an EU consortium. They target the local or national press of the partner entrusted with this task. Press releases were issued by the project’s industrial partners (EPSILON, jClarity, Cloud&Heat and Red Hat), presenting to the external audience the results obtained during the first months of the project. The rest of this section presents each partner’s press release in more detail.

¹ https://youtu.be/t5xs3w8pcZM

| REF | Task | Communication Type | Target (total) | Additional Details | P1 | P2 |
|---|---|---|---|---|---|---|
| 1 | T5.2 | TV Interviews | 1 | Over duration of project | 1 | 0 |
| 2 | T5.2 | Press Releases | 3 | Over duration of project | 3 | 0 |
| 3 | T5.2 | Twitter Follower | TBD | Over duration of project | 0 | |

Table 4.1: Overview of Communication Target Metrics


Figure 4.1: EPSILON’s TV Interview

4.3.1 EPSILON’s Press Release

EPSILON published the initial press release in “Il Denaro”² on Saturday 23 May 2015 (see Figure 4.2). The article appeared both in the printed newspaper and on the official website.

The Journal

The newspaper “Il Denaro” is the official journal of the “Unione Industriali di Napoli”³, the local branch of “Confindustria”⁴, the general confederation of Italian industry. In total, Confindustria represents 115.000 companies and 4.300.000 employees. The journal is sold together with “il Sole 24 ore”, which is the first economic newspaper in Italy by sales numbers. Hence, the target audience of this journal is principally industrialists and investors who could see advantages in using the technologies offered by SERECA. They could appreciate the innovation in terms of security and so rely on cloud computing more than they did before. This supports the main objective of the SERECA project: to be a driver for the adoption of cloud computing where there is a lack of confidence in this technology.

Content of the Press Release

The content of the published press release is divided into three main sections:

• The first section introduces the problem of security in cloud computing and the impact that this situation currently has on companies around the world.

• The second section briefly describes the project goal and the type of funding it receives (i.e. Horizon 2020).

² http://ildenaro.it/
³ http://www.unindustria.na.it/Unindustria/
⁴ http://www.confindustria.it/


Figure 4.2: EPSILON’s Press Release

• Finally, the third section explains the role of EPSILON in SERECA and how the pilot application will contribute to validating the project.

Obviously, the language used in the article is simple and clear in order to make it accessible to everyone.

4.3.2 Cloud&Heat’s Press Release

Cloud&Heat published its press release on the company website⁵ and sent it to the press distribution list⁶ of their PR agency, HOSCHKE & CONSORTEN Public Relations GmbH. The press release describes Cloud&Heat's participation in the project and illustrates the benefits to the local region of Saxony.

Content of the Press Release

Cloud&Heat supports EU research project SERECA on data security in the cloud

Dresden, 20 July 2015. Cloud&Heat Technologies GmbH is one of eight renowned research partners supporting the EU project SERECA (Secure Enclaves for REactive Cloud Applications). The initiative aims to provide greater data security in the cloud and thereby remove one of the biggest obstacles to the adoption of cloud solutions. Although the cloud can provide cost-efficient and sustainable resources for data processing, many companies hesitate to use these solutions because they do not consider the security of their data, or the compliance guidelines required for their industry, to be guaranteed. To meet the high demands of security-sensitive users such as banks and utilities, new and easily implemented solutions are needed. Together with established research partners such as Imperial College London and Universität Dresden, Cloud&Heat is working within SERECA to develop and deploy secure enclaves for the cloud. With this new method, a secure cloud environment is created on the basis of standard CPU hardware. It ensures that each individual application can guarantee its own security independently of the cloud provider used. Secure enclaves also support legally compliant data localization by enabling applications to securely span a large number of cloud data centers. Secure enclaves thus provide greater data integrity, data availability and data confidentiality in the cloud. “Cloud&Heat brings comprehensive knowledge of the design, construction and operation of micro data centers, as well as experience as a cloud provider, to the SERECA project,” explains René Marcel Schretzmann, founder and CEO. “Our task is to optimize the newly created infrastructure with regard to the technological requirements and practical application.” This should particularly benefit data-intensive and highly interactive applications, such as the Internet of Things or cyber-physical systems, that handle sensitive personal data.

⁵ https://www.cloudandheat.com/static/pdf/pr/20150720-SERECA-de.pdf
⁶ Picked up, e.g., by Wind Journal (http://www.windjournal.de/alle-artikel/cloud heat unterstuetzt eu forschungsprojekt sereca zur datensicherheit in der cloud-85271).

About SERECA: The SERECA project runs from 01.03.2015 to 28.02.2018 and is funded by Horizon 2020, the new EU framework programme for research and innovation. The consortium comprises Technische Universität Dresden, Technische Universität Braunschweig, Imperial College London, Cloud&Heat Technologies GmbH, Epsilon S.r.l., Red Hat, jClarity and Ente per lo Sviluppo dell’Irrigazione e la Trasformazione Fondiaria in Puglia, Lucania ed Irpinia. More information at www.serecaproject.eu.

About Cloud&Heat: Cloud&Heat Technologies GmbH is a provider of cloud-based computing power whose waste heat is used to heat buildings and water. The cloud servers are installed directly in the properties to be heated. Cloud&Heat thereby connects the markets for server computing power and heat, and is an efficient green-tech alternative. This combination of ecological and economic advantages was awarded the Sächsischer Umweltpreis in 2013 and was selected for the final round of the Innovationspreis der Deutschen Wirtschaft. The company was founded in Dresden in 2011 under the name AoTerra GmbH and has carried the name Cloud&Heat since April 2014. Further information at: www.cloudandheat.com

Press contact for further information: Cloud&Heat Technologies GmbH Christof Kaplanek / Christina Siebels Hoschke & Consorten Public Relations GmbH Phone: 040 36 90 50 - 38 / - 58 E-Mail: [email protected] / [email protected]


4.3.3 jClarity’s Press Release

jClarity’s press release has been published through the following media channels:

• The Register⁷

• InfoQ⁸

• DZone⁹

• TheServerSide¹⁰

• Java Magazine¹¹

Content of the Press Release

JClarity is pleased to be part of the EU Horizon 2020 project to deliver Secure Reactive Enclaves in the cloud computing space. Data security from the CPU through to the application is a definite requirement from our customers in financial services, defense and other regulated industries. We envisage that with the completion of the SERECA project that the final piece of the cloud puzzle will have been completed and that all organizations will be able to shift to the cloud with even stronger security than what they currently have on premise. Organizations will be confident in using cloud services such as jClarity's illuminate to be able to scale out and monitor their businesses in a technically provable secure fashion.

