Enclave Host Interface for Security

Loading...
Thumbnail Image
Journal Title
Journal ISSN
Volume Title
Perustieteiden korkeakoulu | Master's thesis
Date
2022-08-22
Department
Major/Subject
Security and Cloud Computing
Mcode
SCI3113
Degree programme
Master’s Programme in Security and Cloud Computing (SECCLO)
Language
en
Pages
51
Series
Abstract
Secure enclave technology has during the last decade emerged as an important hardware security primitive in server computer cores, and increasingly also in chips intended for consumer devices like mobile phones and PCs. The Linux Confidential Compute Consortium has taken a leading role in defining the host APIs for enclave access (e.g. OpenEnclave APIs). Earlier solutions for security isolation in mobile phones relied on so called Trusted Execution Environments, which are similar in hardware isolation, but serve primarily OEM device security use-cases, and the environments are access controlled by remote trust roots (code signatures). This thesis examines the security requirements for enclaves, visible through APIs and SDKs. An augmented IDE / SDK interface that accounts for security, including legacy considerations present with TEEs is also proposed. This thesis also attempts to improve developer experience related to development of trusted application by providing a tight integration with IDE and an expressive way to select methods which can be carved out of an existing rust application into a seperate trusted application. Furthermore, this thesis also discusses some common pitfalls while developing code for trusted applications and attempts to mitigate several of the discussed risks. The work plan includes a background study on existing TEE and enclave SDKs, a novel SDK augmentation that accounts for the features listed above, and a prototype implementation that highlights the enclave security needs beyond mere isolated execution. An IDE plugin is also implemented, that exemplifies how software engineers (with potentially limited security knowledge) can implement a trusted application service with enclave support such that the end result (enclave code) will run without information leakage or interface security problems.
Description
Supervisor
Ekberg, Jan-Erik
Thesis advisor
Rusanen, Antti
Keywords
trusted execution environment, enclave, trusted application, SDK, vsual studio code
Other note
Citation