Panoply

Low-TCB Linux Applications with SGX Enclaves

Panoply Overview

Intel SGX, a new security capability in emerging CPUs, allows user-level application code to execute in hardware isolated enclaves. Enclave memory is isolated from all other software on the system, even from the privileged OS or hypervisor. While being a promising hardware-rooted building block, enclaves have severely limited capabilities, such as no native access to system calls and standard OS abstractions. These OS abstractions are used ubiquitously in real-world applications.

We present a new system called Panoply which bridges the gap between the SGX-native abstractions and the standard OS abstractions which feature-rich, commodity Linux applications require. Panoply exposse the standard POSIX abstractions to application logic, including access to filesystems, network, multi-threading, multi-processing and thread synchronization primitives. Further, Panoply enforces a strong integrity property for the inter-enclave interactions, ensuring that the execution of the application follows the legitimate control and data-flow even if the OS misbehaves. Thus, commodity Linux applications can enhance security by splitting their application logic in one or more enclaves, or by importing enclave-libraries, with little effort. In contrast to previous systems that enable comparable richness, Panoply offers two orders of magnitude lower TCB.


Before we begin with Panoply

Panoply is implemented on top of the Intel SDK 1.6 shipped for Linux Kernel v3.13. Panoply comprises of a set of API libraries and build extensions. Before you start using Panoply, you should setup a stable Intel SDK developement environment. Then you can quickly test the Panoply applications. Please follow the instructions below, if you are starting from a fresh non-SGX environment. If you have an existing SGX developement environment, then proceed directly to the demo instructions.

The Linux SGX developer environment comprises of hardware with SGX support, bios support for SGX, the SGX driver, the SGX SDK, and the SGX Platform Software. Out of these, the hardware support depends on your processor and the BIOS support is provided by the vendor. The SGX driver, SDK and PSW are provided by Intel.

Hardware Support and BIOS Settings

Software Requirements

Following is the software configuration required for Intel SGX SDK and Panoply.


Intel SGX Setup

Build and Install Intel SGX Driver

Version 1.6

Build and Install Intel SGX SDK and Intel SGX PSW

Version 1.6

Resources for Troubleshooting

Intel Developer Zone:

Intel Documentation:


Running Sample code from SGX SDK

Before you start with Panoply, you should ensure that you are able to execute SGX applications. To do this, copy the sample code (the folder is located by default in /opt/intel/sgxsdk/SampleCode/SampleEnclave) to your workspace and build it (make all inside SampleEnclave folder). After sucesfully building the Sample, test it by running ./app


Panoply Demo

You can setup the OpenSSL demo on your own machine using the following steps.

Getting the Demo Code

You can download the demo code from the project branch

Executing the OpenSSL Demo Example

Extract the zip file

unzip Panoply-demo-openssl.zip

Build libssl and libcrypto libraries

cd Panoply-demo-openssl/topenssl/

make all -j8

This produces libssl.a and libcrypto.a files in the topenssl folder.

Copy the libraries to src folder

cp libcrypto.a libssl.a ../src/

Build the Enclave and the App

cd ../src/

make all

This produces a TopensslEnclave.signed.so file for enclave and an app file for the executable.

Run the app

./app sha1

The above command is just an example. You can try other tests for the OpenSSL benchmark. For running the complete benchmark, just run the app file without any arguments.

./app

Making changes to the App

The App.cpp file has the following code:

/* ret = TopensslEnclave_ecall_test_bm_ssl(global_eid, &ecall_return, argc, argv); */

ret = TopensslEnclave_ecall_test_speed_crypto(global_eid, &ecall_return, argc, argv);

You can modify the above code to execute the SSL test. Do the following changes to the code.

ret = TopensslEnclave_ecall_test_bm_ssl(global_eid, &ecall_return, argc, argv);        

/* ret = TopensslEnclave_ecall_test_speed_crypto(global_eid, &ecall_return, argc, argv); */

make all

./app -dhe1024dsa -bytes 102400 -num 10 -tls1 -server_auth -time


Case-studies and Benchmarks

The released case-studies and the benchmarks are available from the Panoply code repository

Case-studies

Benchmarks


FAQs

We have tested the demo in our development environment, and have tried our best to document the procedure to setup a similar environment on your machine. However, several things might go wrong in this process. Following is a list of all the issues we have seen in our experience.

I cannot run the demo. Is something wrong with my SGX SDK or Panoply setup?

Before starting the Panoply demo setup, ensure that you are able to execute the Sample application shipped with the Intel SDX SDK. If you are not able to execute the SDK Sample code, then something went wrong with your SDX SDK setup. However, if you were able to execute the sample code and only OpenSSL is failing, then perhaps its a Panoply-specific problem. Please drop me an email with the details of the bug / error / runtime failure logs.

I am getting a compile time error about “sgx-status.h”. Is something wrong with my setup?

The SGX SDK version you installed does not have this header file. Download the header file from here, and place it in the include directory of the SDK installation. The default location for the include direcroty is /opt/intel/sgxsdk/include and the file path is /opt/intel/sgxsdk/include/sgx_status.h

I do not have a machine with SGX Hardware support. How can I use Panoply?

Yes, you can setup the SDK in simulation mode for non-SGX machines. Please refer to the Intel Installation Guide to know more about how to setup the simulation enviroment. After the setup, make sure you are able to run the Sample code shipped with the SDK inside the VM. Then, simply follow the steps listed in the Panoply demo setup guide.

I don’t have a linux machine with the required OS and / or kernel version. Can I still try out Panoply?

Yes, you can create a Ubuntu 14.04 VM and install Intel SGX SDK for simulation mode. This will allow you to execute SGX applications. After the setup, make sure you are able to run the Sample code shipped with the SDK inside the VM. Then, simply follow the steps listed in the Panoply demo setup guide.


Publications


Contact

Panoply Team

Shweta Shinde: Project Maintainer

Dat Le Tien

Shruti Tople

Priya Deb

Prateek Saxena

Support

Having trouble with Panoply? Check out our FAQ or tell us about it directly and we’ll help you sort it out.

Announcements

Want to get future updates for Panoply? Join our Google Group.

Acknowledging Panoply


Acknowledgements

Intel

We thank Mona Vij and Simon Johnson from Intel for their feedback.

National Research Foundation

This research was partially supported by a grant from the National Research Foundation, Prime Ministers Office, Singapore under its National Cybersecurity R&D Program (TSUNAMi project, No. NRF2014NCR-NCR001-21 ) and administered by the National Cybersecurity R&D Directorate.

National Research Foundation, Prime Ministers Office, Singapore