Intel SGX, a new security capability in emerging CPUs, allows user-level application code to execute in hardware isolated enclaves. Enclave memory is isolated from all other software on the system, even from the privileged OS or hypervisor. While being a promising hardware-rooted building block, enclaves have severely limited capabilities, such as no native access to system calls and standard OS abstractions. These OS abstractions are used ubiquitously in real-world applications.
We present a new system called Panoply which bridges the gap between the SGX-native abstractions and the standard OS abstractions which feature-rich, commodity Linux applications require. Panoply exposse the standard POSIX abstractions to application logic, including access to filesystems, network, multi-threading, multi-processing and thread synchronization primitives. Further, Panoply enforces a strong integrity property for the inter-enclave interactions, ensuring that the execution of the application follows the legitimate control and data-flow even if the OS misbehaves. Thus, commodity Linux applications can enhance security by splitting their application logic in one or more enclaves, or by importing enclave-libraries, with little effort. In contrast to previous systems that enable comparable richness, Panoply offers two orders of magnitude lower TCB.
Panoply is implemented on top of the Intel SDK 1.6 shipped for Linux Kernel v3.13. Panoply comprises of a set of API libraries and build extensions. Before you start using Panoply, you should setup a stable Intel SDK developement environment. Then you can quickly test the Panoply applications. Please follow the instructions below, if you are starting from a fresh non-SGX environment. If you have an existing SGX developement environment, then proceed directly to the demo instructions.
The Linux SGX developer environment comprises of hardware with SGX support, bios support for SGX, the SGX driver, the SGX SDK, and the SGX Platform Software. Out of these, the hardware support depends on your processor and the BIOS support is provided by the vendor. The SGX driver, SDK and PSW are provided by Intel.
Check if your machine is listed in the following list of hardware which supports Intel SGX https://github.com/ayeks/SGX-hardware
Ensure that you have enabled SGX support in your BIOS.
Run the test-sgx.c code from https://github.com/ayeks/SGX-hardware to quickly check if SGX is available for your CPU and enabled in BIOS.
Following is the software configuration required for Intel SGX SDK and Panoply.
Before you start with Panoply, you should ensure that you are able to execute SGX applications. To do this, copy the sample code (the folder is located by default in /opt/intel/sgxsdk/SampleCode/SampleEnclave) to your workspace and build it (
make all inside SampleEnclave folder). After sucesfully building the Sample, test it by running
You can setup the OpenSSL demo on your own machine using the following steps.
You can download the demo code from the project branch
make all -j8
This produces libssl.a and libcrypto.a files in the topenssl folder.
cp libcrypto.a libssl.a ../src/
This produces a TopensslEnclave.signed.so file for enclave and an app file for the executable.
The above command is just an example. You can try other tests for the OpenSSL benchmark. For running the complete benchmark, just run the app file without any arguments.
The App.cpp file has the following code:
/* ret = TopensslEnclave_ecall_test_bm_ssl(global_eid, &ecall_return, argc, argv); */
ret = TopensslEnclave_ecall_test_speed_crypto(global_eid, &ecall_return, argc, argv);
You can modify the above code to execute the SSL test. Do the following changes to the code.
ret = TopensslEnclave_ecall_test_bm_ssl(global_eid, &ecall_return, argc, argv);
/* ret = TopensslEnclave_ecall_test_speed_crypto(global_eid, &ecall_return, argc, argv); */
./app -dhe1024dsa -bytes 102400 -num 10 -tls1 -server_auth -time
The released case-studies and the benchmarks are available from the Panoply code repository
We have tested the demo in our development environment, and have tried our best to document the procedure to setup a similar environment on your machine. However, several things might go wrong in this process. Following is a list of all the issues we have seen in our experience.
Before starting the Panoply demo setup, ensure that you are able to execute the Sample application shipped with the Intel SDX SDK. If you are not able to execute the SDK Sample code, then something went wrong with your SDX SDK setup. However, if you were able to execute the sample code and only OpenSSL is failing, then perhaps its a Panoply-specific problem. Please drop me an email with the details of the bug / error / runtime failure logs.
The SGX SDK version you installed does not have this header file. Download the header file from here, and place it in the include directory of the SDK installation. The default location for the include direcroty is /opt/intel/sgxsdk/include and the file path is /opt/intel/sgxsdk/include/sgx_status.h
Yes, you can setup the SDK in simulation mode for non-SGX machines. Please refer to the Intel Installation Guide to know more about how to setup the simulation enviroment. After the setup, make sure you are able to run the Sample code shipped with the SDK inside the VM. Then, simply follow the steps listed in the Panoply demo setup guide.
Yes, you can create a Ubuntu 14.04 VM and install Intel SGX SDK for simulation mode. This will allow you to execute SGX applications. After the setup, make sure you are able to run the Sample code shipped with the SDK inside the VM. Then, simply follow the steps listed in the Panoply demo setup guide.
Want to get future updates for Panoply? Join our Google Group.
Panoply is released under Apache License, Version 2.0.
We thank Mona Vij and Simon Johnson from Intel for their feedback.
This research was partially supported by a grant from the National Research Foundation, Prime Ministers Office, Singapore under its National Cybersecurity R&D Program (TSUNAMi project, No. NRF2014NCR-NCR001-21 ) and administered by the National Cybersecurity R&D Directorate.