4.4 Social Media

During the course of the project, to reach the widest possible audience, the SERECA consortium decided to adopt an additional means of delivering information to external stakeholders and potential users: social media. The consortium is using a Twitter account (https://twitter.com/SERECA4) and a Facebook account to disseminate a number of different activities, such as:

• Participation at EU/non-EU events - to inform the followers about the project being present at events, such as industry and academic forums

• Updates on project outcomes - to share the outcomes produced by the project like deliverables and/or published research papers

• New website article being made available - to increase the number of views on website articles, we will tweet links to the webpage

⁷ http://www.theregister.co.uk/
⁸ http://www.infoq.com/
⁹ http://www.dzone.com/links/index.html
¹⁰ http://www.theserverside.com/
¹¹ http://www.oracle.com/technetwork/java/javamagazine/index.html


• Organization of workshops - to let people know about events organized by SERECA’s partners

• Details of SERECA meetings - to let stakeholders know about plenary meetings

Regarding Twitter, the consortium will frequently use two types of hashtag: those related to European projects (#H2020, #EU, #FP7, #SMEInstrument, #Research), and those related to cloud security (#Cloud, #cloudsecurity, #DevOps, #BigData, #IoT, #cybersecurity).

5 Exploitation Activities

This chapter surveys the exploitation activities and plans made by the SERECA consortium. Partners have worked on the different areas of an exploitation strategy to: facilitate further use of results, make use of the results, and concretize the most important values. Hence, we provided an initial Data Management Plan (DMP) in D6.2, we produced new relevant research activities, and we planned to bring specific products to specific market segments. In a first section, we present the joint exploitation activities. Then, we show the individual exploitation plans carried out by each partner, including an analysis of the targeted market segments. Figure 5.1 shows the SERECA products that the consortium would like to exploit. These are part of the SERECA infrastructure and are the result of specific WPs (see Figure 5.1b).


Figure 5.1: SERECA Exploitable Products

5.1 Positioning of SERECA Among Related Initiatives

Other initiatives (e.g., papers or European projects) are exploring the possibility of securing applications running in an untrusted cloud with Intel SGX. What makes SERECA different from the others is the vast array of SGX-enabled facilities offered to the developer, which can be leveraged in a semi-transparent way. A first remarkable difference from several other works is that in SERECA we do not use the SDK provided by Intel. Intel provides an SDK to facilitate the implementation of simple enclaves. It features an interface definition language together with a code generator and a basic enclave library. Unlike SERECA, the SDK lacks support for system calls and offers only restricted functionality inside the enclave. We developed, instead, an SGX-enabled libc library that supports shielded execution of system calls.

Haven [1] aims to execute unmodified legacy Windows applications inside SGX enclaves by porting a Windows library OS to SGX. Relative to the limited EPC size of current SGX hardware, the memory requirements of a library OS are large. In addition, porting a complete library OS with a TCB containing millions of LOC also results in a large attack surface. By using only a modified C standard library, in SERECA we target the demands of Linux containers, keeping the TCB small and addressing current SGX hardware constraints.

GrapheneOS [3] is another example of a library OS ported to SGX. Unlike Haven, in this case the TCB is kept small, as we do with our secure containers. However, the performance provided is still low and the usable functionality is limited. The secure containers developed in SERECA keep the overhead limited. Furthermore, it must be pointed out that secure containers are only a part of the facilities offered by the entire SERECA platform.

An additional initiative is VC3 [2], which uses SGX to achieve confidentiality and integrity as part of the MapReduce programming model. VC3 jobs follow the executor interface of Hadoop but are not permitted to perform system calls. In SERECA we focus on generic system support for container-based, interactive workloads, which could be used as a basis for VC3 jobs that require extended system functionality.

Figure 5.2: Comparison between SERECA and SecureCloud Projects

Finally, it is worth illustrating the differences between SERECA and the SecureCloud project, as they move in the same direction by using secure containers with SGX support. Figure 5.2 shows the several architectural distinctions. First, in SERECA we provide support for a gcc-based SGX-enabled cross compiler, while in SecureCloud this cross compiler is llvm-based. Second, in SERECA we want to harden applications running on top of a JVM, while in SecureCloud applications are written in Go/Rust/Python. This means a completely different approach to the infrastructure development. Third, in SERECA we have support for an SGX-enabled secure coordination service, while in SecureCloud a different mechanism based on the ZMQ bus is used. Fourth, in SERECA applications are based on microservices written with vert.x, while in SecureCloud applications exchange messages through the ZMQ bus.

5.2 SERECA Value Proposition

SERECA advances the state of the art of cloud technology along two important axes (namely, confidentiality and integrity), and includes accompanying tools that make the technology usable, since they enable seamless, and thus low-cost (in terms of both time and resources), porting and easy deployment. The secure execution environment (called Secure Container) provided by SERECA protects data from unauthorized access, including attacks by the super user. This solves the issue of insider attacks by users with high privileges. The SERECA secure communication mechanism (called Secure Bus) protects data during transfers. The SERECA development tools (called Partitioning Tools) enable easy porting of applications, including legacy ones, and ultimately enable seamless migration to the SERECA platform. The SERECA infrastructural service (called Secure Coordination Service) and application framework enable the secured applications to run on a distributed platform, for better reliability and performance.

Importantly, one of the partners of the SERECA consortium will go to market with a commercial offering that will make the underlying hardware needed by SERECA readily available. The offering is a Metal as a Service (MaaS) formula with advanced data locality features. In particular, it allows the cloud user to enforce specific limitations on where data is to be stored. This is a fundamental prerequisite for complying with several EU as well as national regulations.

In a nutshell, SERECA provides effective protection against attacks to which the current offerings are all vulnerable. As an example, SERECA prevents the possibility that an employee of the external IT company who has super user privileges accesses sensitive information (violation of confidentiality) and possibly modifies it (violation of integrity). In the following, we briefly describe the SERECA Unique Selling Points (USP), i.e. SERECA features that are not available in competing products (and/or that outperform them).

We take as an example the protection of SQL databases, since these are used in any web service as a backend to store data. The SQL database typically contains data that must be protected against attacks on data confidentiality (e.g. credit card information) and/or data integrity.

USP: Secure Containers and Secure vert.x enable the SERECA platform to keep the application keys confidential

A good database will support transparent encryption of all files it stores in the file system. Moreover, it will encrypt all traffic to and from its clients, typically using TLS. Nevertheless, this is not sufficient to keep the data confidential. First, the database needs to store the encryption key for its encrypted files as well as the key for its TLS certificate. Such keys could be stored in a key store, and one tries to restrict access to the keys to the database only. However, anybody with root access on the VM can also gain access to these keys. Second, anybody with root access on the PM can also gain access to these keys, either by impersonating root on the VM or by just dumping the in-memory content of processes running in the VM. Running the database in the SERECA platform will keep the keys of the database confidential. Only the database can access its keys: neither the root user on the VM nor the root user on the PM has access to them.

