scone: secure container technology & secrets management...• system software & application...

SCONE:SecureContainerTechnology&SecretsManagement

Sept2018

ChristofFetzer,TUDresden

https://sconedocs.github.io

SCONE:Application-OrientedSecurity

�2

Application

Objective: Ensure integrity and confidentiality of applications

Data Computation Communication

attacker

client


ThreatModel

�3

Application attacker

system administrator

(root, hardware access)

service provider administrator

(root, application rights)

client


Implication:OS-basedAccessControlInsufficient

�4

Application



client secret

dump memory

attacker




Weneedacryptographicapproach!

�5

Application



clientcrypto

TLS attacker




SCONE:E2Eencryptionwithoutsourcecodechanges

�6

Application - protected by

SCONE -



clientcrypto

TLS attacker

[SCONE] OSDI2016



Languages:C,C++,Go,Rust,Java,Python,R,…

DistributedApplications-spreadacrossclouds

�7

App



clientTLS attacker

App

App

back

endedge service

backend cloud

regional cloud

Initial Focus: Cloud Native Applications



Howdoweknowthatcorrectcodeexecutes?

�8

App



clientTLS attacker

App

App

back

end

controls

We need to attest that the

correct code is running!




➤ Use TLS to authenticate

➤ server app

➤ client app

➤ We ensure that only app with

➤ „correct code“ has access to TLS certificate

Approach:Allcommunicationisencrypted(TLS)

https://sconedocs.github.ioTLS: Transport Layer Security

TransparentAttestationduringStartup

�10

certificate: proves that application

• executes correct code,

• has the correct file system state, and

• in the correct OS environment, …

Configuration& AttestationService


TransparentP2PAttestationviaTLS

�11

We run our internal CA and only components belonging to the same app can talk to each other …

CertificateAuthority(integratedinCAS)


SecretsManagement

• SCONEhasintegratesecretsmanagement• SCONEcaninjectsecretsinto

• CLIarguments• environmentvariables• files(encrypted)

�12https://sconedocs.github.io

Example:MariaDB• Supportsencryptionofdatabase• Encryptionkeyofdatabasestoredinconfigfile

• fileprotectedviaOSaccesscontrol• fileisnotencrypted

• SCONE:• insteadofkey,storeavariableinconfig:

• $$SCONECAS:MARIADBKEY$$• SCONEtransparentlyreplacesvariablebyitsvalue(i.e.,thekey)

�13 https://sconedocs.github.io

ManagementofSecrets• Keyscanbeprotectedfromanyhumanaccess

• onlyattestedprogramsgetaccess• Tochangesecuritypolicy,approvalby

• byagroupofhumans,and/or• agroupofprogramsisrequired

�14

policy change

ok?

policy board

approval


CurrentImplementation

• IntelSGXprotectsapplication’s

• confidentiality• integrity

• bypreventingaccessesto• applicationstateincacheand

• encryptingmainmemory• SGXisaTEE(TrustedExecutionEnvironment)

�15

Application

SCONE librariesApplication libraries

Intel SGX enclave

SGX (Software Guard eXtensions) protects application from accesses by other software

host

Operating system

Container Engine

Hypervisor


Defender’sDilemma

• Attackers: • successbyexploitingasinglevulnerability

• Defender: • mustprotectagainsteveryvulnerability

• systemsoftware&application

• millionsoflinesofsourcecode

�16

Application

SCONE librariesApplication libraries

Intel SGX enclave

host

Operating system

Container Engine

Hypervisor

millions of

lines of codes(hundreds of bugs)

200k lines


SCONEplatform:DesignedformultipleArchitectures

�17

portable code

Intel AMD ARM

SGX main memory encryption

main memory encryption

???

SCONE:

no source code changesSCONE:

gcc-based crosscompiler

SCONE crossc

ompiler

Portability through cross-compilation


Enclave

Enclave

Enclave

UseCase:SCONE-PySpark

�18

DistributedD

ataStore

Py4J

Pipe

Pipe

Pipe

Python

Java

Driver

Worker

EnclaveTLS/S

SL

TLS/SSL

TLS/SSL

TLS/SSL

TLS/SSL

TLS/SSL


Latency

�19

Lowerthebetter

<22%overheadcomparedtonativeexecution

SCONE


�20https://sconedocs.github.io

scone: secure container technology & secrets management...• system software & application...

Documents