Towards an Open-Source Secure Enclave
By The Oasis Team and Keystone Team
In this post, we will introduce secure enclaves, how they help provide a secure computing environment, and the path towards building an open-source secure enclave.
What Are Secure Enclaves?
A secure enclave is a set of software and hardware features that together provide an isolated execution environment to enable a set of strong security guarantees for applications running inside the enclave. Specifically, secure enclaves can provide confidentiality, integrity, and attestation.
Confidentiality guarantees that an adversary outside of the enclave cannot inspect the state of execution inside the enclave — even if they compromise the operating system or execute a malicious application on the machine. In other words, confidentiality guarantees that data and code inside the enclave will remain secret at all times.
Integrity guarantees that an attacker outside of the enclave cannot affect the result of computation inside the enclave (aside from supplying inputs through the defined interface). In other words, integrity ensures correctness of the computation running inside the enclave even if the operating system has been compromised or a user attempts to subvert the execution of the program inside the enclave.
Finally, hardware-based attestation provides an unforgeable proof that enables a remote party to verify what has run inside the enclave even if they don’t have physical access to the machine.
A secure enclave thus provides a powerful cornerstone for secure computing and development of secure systems in general.
How Enclaves Support Secure Computation
Secure computation is a powerful abstraction whose main function is to protect the confidentiality and integrity of computations that operate on sensitive data.
There are already many applications for secure computing. For example, the shift to the cloud has highlighted the need for secure computing as more data is being stored and processed on remote machines, which are not under control of the user and may be shared with other (possibly malicious) users. Additionally, there is growing interest in computing over private data from multiple disparate sources. For example, mutually distrusting organizations may want to train collaborative machine learning models over their combined data.
One way to enable secure computation is to use cryptographic techniques such as homomorphic encryption and secure multi-party computation. However, state-of-the-art techniques in this domain are still many orders of magnitude slower than native computation, limiting their practical applications.
Secure hardware enclaves offer an alternative approach for enabling secure computation at minimal performance cost. As described earlier, secure enclaves enable a program to run computations over confidential data while providing strong isolation from other applications, the operating system, and the host. An enclave can attest to the correct execution of a program inside the enclave to a remote party.
Given their strong security guarantees and low performance overhead, enclaves make secure computation practical for a wide range of real-world applications.
Shortcomings of Existing Secure Enclaves
The major processor vendors have all deployed some secure enclave features — most notably Intel SGX and ARM TrustZone. However, there are still open challenges in building a trustworthy secure enclave.
The most critical shortcoming of existing implementations is a lack of transparency and verifiability. Kerckhoff’s principle for building secure cryptosystems states that security should depend only on protecting a secret key rather than relying on secrecy of the design or implementation.
This property is not met by existing enclaves, whose design and implementation are both closed-source. Although the interface to the enclave is often well-defined, implementation details have been uncovered only through painstaking reverse-engineering efforts by security researchers. These efforts have frequently revealed major vulnerabilities such as Foreshadow.
Intel has already issued a patch for these vulnerabilities. The discovery of the vulnerabilities, however, highlights the challenges of building secure enclaves on legacy general-purpose CPUs. In these designs, the secure enclave reuses existing resources such as memory and caches; it is more difficult to enforce isolation when secure resources are shared with insecure ones.
The Importance of Building an Open-Source Secure Enclave
“An open-source, security-first design is an important step towards building a trustworthy secure enclave.”
We believe that an open-source, security-first design is an important step towards building a trustworthy secure enclave. An open-source enclave design gives us — the developers and users — many advantages over existing closed-source systems.
First, an open-source design allows the community to openly evaluate and improve on the system. Second, it provides the ability to understand the impact of problems when they are found, and evaluate the consequences of the fix publicly. An open system can also take advantage of the growing set of tools for formal verification, which will enable formal proofs of correctness and security. Finally, an open-source secure enclave can be manufactured by any chip maker.
First Workshop on Building an Open-Source Secure Enclave
Recognizing the importance of building open-source secure enclaves, industry and academic leaders in secure hardware gathered yesterday at UC Berkeley for a new workshop on building open-source secure enclaves. Participating institutions and companies include Google, Facebook, Microsoft, Intel, ARM, Oasis Labs, and many others. We will post findings from the workshop in a future blog post.
Keystone: An Open-Source Secure Enclave
Keystone is an open-source secure enclave effort with the goal of building truly trustworthy secure enclaves. Keystone is a collaborative, open-source, RISC-V based hardware enclave developed jointly by researchers from UC Berkeley, MIT, Oasis Labs and other institutions. The team has extensive experience in hardware and architecture design, software security and hardware/software side-channels. Keystone utilizes existing hardware capabilities in RISC-V to enable a simple and secure enclave design. It is also designed to be a general research platform for secure hardware innovation and will be deployed for use in real RISC-V chips.
Why This is Important for Blockchain
A critical limitation of today’s smart contract platforms such as Ethereum is that all data and computation is public. These platforms cannot support applications that access sensitive data, since workers (and anyone else using the network) can easily steal the data.
At Oasis Labs we are building a new blockchain platform that provides confidentiality and privacy for smart contracts. By providing these key properties, Oasis can support many exciting new smart contract applications such as data markets, credit scoring, and decentralized insurance.
To provide these properties, Oasis is building a unified framework combining multiple state-of-the-art technologies for secure computing, including secure enclaves (the subject of this post) and cryptographic techniques such as secure multi-party computation and zero-knowledge proofs. The Oasis platform enables developers to choose and specify which secure computing technique they want to use, allowing developers to benefit from cutting-edge secure computing technologies without needing to be an expert in security and privacy.
For secure enclaves, developers can also specify the specific hardware to use (e.g. Keystone or Intel SGX). Oasis is compatible with any secure hardware satisfying the properties described in this post, hence Oasis will provide a diverse set of options for developers wishing to utilize secure enclaves. Oasis’s support for secure enclaves is an extension of our previous research project Ekiden from UC Berkeley, Cornell and UIUC.
Although Oasis allows developers to use secure enclaves (and other techniques) for data confidentiality, the Oasis protocol itself does not rely on secure enclaves. In other words, the integrity guarantees and high scalability of Oasis do not rely on secure enclaves. We’ll provide more details about the Oasis platform in our future blog posts.
How to Get Involved
This is an ambitious project and we look forward to working with the community to make this technology available to the world. If you’re excited about our mission there are several ways you can get involved:
For further information about Oasis Labs, please contact us at email@example.com.