USP: Secure Containers provide the SERECA platform with a powerful protection mechanism for application in-memory state

Instead of trying to retrieve the encryption keys of the database, a root user could just dump the in-memory state of the database to get access to confidential data like encryption keys, passwords and credit card numbers. The SERECA platform keeps all in-memory data encrypted, and only the application itself has access to the memory.

USP: The SERECA platform protects the integrity of applications

Another way to gain access to the data of the database would be to modify the database such that the modified database logs or even modifies confidential data. The SERECA platform protects the integrity of the application, i.e., only the unmodified database program can access the data.

USP: Secure vert.x and its secure coordination service ensure end-to-end security in the SERECA platform

To protect the confidentiality and integrity of the data, we need to ensure that all data is protected while transferred via the network, at rest in the storage system, and being processed by the application. The SERECA platform protects all steps, and can transparently protect all steps in case the application lacks some protection such as file encryption. In our use case, the database can protect the integrity and confidentiality of the files. However, SERECA provides faster encryption and hence we use the file encryption mechanism provided by SERECA.

USP: SERECA platform provides application-oriented security

Traditionally, to trust an application, we need to trust the complete system stack, i.e., the hypervisor, the operating system of the host system, the operating system of the VM and all users with root access to these components. In the SERECA platform, we only need to trust the application and its libraries: the SERECA platform provides application-oriented security. SERECA itself is part of the libraries linked with the application.

USP: Secure Containers enable a very light-weight deployment mechanism in the SERECA platform

VMs contain a complete operating system. VM image sizes of these operating systems are hundreds of megabytes: the most recent CentOS (Sept 2016) is 857MB large while the most recent image is 310MB large. SERECA uses containers instead of VMs. Containers are an OS-based virtualization mechanism. They are typically considered less secure than VMs. However, SERECA ensures the security of containers. In comparison, the image sizes of containers are quite small: 2MB for busybox or 5MB for alpine. We ship SERECA secure containers with minimal image sizes.

USP: The partitioning tools and the secure container ensure ease-of-use in the SERECA platform

SERECA uses a wrapper around the Docker engine to deploy applications. Docker is very popular since it simplifies the deployment of cloud native applications. The SERECA platform provides the same installation mechanism, but for applications with end-to-end security. In this use case, we demonstrate how to deploy a database with the SERECA platform.

5.3 Joint Exploitation plans

5.3.1 TU Dresden, jClarity and Cloud&Heat

TU Dresden, jClarity and Cloud&Heat decided to follow a joint exploitation strategy. The roles of the three partners are as follows:


• In its hybrid nature as a cloud provider and cloud infrastructure franchise company, Cloud&Heat will provide SGX-enabled cloud infrastructures. So far, there are no clouds that provide SGX-enabled server machines. Cloud&Heat will be one of the first cloud providers to commercially leverage such machines. More precisely, Cloud&Heat intends to extend its Datacenter in a Box solution, used as the infrastructural basis for private and public cloud infrastructures, with SGX hardware. In this specific context, Cloud&Heat provides a unique platform for joint exploitation efforts. The perspective in this case is twofold:

– Firstly, Cloud&Heat intends to deploy the security-enhanced infrastructure within its own datacenter sites. One upcoming option for deployment may be a high-security datacenter in Frankfurt, Germany. The site has redundant connectivity to the German Commercial Internet Exchange point (DE-CIX) and, thus, high-throughput and high-availability networking is available. This network accessibility plus solid physical security make this datacenter site a perfect basis for the intended SGX-enabled cloud infrastructure.

– Secondly, Cloud&Heat intends to provide a platform for joint exploitation as part of its franchise business offering. By this, Cloud&Heat does not limit the scope of the joint exploitation strategy to direct customers and direct contacts of the involved SERECA partners only, but extends its range dramatically.

• TU Dresden will explore founding a startup (SCONE Containers Ltd) to commercialize SCONE. SCONE is the secure container environment that is being developed in the context of SERECA. The startup will focus on curated secure container images, i.e., pre-manufactured images that are based on SCONE. It will provide secure versions of popular Docker containers, like a secure database image and a secure key/value store image. The applications of these secure container images will be signed such that they can be run inside SGX enclaves. Nevertheless, clients of the curated image services will be able to customize their images in much the same way as customized Docker images. In other words, despite the excellent security provided by SCONE, the system will maintain the ease of use of Docker containers. SCONE Containers Ltd will provide a hardened OS image containing a Docker engine that supports secure containers. This OS image will be offered in the above-mentioned Cloud&Heat cloud infrastructure as well as on top of the franchise technology-stack offering.

• jClarity will provide a secured service to their customers. jClarity will use curated secure container images to protect the confidentiality and integrity of their application data. jClarity will also take the role of an alpha customer of the MaaS service as well as the secure container image service.

5.3.2 EPSILON and EIPLI

EPSILON and EIPLI are pursuing a joint exploitation plan, aiming at taking current project results to the next level, i.e. making the transition from the lab to the real world. The main obstacle is that the implementation of an IT-based infrastructure for real-time monitoring of a water supply network on a large scale has a cost in excess of 10 M euros (for a medium-sized installation). On the one side this represents a great business opportunity, but on the other side it requires that the preconditions be created for making massive amounts of funding available to the potential customers, i.e. – in most cases – to the Public Authorities that are in charge of water distribution in the area. The European Commission is well aware of the necessity of favoring the transition of research results to infrastructural improvements, and has provided mechanisms and guidelines for implementing such a transition. Specifically, EPSILON and EIPLI are exploiting the opportunities that would result from the creation of synergies between H2020 and “European Structural and Investment Funds” (ESIF). This is an ambitious plan (and not an easy one to implement), but in case of success it will not only open tremendous business opportunities, but also result in dramatic advantages for the region (particularly in terms of public safety and health).

To implement the plan, Luigi Romano, the Innovation Manager of SERECA, along with a representative from EIPLI (namely: Giuliano Cerverizzo), had a meeting with the person in charge of managing European funds for the local government of Basilicata (namely: Regione Basilicata). The purpose of the meeting was to try to add the topic of critical infrastructure monitoring to the Strategies for Smart Specialization (S3) of the region. EPSILON is still waiting for official feedback from Regione Basilicata. Also importantly, a preliminary version of the WSNM pilot is being set up – and will be constantly updated – at the Monte Cotugno dam. EPSILON and EIPLI will use this pilot as a Proof Of Concept for persuading the local government to make resources available for the implementation of an IT-based infrastructure for real-time monitoring of a water supply network on a large scale.

