Confidential Computing

UK RISE Annual Conference 2020

●Compromise of confidentiality ●How to ensure that computing ●code and data are exposed in plain platforms are trustworthy and correct text on computing platforms software is run on them? ●when “in use” ●compromise of user data leading ●Making HW Root of Trust (RoT) to the loss of privacy available to guests in cloud deployments is challenging ●from constrained IoT devices to cloud deployments ●Compromise of IPR ●Compromise of code and data integrity ●e.g. algorithms, ML models,..

| Ilhan Gurel | 2020-11-30 | Open | Page 3 of 19 What does Confidential Computing mean?

●Code and data confidentiality can be achieved at runtime (“in use”) ●e.g. by means of HW based isolation and memory/CPU state encryption technologies ●Data confidentiality and integrity can be protected at rest, in use and in transit ●Code and data cannot be tampered and accessed from outside of the trust boundaries of a secure enclave/trust domain ●Code and data can be measured and attested. ●Confidential Computing is built upon the existing concepts of Trusted Computing

… and the relevant technologies allow all of these to be achieved both on bare metal and in virtualized environments

| Ilhan Gurel | 2020-11-30 | Open | Page 4 of 19 The relevant technologies

AWS Nitro Enclaves Intel MKTME Microsoft Project Cerberus MIT Sanctum Google Titan AMD SEV-SNP TPM 1.2 Intel SGX v1 AMD SEV v1.0 Intel SGX v2

ARM TrustZone TPM 2.0 ARM TrustZone-M RISC-V Keystone Intel TDX

2003 2005 2014 2015 2016 2017 2018 2019 2020

Intel MKTME (Multi Key Total Memory Encryption) AMD SEV (Secure Encrypted Virtualization) Intel TDX (Trust Domain Extensions) AMD SEV-SNP (Secure Encrypted Virtualization – Secure Nested Paging) Intel SGX (Software Guard Extensions)

| Ilhan Gurel | 2020-11-30 | Open | Page 5 of 19 The use cases

Password Protection of protection AI/ML Communication Internet of Things protection Application and VM Blockchain protection

Secure containers License management

Privacy preserving analytics and Encrypted workloads databases Secure Attestation bootstrapping of identities Protection of Confidential Computing Secure Crypto and Key packet Management use cases processing operations

| Ilhan Gurel | 2020-11-30 | Open | Page 6 of 19 The relevant open source projects

●Intel SGX SDK ●Apache Teaclave ●provided by Intel for developing Intel SGX secure ●Crypto API Toolkit (Intel SGX based softHSM) enclaves ●Baidu Rust SGX SDK ●provides libraries, headers, samples codes, tools ●Fortanix Rust SGX SDK and documentation ●Enarx ●Open Enclave SDK ●RISC-V Keystone ●open source SDK that mostly hides underlying enclave technology and initiated by Microsoft ●RISC-V HexFive ●Google Asylo ●Hyperledger Private Data Objects (Blockchain by Intel) ●open source SDK that mostly hides underlying enclave technology and initiated by Google ●The Confidential Consortium (CoCo) Framework (Blockchain by Microsoft) ●Google Project Oak: Control and end to end encryption of data in distributed systems ●Hyperledger Fabric Private Chaincode (Blockchain by IBM)

| Ilhan Gurel | 2020-11-30 | Open | Page 7 of 19 What else is happening?

●The Confidential Computing Consortium ●Growing number startup companies emerging ●Announced on August 21st, 2019 by the and providing services/products related to Linux Foundation Confidential Computing ●An industry wide effort ●Commercial availability of “Confidential Computing” capabilities by the cloud vendors ●to advance computational trust and security for next-generation computing ●Lots of academic research on ●to bring together HW and SW vendors, ●finding novel solutions utilizing Confidential cloud providers, developers, open source Computing Technologies experts and academics to accelerate the ●microarchitectural side channel attacks and confidential computing market mitigations ●to influence the relevant technical and ●some interesting projects such as Slalom, regulatory standards Project Graviton and CoSMIX

| Ilhan Gurel | 2020-11-30 | Open | Page 8 of 19 The solutions for encrypting applications, containers and VMs

OCI encrypted Intel SGX Protected VMware vSphere VM Enarx container images Code Launch (PCL) encryption

• Allows encryption • An application • PCL allows running • VMware vSphere VM container later deployment framework encrypted code and data encryption allows encryption of VM • Encryption can be • Support both AMD • “sgx_encrypt” tool images and VM disk done by using SEV an Intel SGX. encrypts the sections of images Containerd imgcrypt Intel TDX to follow a secure enclave library or skopeo tool (except .bss, .tbss, • Integration with • In case of AMD SEV, .dynamic, .debug,..) by vCenter Server and • Also see OCIcrypt and Enarx allows using AES GCM KMS the specification deployment of proposal. The work encrypted workloads • Content key is also includes to AMD SEV after provisioned y using a Kubernetes integration attestation and key sealing enclave IP provisioning processes enclave by using sgx_create_encrypt ed_enclave() | Ilhan Gurel | 2020-11-30 | Open | Page 9 of 19 What about Homomorphic Encryption?

