SCONE: Secure Container Technology & Secrets Management (slide transcript)
Slide 1: SCONE: Secure Container Technology & Secrets Management
Sept 2018
Christof Fetzer, TU Dresden
https://sconedocs.github.io
Slide 2: SCONE: Application-Oriented Security
Objective: Ensure integrity and confidentiality of applications
(diagram: an application with its data, computation and communication; a client talking to it; an attacker)
Slide 3: Threat Model
(diagram: application and client; attacker; system administrator (root, hardware access); service provider administrator (root, application rights))
Slide 4: Implication: OS-based Access Control Insufficient
(diagram: the client secret held by the application can be read by dumping memory; this is within reach of the attacker, the system administrator (root, hardware access) and the service provider administrator (root, application rights))
Slide 5: We need a cryptographic approach!
(diagram: client and application protected by crypto and TLS; attacker; system administrator (root, hardware access); service provider administrator (root, application rights))
Slide 6: SCONE: E2E encryption without source code changes
(diagram: application protected by SCONE; client connected via crypto/TLS; attacker; system administrator (root, hardware access); service provider administrator (root, application rights))
[SCONE] OSDI 2016
Languages: C, C++, Go, Rust, Java, Python, R, …
Slide 7: Distributed Applications - spread across clouds
(diagram: client connected via TLS to app instances on an edge service, a regional cloud and a backend cloud; attacker; system administrator (root, hardware access); service provider administrator (root, application rights))
Initial Focus: Cloud Native Applications
Slide 8: How do we know that correct code executes?
(diagram: as on slide 7, but the attacker controls one of the backend app instances)
We need to attest that the correct code is running!
Slide 9: Approach: All communication is encrypted (TLS)
➤ Use TLS to authenticate
  ➤ server app
  ➤ client app
➤ We ensure that only an app with „correct code“ has access to the TLS certificate
TLS: Transport Layer Security
Slide 10: Transparent Attestation during Startup
(diagram: application obtains its certificate from the Configuration & Attestation Service (CAS) at startup)
certificate: proves that the application
• executes correct code,
• has the correct file system state, and
• runs in the correct OS environment, …
Slide 11: Transparent P2P Attestation via TLS
Certificate Authority (integrated in CAS)
We run our internal CA and only components belonging to the same app can talk to each other …
Slide 12: Secrets Management
• SCONE has integrated secrets management
• SCONE can inject secrets into
  • CLI arguments
  • environment variables
  • files (encrypted)
Slide 13: Example: MariaDB
• Supports encryption of database
• Encryption key of database stored in config file
  • file protected via OS access control
  • file is not encrypted
• SCONE: instead of key, store a variable in config:
  • $$SCONECAS:MARIADBKEY$$
  • SCONE transparently replaces variable by its value (i.e., the key)
Slide 14: Management of Secrets
• Keys can be protected from any human access
  • only attested programs get access
• To change the security policy, approval is required by
  • a group of humans, and/or
  • a group of programs
(diagram: a policy change is submitted to the policy board, which decides "ok?" and returns the approval)
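The mechanism on slides 12 to 14, as an added illustration that is not SCONE's implementation: a config file holds only a $$…$$ reference (the spelling from the MariaDB slide), and the resolver substitutes the value only for a program whose attested measurement the policy allows. The config keys, the secret store and the measurement strings are constructed assumptions.

```python
import re

# Constructed MariaDB-style config: the database key never appears on disk,
# only a reference in the form shown on the slide. The option names are
# hypothetical, not MariaDB's real ones.
MARIADB_CONFIG = """[mariadb]
encryption_enabled = on
encryption_key = $$SCONECAS:MARIADBKEY$$
"""

# Hypothetical stand-ins for what CAS would hold: the secret values, and a
# policy listing the enclave measurements allowed to receive each secret.
SECRETS = {"SCONECAS:MARIADBKEY": "0123456789abcdef0123456789abcdef"}
POLICY = {"SCONECAS:MARIADBKEY": {"mrenclave-attested-mariadb"}}

PLACEHOLDER = re.compile(r"\$\$([A-Za-z0-9_:]+)\$\$")


class AccessDenied(Exception):
    """Raised when an unattested or unauthorised program asks for a secret."""


def references(config_text):
    """Return the secret references a config contains, without exposing values."""
    return PLACEHOLDER.findall(config_text)


def resolve_config(config_text, measurement, secrets=SECRETS, policy=POLICY):
    """Replace each $$NAME$$ with its secret, but only if `measurement` (the
    attested code identity of the requesting program) is allowed by the policy.
    An unknown name has no allowed measurements and is therefore refused."""
    def lookup(match):
        name = match.group(1)
        if measurement not in policy.get(name, set()):
            raise AccessDenied(f"{name}: measurement {measurement!r} not in policy")
        return secrets[name]
    return PLACEHOLDER.sub(lookup, config_text)
```

A program that is not the attested MariaDB build gets `AccessDenied` and never sees the key, which is the property the slides rely on for keeping keys away from human operators.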
Slide 15: Current Implementation
• Intel SGX protects the application's
  • confidentiality
  • integrity
• by preventing accesses to
  • application state in cache, and
  • encrypting main memory
• SGX is a TEE (Trusted Execution Environment)
(diagram: the application, its application libraries and the SCONE libraries run inside an Intel SGX enclave; the host consists of the operating system, container engine and hypervisor)
SGX (Software Guard eXtensions) protects the application from accesses by other software
Slide 16: Defender's Dilemma
• Attackers: succeed by exploiting a single vulnerability
• Defender: must protect against every vulnerability
  • in system software & application
  • millions of lines of source code
(diagram: the host stack of operating system, container engine and hypervisor is millions of lines of code (hundreds of bugs); the Intel SGX enclave with the application, application libraries and SCONE libraries is about 200k lines)
Slide 17: SCONE platform: Designed for multiple Architectures
(diagram: portable code compiled by the SCONE gcc-based cross compiler for Intel (SGX), AMD (main memory encryption) and ARM (???))
SCONE: no source code changes
SCONE: gcc-based cross compiler
Portability through cross-compilation
Slide 18: Use Case: SCONE-PySpark
(diagram: the Java driver and workers run in enclaves and communicate with Python processes, also in enclaves, via Py4J and pipes; all links between driver, workers and the distributed data store are TLS/SSL)
Slide 19: Latency
(chart: latency of SCONE versus native execution; lower is better)
<22% overhead compared to native execution