5.4 Individual Exploitation Plans

5.4.1 TU Dresden

Exploitable output

SERECA’s research team developed a new technology to securely execute existing applications inside containers, named SCONE. SCONE was published and presented to a scientific audience at the USENIX Symposium on Operating Systems Design and Implementation (OSDI) in November 2016. There is also interest from commercial entities such as Google, Intel Labs, Amazon and Docker.

Reference Market

The cloud security market can be segmented by type of cloud security, namely cloud identity and access management, data loss prevention, e-mail and web security, cloud database security, network security, and cloud encryption.1 Container security is a new segment overlapping the existing security services of e-mail and web security, cloud database security, network security, and cloud encryption.

Customers. Large-scale enterprises such as Google Inc. and SMEs such as Cloud&Heat GmbH are already interested as customers. They would resell secure containers to their cloud customers, which are small and medium enterprises around the world.

1 https://www.alliedmarketresearch.com/cloud-security-market.


Value Proposition. The value of secure containers is to protect the confidentiality and integrity of cloud services.

Go-to-Market. The strategy to bring the product to the market would be a cooperation with jClarity and Cloud&Heat to start a pilot project.

Market Size. According to ResearchandMarkets the cyber security market is currently worth USD 122.45 billion.2 Cybersecurity Ventures also values the market at USD 210 billion by 2017.3

Market Trends. According to Accenture’s 2015 Enterprise Cloud Report, 75 percent of organizations worldwide are already implementing or using at least one cloud application and 82 percent identify cloud technology as a key part of their IT strategy.4 But there is still a need for innovative security solutions: cloud security is a concern that holds 61% of senior IT managers back from the cloud, and 46% say the same about integration concerns.5 Moreover, a 2016 survey from RightScale identified cloud security as the second most important challenge, named by 29% of respondents.6 Figure 5.3 shows the challenges that IT professionals, as cloud buyers and users, are facing in 2016 compared to 2015.

Figure 5.3: Cloud Challenges 2016

The survey also shows that the usage of container technologies, such as Docker7, has more than doubled, from 13% in 2015 to 27% in 2016.8 Figure 5.4 shows the usage of DevOps tools and its increasing potential. DevOps tools help companies to standardize and automate the deployment and configuration of servers and applications. These numbers and figures point to a growing market for our product SCONE, which allows companies to securely execute existing applications inside containers.

2 http://www.researchandmarkets.com/research/gk9dkm/cyber security.
3 http://cybersecurityventures.com/cybersecurity-market-report/
4 Accenture. “Enterprise Cloud Report.” Cloud Sherpas. April 2015.
5 Columbus, Louis. Cloud Computing Adoption Continues Accelerating In The Enterprise. Forbes.com. November 22, 2014.
6 RightScale. “State of the Cloud Report.” 2016.
7 Docker is an open platform for developers and sysadmins to build, ship, and run distributed applications, whether on laptops, data center VMs, or the cloud.
8 RightScale. “State of the Cloud Report.” 2016.


Figure 5.4: Usage of DevOps Tools

Market Growth Rate. Regarding the growth of the general cloud security market, analysts expect that companies will invest more money in security technologies. According to Gartner, worldwide information security spending will grow 7.9% to reach USD 81.6 billion in 2016.9 Thus, the authors of the report “Cyber Security Market by Solutions” published by MarketsandMarkets estimate a Compound Annual Growth Rate (CAGR) of 10.6 percent for the global cyber security market. The market value will grow from USD 122.45 billion in 2016 to USD 202.36 billion by 2021.10

SWOT analysis. Figure 5.5 shows the initial SWOT analysis for a further development of SCONE in the context of current security market dynamics. As stated before, there are two main opportunities for SCONE: first, cloud users and vendors are expected to spend more money on information security products, and second, the usage of containers as an Infrastructure as a Service (IaaS) is increasing strongly. Because there is currently no comparable security solution to securely execute existing applications inside containers, one of the strengths is being the first in a brand new niche market. Moreover, the group is already in contact with Google, Intel Labs, Amazon and Docker to discuss possible solutions to resell the product to clients of these companies. In contrast to these opportunities and strengths there is one major threat: that Intel will not release their server version of the CPU extension. This would likely reduce the probability of cloud providers adopting SCONE secure containers. One minor threat is that SCONE largely depends on the underlying technology used to achieve isolation (Intel SGX). This dependency means that the user has to trust Intel, which for some customers might not be acceptable. A weakness is that the CPU extensions do not support sufficient memory size, which means that the performance of secure containers might be degraded.

Academic Education and Research

Publications. The research carried out in the context of SERECA has resulted in several publications submitted and accepted at top-tier conferences, see Section 2.2.2.

9 http://www.gartner.com/newsroom/id/3404817
10 http://www.marketsandmarkets.com/Market-Reports/cyber-security-market-505.html


Figure 5.5: SCONE SWOT Analysis

Courses. These results are also integrated into one of the master program courses in the form of a lecture named Cloud Security and Intel SGX. The number of participants attending this course is approximately 40 students each winter term.

Theses. Further, TUD exploits the results of SERECA in an academic environment: four master theses and one bachelor thesis currently running cover SERECA-relevant problems and topics. Additionally, one of the research assistants working on the project will base his PhD thesis on the results of SERECA.

5.4.2 TU Braunschweig

Exploitable Output

TU Braunschweig has led the development of one of the core components of the SERECA cloud architecture. Furthermore, TU Braunschweig started the investigation of several security properties of Intel SGX, resulting in a tool to demonstrate the impact of certain attacks on SGX applications. The concrete exploitable outputs include:

• The SERECA SGX vulnerability tool (WP1). The tool can exploit synchronisation bugs of multithreaded code running under SGX. This is achieved by only manipulating the scheduling of threads that are used to execute enclave code. It allows an attacker to interrupt threads by forcing segmentation faults on enclave pages. A paper depicting the tool has been accepted at ESORICS 2016.

• The SERECA coordination service (WP2). The SERECA coordination service is an enhanced version of the ZooKeeper coordination service that uses SGX to preserve the confidentiality and basic integrity of ZooKeeper-managed data, providing much stronger security guarantees with a minimal trusted code base of a few thousand lines of code. A paper describing the service has been accepted at ACM Middleware 2016.