●Homomorphic Encryption (HE) refers to an encryption scheme “that allows computation to be directly on encrypted data, without requiring any decryption in the process” ●Invented in 2009 ●but the origins go back to a paper (titled as “On Data Banks and Privacy Homomorphisms”) published by Ronald Linn Rivest and Len Adleman in 1978 ●(Ronald L. Rivest invented RSA algorithm together with Adi Shamir and Len Adleman in 1977) ●the existence of a Full HE scheme was demonstrated in 2009 by Craig Gentry ●Publicly available SW implementations are available: Microsoft SEAL , HELib (IBM) and PALISADE ●FHE is far from being practical due to massive overhead in computation and memory

| Ilhan Gurel | 2020-11-30 | Open | Page 10 of 19 Attestation is a process of measuring code and data; and reporting these measurements as digitally signed to a requesting entity, which can evaluate these measurements further according to known values or whitelists.

| Ilhan Gurel | 2020-11-30 | Open | Page 11 of 19 What is needed for a fully functional attestation mechanism ?

Relying HW RoT Attester Protocol Verifier Party

HW RoT for SW APIs for An attestation Being able to Relies on storage, reporting accessing crypto protocol between validate, verify attestation and measurement modules/the attestor and and evaluate verification results secure enclaves verifier attestation reports provided by the Crypto functionality Verifier functionality Efficient and Technical Attestation agent scalable protocol capabilities for Cryptographic and the relevant that can mitigate updating Applies specific identities for services known attacks whitelists, etc. actions based on attestation (e.g. replay attestation attacks) Keeping whitelists results up to date

| Ilhan Gurel | 2020-11-30 | Open | Page 12 of 19 IETF RATS (Remote ATtestation procedureS) architectural overview

Appraisal Policy Appraisal Policy for Evidence: for Evidence A set of rules that informs how a Verifier evaluates the validity of information about an Attester

Attester An entity providing evidence that must be appraised in order to infer the extent to which the Attester is considered trustworthy

Endorser An entity (typically a manufacturer) whose Endorsements help Verifiers appraise the authenticity of Evidence

Evidence A set of information (digitally signed) about an Attester that is to be appraised by a Verifier

Relying Party A role performed by an entity that depends on the validity of information about an Attester, for purposes of reliably applying application specific actions

Relying Party An entity (typically an administrator), that is authorized to configure Owner Appraisal Policy for Attestation Results in a Relying Party

Verifier A role performed by an entity that appraises the validity of Evidence about an Attester and produces Attestation Results to be used by a Relying Party

https://datatracker.ietf.org/doc/draft-ietf-rats-architecture/ | Ilhan Gurel | 2020-11-30 | Open | Page 13 of 19 Intel SGX DCAP overview

DCAP Provider Library

Relying party/Verifier Platform PCS

User Space Registration Service PCCS Application AESM Provisioning Certification Untrusted Caching Service ECDSA Quoting enclave TLS TLS Service

Secure enclave Provisioning enclave

/dev/sgx Kernel AESM Application Enclave Service Manager DCAP Data Center Attestation Primitives Intel SGX Driver Operated by non-Intel PCCS Provisioning Certificate Caching Server entities PCE Provisioning Certification PCK Provisioning Certification Key Operated by Intel PPID Platform Provisioning ID Reporting root key PCS Provisioning Certification Service Intel SGX capable CPU PSW Platform SW Seal root key QPL Quote Provider Library QGL Quote Generation Library QvE Quote Verification Enclave

| Ilhan Gurel | 2020-11-30 | Open | Page 14 of 19 Intel SGX DCAP attestation data

●Attestation report body includes the following ●Intel SGX DCAP attestation quote. (see information (see sgx_report_body_t) sgx_quote3_t)

| Ilhan Gurel | 2020-11-30 | Open | Page 15 of 19 Demo: PyTorch running in a secure enclave with encrypted input and output files

Platform

1. Attest Key Provisioning Server 3. Validate attestation response Secure Enclave data provided by Intel Trusted Services Graphene-SGX 4. Provision decryption key Pretrained data (encrypted) PyTorch Image file Operated by non-Intel (encrypted) entities 2. Validate attestation quote 5. Decrypt input files and process them Output result file (encrypted) Operated by Intel 6. Encrypt output file

Kernel Intel Trusted Services

Intel SGX capable CPU

Graphene-SGX: https://github.com/oscarlab/graphene/ https://arxiv.org/pdf/2009.04390.pdf

| Ilhan Gurel | 2020-11-30 | Open | Page 16 of 19 https://www.ericsson.com/en/security Are the secure enclave technologies secure? There is no binary “yes/no” answer to this question and the answer depends on:

Adversaries and their HW & SW security Deployments Supply chain security capabilities vulnerabilities

• adversaries with the • with or without • security • both HW and SW advanced technical physical access to vulnerabilities? supply chain capabilities such as devices? • are the known security being able to initiate • secure key vulnerabilities • well established powerful attacks generation and patched? vulnerability and provisioning? incident management processes?

| Ilhan Gurel | 2020-11-30 | Open | Page 18 of 19 Timeline of the microarchitectural side channel vulnerabilities

L1DES MFBDS MDSUM VRS CrossTalk SGXPectre Foreshadow-NG Spectre v1 SWAPGS CacheOut SGAxe PLATYPUS Spectre v1 Spectre v2 NetSpectre Meltdown ret2spec RIDL, Fallout and TSX Asynchronous Foreshadow SpectreRSB ZombieLoad Abort LVI Cross Line

January June July August May August November Jan March June August November 2018 2018 2018 2018 2019 2019 2019 2020 2020 2020 2020 2020

L1DES L1D Eviction Sampling LVI Load Value Injection MFBDS Microarchitectural Fill Buffer Data Sampling MLPDS Microarchitectural Load Port Data Sampling MDSUM Microarchitectural Data Sampling Uncacheable Memory RIDL Rogue In-flight Data Load VRS Vector Register Sampling TSX Transactional Synchronization Extensions | Ilhan Gurel | 2020-11-30 | Open | Page 19 of 19