Low-TCB Linux Applications with SGX Enclaves
Intel SGX, a new security capability in emerging CPUs, allows user-level application code to execute in hardware-isolated enclaves. Enclave memory is isolated from all other software on the system, even from the privileged OS or hypervisor. While being a promising hardware-rooted building block, enclaves have severely limited capabilities, such as no native access to system calls and standard OS abstractions. These OS abstractions are used ubiquitously in real-world applications.
We present a new system called Panoply which bridges the gap between the SGX-native abstractions and the standard OS abstractions which feature-rich, commodity Linux applications require. Panoply exposes the standard POSIX abstractions to application logic, including access to filesystems, network, multi-threading, multi-processing and thread synchronization primitives. Further, Panoply enforces a strong integrity property for the inter-enclave interactions, ensuring that the execution of the application follows the legitimate control and data-flow even if the OS misbehaves. Thus, commodity Linux applications can enhance security by splitting their application logic into one or more enclaves, or by importing enclave libraries, with little effort. In contrast to previous systems that enable comparable richness, Panoply offers two orders of magnitude lower TCB.
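To make the "even if the OS misbehaves" point concrete, here is an added illustrative sketch (not Panoply's code) of the kind of shim a POSIX-style read() needs inside an enclave: the enclave cannot issue the syscall itself, so it delegates to the untrusted host through an OCALL and must validate whatever the host returns before acting on it. The ocall_read function and the host_misbehaves flag are constructed stand-ins for the real enclave boundary.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed flag modelling a hostile OS that over-reports the byte count. */
static int host_misbehaves = 0;

/* Simulated OCALL (constructed): in a real SGX build this would cross the
 * enclave boundary into untrusted host code that performs the syscall. */
static ssize_t ocall_read(int fd, void *untrusted_buf, size_t len) {
    (void)fd;
    const char sample[] = "constructed sample data";   /* 23 bytes */
    size_t n = sizeof(sample) - 1;
    if (n > len) n = len;
    memcpy(untrusted_buf, sample, n);
    /* A lying host claims it wrote more than the buffer can hold. */
    return host_misbehaves ? (ssize_t)(len + 64) : (ssize_t)n;
}

/* Trusted side: the POSIX-looking read() the enclave code calls. */
ssize_t enclave_read(int fd, void *buf, size_t len) {
    unsigned char staging[256];         /* bounded host-visible area */
    if (len > sizeof staging) len = sizeof staging;
    ssize_t r = ocall_read(fd, staging, len);
    /* The host's return value is untrusted input: anything outside [0, len]
     * is a lie, and copying that many bytes would overrun the enclave buffer. */
    if (r < 0 || (size_t)r > len) { errno = EIO; return -1; }
    memcpy(buf, staging, (size_t)r);
    return r;
}

/* Helpers so the two cases can be exercised by name. */
long honest_host_read_len(void) { char b[64]; host_misbehaves = 0; return (long)enclave_read(0, b, sizeof b); }
long lying_host_read_len(void)  { char b[64]; host_misbehaves = 1; return (long)enclave_read(0, b, sizeof b); }

int main(void) {
    printf("honest host: %ld bytes\n", honest_host_read_len());   /* 23 */
    printf("lying host:  %ld (rejected)\n", lying_host_read_len()); /* -1 */
    return 0;
}
```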
Panoply is implemented on top of the Intel SDK 1.6 shipped for Linux Kernel v3.13. Panoply comprises a set of API libraries and build extensions. Before you start using Panoply, you should set up a stable Intel SDK development environment. Then you can quickly test the Panoply applications. Please follow the instructions below if you are starting from a fresh non-SGX environment. If you have an existing SGX development environment, then proceed directly to the demo instructions.
The Linux SGX developer environment comprises hardware with SGX support, BIOS support for SGX, the SGX driver, the SGX SDK, and the SGX Platform Software (PSW). Out of these, the hardware support depends on your processor and the BIOS support is provided by the vendor. The SGX driver, SDK and PSW are provided by Intel.
Check if your machine is listed in the following list of hardware which supports Intel SGX https://github.com/ayeks/SGX-hardware
Ensure that you have enabled SGX support in your BIOS.
Run the test-sgx.c code from https://github.com/ayeks/SGX-hardware to quickly check if SGX is available for your CPU and enabled in BIOS.
Following is the software configuration required for Intel SGX SDK and Panoply.
Before you start with Panoply, you should ensure that you are able to execute SGX applications. To do this, copy the sample code (the folder is located by default in /opt/intel/sgxsdk/SampleCode/SampleEnclave) to your workspace and build it (run make all inside the SampleEnclave folder). After successfully building the Sample, test it by running ./app
You can set up the OpenSSL demo on your own machine using the following steps.
You can download the demo code from the project branch
unzip Panoply-demo-openssl.zip
cd Panoply-demo-openssl/topenssl/
make all -j8
This produces libssl.a and libcrypto.a files in the topenssl folder.
cp libcrypto.a libssl.a ../src/
cd ../src/
make all
This produces a TopensslEnclave.signed.so file for enclave and an app file for the executable.
./app sha1
The above command is just an example. You can try other tests for the OpenSSL benchmark. For running the complete benchmark, just run the app file without any arguments.
./app
The App.cpp file has the following code:
/* ret = TopensslEnclave_ecall_test_bm_ssl(global_eid, &ecall_return, argc, argv); */
ret = TopensslEnclave_ecall_test_speed_crypto(global_eid, &ecall_return, argc, argv);
You can modify the above code to execute the SSL test instead. Make the following changes to the code, then rebuild and run:
ret = TopensslEnclave_ecall_test_bm_ssl(global_eid, &ecall_return, argc, argv);
/* ret = TopensslEnclave_ecall_test_speed_crypto(global_eid, &ecall_return, argc, argv); */
make all
./app -dhe1024dsa -bytes 102400 -num 10 -tls1 -server_auth -time
The released case-studies and the benchmarks are available from the Panoply code repository
We have tested the demo in our development environment, and have tried our best to document the procedure to setup a similar environment on your machine. However, several things might go wrong in this process. Following is a list of all the issues we have seen in our experience.
Before starting the Panoply demo setup, ensure that you are able to execute the Sample application shipped with the Intel SGX SDK. If you are not able to execute the SDK Sample code, then something went wrong with your SGX SDK setup. However, if you were able to execute the sample code and only OpenSSL is failing, then perhaps it's a Panoply-specific problem. Please drop me an email with the details of the bug / error / runtime failure logs.
The SGX SDK version you installed does not have this header file. Download the header file from here, and place it in the include directory of the SDK installation. The default location for the include directory is /opt/intel/sgxsdk/include and the file path is /opt/intel/sgxsdk/include/sgx_status.h
Yes, you can set up the SDK in simulation mode for non-SGX machines. Please refer to the Intel Installation Guide to learn how to set up the simulation environment. After the setup, make sure you are able to run the Sample code shipped with the SDK inside the VM. Then, simply follow the steps listed in the Panoply demo setup guide.
Yes, you can create an Ubuntu 14.04 VM and install the Intel SGX SDK in simulation mode. This will allow you to execute SGX applications. After the setup, make sure you are able to run the Sample code shipped with the SDK inside the VM. Then, simply follow the steps listed in the Panoply demo setup guide.
Having trouble with Panoply? Check out our FAQ or tell us about it directly and we’ll help you sort it out.
Want to get future updates for Panoply? Join our Google Group.
Using Panoply in your research projects and want to acknowledge it? Just cite our NDSS’17 paper.
Panoply is released under Apache License, Version 2.0.
We thank Mona Vij and Simon Johnson from Intel for their feedback.
This research was partially supported by a grant from the National Research Foundation, Prime Minister's Office, Singapore under its National Cybersecurity R&D Program (TSUNAMi project, No. NRF2014NCR-NCR001-21) and administered by the National Cybersecurity R&D Directorate.