Both projects will be released as open-source software in 2017. Additionally, for 2017, TU Braunschweig is planning to host a booth at the upcoming CeBIT computer trade fair in Hanover promoting the work of SERECA. The booth is planned to be co-located with the joint stands of the state of Lower Saxony11.

Academic Education and Research

As a university partner of the SERECA project, the main focus of TU Braunschweig naturally lies in research publications and academic education.

Publications. Similar to the other academic partners, TU Braunschweig was also able to publish the results obtained in SERECA at well-known conferences. For a detailed statement of all publications, see Section 2.2.2.

Courses. Currently, TU Braunschweig is exploiting the results of SERECA in a seminar course about trusted execution held in the winter semester 2016/2017. Published research papers are discussed in a group of interested students to acquaint them with the current state of trusted execution technologies. The papers covered by the seminar include papers from the SERECA consortium as well as related papers dealing with different trusted execution technologies. Furthermore, a course based on the lessons learned in the SERECA project is planned for the summer term 2017. The courses will discuss alternative trusted execution technologies such as TPMs, ARM TrustZone and Intel SGX.

Theses. TU Braunschweig has offered opportunities to multiple skilled students to write theses whose results might be applicable in the context of SERECA. The SecureKeeper work is an example of this, as its precursor was developed in a bachelor thesis, but was later further enhanced and ultimately published by TU Braunschweig. Additionally, several theses cover trusted execution, especially Intel SGX.

5.4.3 Imperial College

Exploitable Output

Imperial College has led the development of several technologies during the course of the SERECA project. It intends to exploit these technologies primarily for educational and research purposes. The concrete exploitable outputs being developed by Imperial College include:

• The SERECA partitioning framework (WP1). The SERECA partitioning framework simplifies migration of existing applications to SGX by semi-automatically partitioning them into security-sensitive and non-sensitive parts in a principled manner. A paper describing some of this work has been submitted for publication.

• LKL-SGX container deployment (WP2). The LKL-SGX library operating system will allow easy deployment of unmodified application binaries to SGX enclaves as Docker containers.

Imperial College intends to make both the SERECA partitioning framework and LKL-SGX container deployment system available as open-source software.

11 http://www.cebit-niedersachsen.de/


Consultancy. The technologies being developed by Imperial College have given it considerable expertise in the potential challenges and solutions involved in migrating legacy applications to SGX. Imperial College therefore intends to investigate commercialising its expertise through consulting activities in partnership with Imperial Consultants Ltd. (ICON), a consultancy company wholly owned by Imperial College. Industrial follow-on funding. Imperial College will also explore applying for follow-on funding in collaboration with industrial partners as part of the Innovate UK scheme. In particular, as part of its current “Emerging and Enabling Technologies” call, Innovate UK lists as one of its priority sectors enabling technologies for cyber security.

Academic Education and Research

In addition to commercial exploitation, Imperial College intends to use the outcomes of the SERECA project to support the following academic initiatives:

Grant proposals. Imperial College has proposed a joint research project on trusted execution support for data science with the recently established UK Alan Turing Institute for Data Science. In addition, the results and expertise acquired from SERECA can also foster new ideas for academic grant proposals targeting, for instance, UK EPSRC and EU H2020.

Courses. Methods and results from the SERECA project will be used in lecture material for a course in Scalable Distributed System Design (SDSD). SDSD is a Masters course in the Department of Computing of Imperial College that introduces the concepts and techniques required to design and engineer scalable distributed applications in data centre environments. SERECA material will be used in the course to provide practical examples and showcase state-of-the-art techniques in securing data centre services.

BEng, MEng and MSc student projects. These projects provide an opportunity for students to work independently and acquire skills that are difficult to develop through the normal lecture and exam cycle. Projects involve a particular problem that is to be solved independently or in small groups. The topics are often related to current research efforts; however, the focus is much narrower and the task and expected outcome are well defined (e.g., develop a program or algorithm). This allows students to apply their knowledge to practical problems. The SERECA project provides numerous opportunities for student projects. Currently 2 MSc projects that contributed to SERECA have been completed and one is ongoing.

5.4.4 Cloud&Heat

Exploitable Output

Cloud&Heat plans to exploit the output of the SERECA project by augmenting its cloud offerings with the strong security features and rich support for reactive applications provided by the SERECA Cloud Platform. New products based on the SERECA Cloud Platform will enable Cloud&Heat to offer and provide secure cloud services to existing and new customers alike. Specifically, Cloud&Heat’s current line of Datacenter-in-a-Box (DiaB) solutions12 will be extended with new configuration options for Intel Secure Guard Extensions (SGX) hardware and a pre-installed SERECA framework once both are production-ready. Customers, in turn, will then be able to deploy their SERECA applications on this platform and have them run securely in the cloud, hosted in Cloud&Heat-maintained deployments equipped with SGX-enabled hardware.

12 https://www.cloudandheat.com/en/products.html#datacenter-in-a-box

Reference Market

Cloud&Heat’s business objectives firmly position the company in the infrastructure-as-a-service (IaaS) market, specialising in individual, customised, turn-key solutions for private cloud installations. Adding the SERECA Cloud Platform to the company’s product portfolio in the form of SERECA-as-a-Service not only promises to open the door to the growing platform-as-a-service (PaaS) market for the company, but also helps the company assert itself as a specialist and technological leader in the information security sector.

Customers. Potential customers include businesses that want to move their mission-critical applications and data into the cloud, but are wary of the level of privacy protection associated with typical cloud-hosted applications, and generally users with high demand for secure, resilient, and low-latency services. The quintessential target groups are developers and users of highly secure, reactive applications.

Value Proposition. The value of the SERECA Cloud Platform in production will manifest itself in the increased trust customers will have that their privacy is protected not merely by the provider’s promise, but by a security mechanism beyond the provider’s control. On top of that, the rich SERECA framework will attract developers and users of highly secure, reactive applications.

Go-to-Market. Cloud&Heat will initially rely on its existing distribution channels to bring the SERECA Cloud Platform to the market.

Market Size. A reference market for the SERECA Cloud Platform does not exist so far. However, Cloud&Heat expects to develop a niche PaaS market around the SERECA Cloud Platform. According to a German Internet economy study by Arthur D. Little GmbH13, the domestic PaaS market volume will increase to 400 M€ by 2019. The SERECA Cloud Platform ecosystem will become a part of this market.

Market Trends. The market for cloud services has been growing above average in recent years. The digital transformation is still going strong, with no sign of slowing down. This process can be observed in all industries and markets. Enterprises that earn more than 50% of their sales through cloud services achieve better revenues than enterprises that do not, along with better growth rates and a higher gross profit.

Market Growth Rate. By now, almost half the German enterprises are using cloud services. In 2014 cloud services were used by 44% of enterprises and 24% of them are planning to move into the cloud. The preferred form of cloud is private, but the popularity of public clouds is rising. The prognosis of growth for the next two years is still positive and strongly developing.

SWOT analysis. Cloud&Heat’s analysis of the strengths, weaknesses, opportunities, and threats of the businesses it plans to generate from the SERECA output is depicted in Figure 5.6.

13 http://www.adlittle.com/downloads/tx adlreports/The German Internet Study 2016-2019 01.pdf


Strengths
● Low barriers for market entry
● High profitability use cases possible
● Secure

Weaknesses
● Additional costs possible
● Complexity
● User attitude and control

Opportunities
● Scope in global markets
● Emergence of new markets
● Agility and flexibility

Threats
● Data safety agreements
● Data protection / Security
● Customers’ trust

Figure 5.6: Cloud&Heat SERECA SWOT Analysis

5.4.5 EPSILON

Exploitable Output

EPSILON aims to expand its portfolio offering with the re-engineered monitoring application (now called RiskBuster) developed in SERECA. The idea is to target a variety of critical infrastructure monitoring applications and not only the water sector. To do that, EPSILON wants to create a general-purpose application, starting from the WSNM pilot, which makes use of SERECA security mechanisms. Such a product could be attractive for the critical infrastructure SCADA market, not only because it provides a cloud-enabled monitoring application that is highly scalable thanks to its micro-service based architecture, but also because of its innovative security mechanisms. EPSILON believes that leveraging the SERECA security features provides added value by giving assurances on security to interested customers.

Reference Market

The market segment of interest for EPSILON is unarguably the SCADA systems market sector. The main drivers for the market include a huge potential from the renewable energy sector and high investments in infrastructure for sectors such as oil and gas, power (transmission and distribution), and water and wastewater management. EPSILON wants to ride the trend toward the integration of SCADA systems with new Information Technologies (IT). The Internet of Things (IoT), for example, is considered the fourth generation of SCADA systems. The emergence of big data, along with analytics, has led to the integration of instrumentation with SCADA data to analyze and scrutinize the data of the process. In this sense, Cloud Computing plays a central role. However, this integration trend in the market is still slow due to cyber security fears.


As the MarketsandMarkets report says: “SCADA market is expected to grow in the forecasted period as there is huge potential from renewable energy sector, high investments in infrastructure for sectors such as oil and gas, power (transmission and distribution), and water and wastewater management. These are some of the factors which are driving the growth of the SCADA market. Cyber security threat is considered as an important restraint which is being faced frequently by the SCADA market”. In the rest of this subsection we define, describe, and forecast the market on the basis of cyber-security technologies/services to provide detailed information regarding the key factors influencing market growth, the type of customers targeted, and the value proposed.

Customers. Potential customers that could take advantage of the RiskBuster product in the SCADA market segment are:

• Cloud Platform Vendors - Attracted by the advanced security mechanisms used in SERECA, cloud vendors may be interested in a new product for a SCADA as a Service solution.

• Critical Infrastructure Administrators - RiskBuster could represent an interesting product for CI administrators. They may in fact be more confident about migrating to a cloud environment thanks to the security guarantees provided in SERECA, even against powerful attackers.

• SCADA System Companies - EPSILON’s product may attract other SCADA system companies willing to include new types of applications in their portfolio. RiskBuster could represent for them an innovative possibility: cloud-based and, most importantly, security enabled.

Value Proposition. Figure 5.7 reports the most important RiskBuster values that will be proposed to customers. EPSILON identified four relevant features of its monitoring application developed in the context of SERECA: security, scalability, responsiveness and availability. Based on the interests of SCADA market customers, EPSILON expects that the most attractive one will be security. In this sense, the proposed value of RiskBuster, that is, the usage of Intel SGX to harden sensitive data, is extremely innovative. This will allow EPSILON to give its customers unprecedented assurances even against malicious Cloud Providers.

Figure 5.7: RiskBuster Value Proposition

Go-to-Market. In order to reduce the time-to-market, EPSILON’s first product release won’t be really customizable. Therefore the first RiskBuster offerings will target SCADA companies and CI administrators. When the customizable version is available, EPSILON will also target Cloud Platform vendors. The product offering will allow SCADA operators to monitor assets of interest, receive alarms/notifications, and draw historical trends from any device (i.e. smartphone, tablet, laptop). Promotion of the product will be done using social media channels and the company website. EPSILON will provide free trial licenses to further promote the adoption of RiskBuster.

Market Size. The SCADA market is estimated to reach $11.16 billion by 202014.

Market Trends. The Technavio report on SCADA market15 says that: “The growing popularity of SCADA as a service is anticipated to aid market growth over the next four years. SCADA providers and end-users can significantly reduce costs, achieve greater flexibility, and enhance functionality by shifting to the cloud-based environment. This research report predicts cloud-based SCADA solutions to reduce end-users’ costs up to 80% compared to traditional SCADA systems in the process industry during the forecast period.”. This demonstrates how relevant the trend of cloud adoption is in the SCADA market. Such a trend coincides perfectly with the strengths of the RiskBuster product, which is built for cloud environments and embeds the security mechanisms provided in SERECA. EPSILON expects that RiskBuster’s strengths will look appealing in the SCADA market.

14 http://www.marketsandmarkets.com/Market-Reports/scada-market-19487518.html
15 http://www.technavio.com/report/global-automation-global-scada-market-process-industries-2016-2020

Market Growth Rate. The SCADA market size has been estimated to grow from 2014 to 2020 at an estimated Compound Annual Growth Rate (CAGR) of 7.24%.

SWOT analysis. Figure 5.8 shows the initial SWOT analysis conducted on the RiskBuster product. Its principal Strength, as already stated in the value proposition, is given by the advanced security mechanisms developed in the context of SERECA, which leverage the innovative Intel SGX CPU extension. This represents the added value that competitors’ solutions do not possess. They, in fact, cannot protect the data against malicious cloud providers as RiskBuster does. In terms of Opportunities, the RiskBuster product can take advantage, first, of the small number of SCADA solutions for cloud environments, and second, of the high demand for cyber-security coming from the SCADA market. Many CI administrators, in fact, require more and more guarantees in this sense. Our monitoring solution can provide them. Unfortunately it’s not all sunshine and rainbows. There are Weaknesses and Threats that may represent a barrier for the product exploitation. RiskBuster, in fact, is still not completely interoperable with some common SCADA protocols and, furthermore, lacks some functionalities that in particular affect the user experience. Aware of the application’s limits, EPSILON will strive to improve them. EPSILON believes that major players in the SCADA market like ABB Ltd. (Switzerland), Rockwell Automation (U.S.), Siemens (Germany), Indusoft can represent a Threat for the RiskBuster product exploitation. The competition with such large companies can compromise the value provided by RiskBuster. Customers, in fact, may be skeptical about the innovation provided through SGX enclave security mechanisms and could place more trust in a conservative solution. EPSILON needs to highlight the advantages, the added value, of RiskBuster in a proper way. The SGX-enabled feature is something that no one else has and so will be the strong point that EPSILON will emphasize as much as possible in the product dissemination.

Figure 5.8: RiskBuster SWOT Analysis

5.4.6 Red Hat

Exploitable Output

The interests of Red Hat in SERECA outcomes are twofold:

• Improve the security level in an upcoming product.

• Build expertise in running Java based applications in secure enclaves.

Red Hat is working on the delivery of a new product named Obsidian. This product is a new application platform focusing on the Cloud (using Red Hat Openshift) and micro-services. Eclipse Vert.x is one of the runtimes supported by this product. As security and privacy are core concepts in this product, SERECA outcomes are valuable assets. Obsidian embeds the secure event bus developed in SERECA and also reuses several services that have been developed, such as the configuration service, fail-over, discovery service and circuit breaker. Additionally, Red Hat is also seeking expertise in the secure enclaves domain, and more specifically in the execution of Java applications in secure enclaves. Red Hat is one of the major contributors to OpenJDK, the main implementation of the Java Virtual Machine. With the development of secure enclaves, it becomes essential to be able to run Java applications inside these enclaves or close to these enclaves. Part of the work conducted by Red Hat in SERECA is about finding the different approaches and measuring the impacts of secure enclaves on the application code (written in Java and running on the JVM), deployment and performance.

Reference Market

This section focuses on the exploitation of SERECA results in the Obsidian product. Obsidian is a product providing a new way to build applications. As a Cloud-first development, the application is designed and built to run natively in the Cloud, and in particular in Red Hat Openshift. The application follows micro-service practices and is decomposed into multiple isolated services interacting using lightweight protocols. The target, in terms of customers, is mainly companies that have existing Java applications developed using a monolithic approach and, because of time-to-market pressure, need to decompose these applications into micro-services. Greenfield applications are also a target. This would include existing Red Hat customers as well as new ones, mainly medium-sized and large companies seeking more agility. The current adoption plan for GA + 12 months (1 year after the official launch) is the following:

• 200 Vert.x applications,

• 5 Java microservice references (fully supported customers),

• 5 acquisitions from competitive products such as Pivotal Cloud Foundry.

Red Hat has planned for significant growth of this market, as the agility requirements to build and deliver new services to customers are booming. It is also Red Hat’s response to competing products such as Pivotal Spring Boot and Cloud Foundry.

SWOT analysis. Figure 5.9 presents a SWOT analysis of Obsidian regarding SERECA features.

Figure 5.9: Obsidian SWOT Analysis


5.4.7 jClarity

Exploitable Output

jClarity is looking to exploit the output of the SERECA Cloud Platform by hosting an instance of Illuminate SaaS on an SGX-enabled cloud provider and marketing that instance as being the world-leading Application Performance Management SaaS, not only in terms of its analysis capabilities, but also in its security for data-sensitive customers. jClarity will highlight that, with the SGX enclave-backed platform, its publicly hosted SaaS can have the same if not better levels of security than many of its customers’ on-premise deployments 16. As an SME, jClarity needs to have key differentiators in order to stay ahead of its competitors in the market. Today it has 75-80 world-class customers due to its reputation and thought leadership in Java and performance analysis. Security is another major concern for our customers and we need to be seen as thought leaders in that space as well, removing any misconceptions that a small company cannot deal with security effectively.

Reference Market

Application Performance Management (APM) is a multiple billion dollar market which is growing in double-digit percentages every year, fuelled by the enormous growth in new software being written. Illuminate is initially targeting the largest language and platform market, Java, which has 9-10 million developers.

Customers. Our customers come from all sectors including E-Commerce, Defence, Health, Government and Education: anywhere Java is run! Many customers are migrating or looking to migrate to a cloud-based architecture, where they are looking to outsource non-core services (such as APM) to SaaS providers that can give them levels of security comparable to those of their on-premise solutions today.

Value Proposition. The main value proposition for jClarity and its customers is the extra layer of protection that the SERECA Cloud Platform gives, both against malicious cloud provider / data centre staff and against external attackers that would attempt to read memory or gain access to keys. In essence it reduces the TCB from the current state (the Operating System / Container), where a malicious admin with root privileges could gain sensitive information, to a TCB where the main security concern is the physical chip itself. The SERECA Cloud Platform does so without sacrificing any of the common features that modern micro-service based applications rely on, such as co-ordination, data storage, location awareness and so forth.

Go-to-Market. Illuminate is already in the marketplace. We would launch an extra SERECA Cloud Platform instance on an SGX-enabled cloud provider such as Cloud and Heat and utilise our PR and marketing firm (Streets Consulting) to run a media, marketing and product launch campaign across multiple channels. In addition, we would personally contact all of our on-premise customers, giving them the option to move to the new publicly hosted, SERECA Cloud Platform enhanced version of Illuminate.

Market Size. According to Gartner (in May 2014), the APM market was worth USD 2.4 Billion and the cloud market to be worth USD 131 Billion.

16 Excluding obvious industry sectors, like defence.


Market Trends. The trend to move applications to the cloud and to rely on SaaS vendors has firmly taken hold in the market. Every single one of our customers (except for the defence industry) is either undergoing trials to move their applications to the cloud, is moving their applications to the cloud or has moved their applications to the cloud. All of our customers look to utilise 3rd party SaaS vendors to fulfil architectural concerns that are not core to their business, such as authentication, logging and application performance management.

Market Growth Rate. According to Gartner (in May 2014), the APM market was growing by 13% and the cloud market was growing at over 20%.

SWOT analysis. With the SERECA Cloud Platform, Illuminate's principal Strength is given by the advanced security mechanisms which leverage the innovative Intel SGX CPU extension. This represents the added value that competitors' solutions simply do not possess. In terms of Opportunities, having more customers move to jClarity's publicly hosted Illuminate service will help reduce jClarity's cost base. Each on-premise customer that we support costs approximately 3x the support cost of a customer on our public service. New customers who value security highly will also see jClarity as a thought leader in that space, which helps build an initial base level of trust. There are Weaknesses and Threats that may represent a barrier to the product's exploitation. Time to market may be an issue: the APM industry and cloud markets move quickly, and the added level of security that the SERECA Cloud Platform provides may be superseded or undermined by solutions coming from any of the full stack cloud players such as Amazon, Google, Microsoft and IBM. The main threat comes from entities such as state-sponsored actors breaking the guarantees of the SERECA Cloud Platform, and that becoming a heavily publicised vulnerability that creates a bad perception in the marketplace. Figure 5.10 presents a SWOT analysis for jClarity's Illuminate regarding SERECA features.

Figure 5.10: jClarity SWOT Analysis


5.4.8 EIPLI

The experience of SERECA made EIPLI more aware of the importance of innovative solutions in the water-framework field that can address the relevant challenges identified by the European Commission (EC) 17 (e.g. basin management/protection, drinking water management/protection). The impulse that the EC is giving to the development of new water-related management and monitoring solutions is impressive. For this reason, EIPLI has started a collaboration on a project proposal in the context of the "LIFE" program 18 with ENI, the most important Italian oil & gas multinational company. The proposal is called "CoMEL" (Control and Mitigation of Eutrophic Lake) and aims at developing a control system for reducing lake eutrophication and cyanobacteria bloom. As the EC stated, among the five main environmental issues that European citizens and environmental organizations are worried about, water pollution is the one at the top. Water protection is therefore priority number one. Much progress has been made in water protection in Europe, in individual member states, but also in tackling significant problems at European level. But Europe's waters are still in need of increased efforts to get them clean or to keep them clean. Some countries have taken initiatives in this sense; however, this is at present not the case everywhere. What is lacking is real cooperation among different entities at European level, which could represent a real step forward. EIPLI will therefore leverage the organizational and technological knowledge learned in SERECA for one of the main programs (LIFE) sponsored by the EC.

17 http://ec.europa.eu/environment/water/water-framework/info/intro_en.htm

18 http://ec.europa.eu/environment/life/

6 Standardization

The SERECA project took part (as a guest) in the cyber security technical committee meeting organized by the European Telecommunications Standards Institute (ETSI) in Sophia Antipolis (FR). The meeting was part of the Security Week event organized by ETSI 1, in which SERECA participated with an EPSILON representative. The Cybersecurity technical committee (namely: TC-CYBER) works closely with relevant stakeholders within and outside ETSI to collect, identify and specify requirements and thus develop appropriate standards to increase the privacy and security of organizations and citizens across Europe. The activities of TC-CYBER include the development of standards in the following areas:

• Cybersecurity

• Security of infrastructures, devices, services and protocols

• Security advice, guidance and operational security requirements to users, manufacturers and network and infrastructure operators

• Security tools and techniques to ensure security

• Creation of security specifications and alignment with work done in other ETSI committees

During the meeting the different standardization processes were discussed. We presented the techniques used in SERECA during the in-depth discussion of some cyber-security hot topics 2, which are in the same area of interest as our project. We explored the possibilities to standardize the work done in SERECA in the following areas, which are still work in progress:

• TR 103-303 - Protection measures for ICT in the context of Critical Infrastructure - This branch of standardization looks for measures to protect critical infrastructures. Since one of the project use cases leverages SERECA hardening mechanisms to secure a critical infrastructure, we decided to follow this area of standardization.

• TR 103-309 - Secure by Default, platform security technology - This area of standardization aims to encourage the development and adoption of 'secure by default' platform security technologies by showing how they can be used to effectively solve real business problems and improve the usability of secure services. The main challenge identified by ETSI in this field is to achieve effective isolation without compromising usability. Enabling technologies in this sense are: trusted platform module, secure element, trusted execution environment. These coincide perfectly with the technologies used in SERECA, and therefore this area of standardization needs to be explored.

The consortium requested to become a member of TC-CYBER to continuously monitor the status of the standardization processes of interest.

1 http://www.etsi.org/index.php/news-events/events/1068-2016-06-security-week

2 http://www.etsi.org/technologies-clusters/technologies/cyber-security

7 Conclusions and Future Work

The document described Dissemination, Exploitation and Communication activities carried out in the first 12 months of the SERECA project, and presented the consolidated plans for the next months. The consortium has developed a comprehensive plan, covering a number of activities, and in particular: i) publication in top tier conferences, ii) presentations to a variety of stakeholders, and iii) participation in events organized by the EC. The plan is being implemented via multiple channels, including: the project Web site, social media (both Twitter and Facebook), press, TV, and - importantly - human interaction. The target audience included:

• The scientific community - The consortium published and submitted quite a few papers in top tier conferences, and more are on the way. Project results have been presented to students of PhD programs. Partners have cooperated with other projects in the cloud domain.

• The industrial world - Project results have been presented to the Principal Investigators of the R&D departments of major companies, including Intel. The Unique Selling Points of the SERECA technology have been illustrated in meetings with potential customers.

• The local governments - Consortium representatives have interacted with representatives of local governments, and paved the way for synergies with EC funds that are managed locally.

• End users and the public at large - Meetings with potential end users of SERECA outputs (both the applications and the underlying platform) have been arranged, and presentations and demos given. SERECA representatives have participated in events targeting the society in general. Press releases and a TV interview were given.

Results demonstrate that the project has successfully raised awareness about its technical value - as well as its potential in terms of real take up - among stakeholders. Partners are very much involved in joint and individual exploitation plans, which they are pursuing with concrete actions, including funding of a start-up and enabling synergies between European Structural and Investment Funds, Horizon 2020 and other research, innovation and competitiveness-related Union programmes. Collaboration with other European projects in the cloud security domain has been fruitful, and will be strengthened in the next months.

47 48 Bibliography

[1] Andrew Baumann, Marcus Peinado, and Galen Hunt. 2015. Shielding Applications from an Untrusted Cloud with Haven. ACM Trans. Comput. Syst. 33, 3, Article 8 (August 2015), 26 pages.

[2] F. Schuster, M. Costa, C. Fournet, C. Gkantsidis, M. Peinado, G. Mainar Ruiz, M. Russinovich, Vc3: Trustworthy data analytics in the cloud using sgx, in: 2015 IEEE Symposium on Security and Privacy, 2015, pp. 38-54.

[3] Chia-Che Tsai, Kumar Saurabh Arora, Nehal Bandi, Bhushan Jain, William Jannen, Jitin John, Harry A. Kalodner, Vrushali Kulkarni, Daniela Oliveira, and Donald E. Porter. 2014. Cooperation and security isolation of library OSes for multi-process applications. In Proceedings of the Ninth European Conference on Computer Systems (EuroSys ’14). ACM, New York, NY, USA, Article 9, 14 pages.

49