Review of "Shielding applications from an untrusted cloud with Haven"

21 Oct 2015

As cloud computing becomes more prevalent, more and more data is stored in the cloud, including sensitive data. Without special techniques, the security of your data therefore depends very much on the cloud provider: both the humans involved and the software and hardware running the cloud infrastructure. But we all know that such a dependency is not always dependable. How do we cope with that? Haven is a prototype that achieves shielded execution of unmodified legacy applications like SQL Server and Apache on a commodity OS and commodity hardware. SGX is used to defend against privileged code and physical attacks such as probes.

Two key features are used to provide shielded execution: Intel SGX and Drawbridge. Intel SGX protects the confidentiality and integrity of pages in an enclave, a region of user-mode address space. While cache-resident, enclave data is protected by CPU access controls. SGX also provides CPU-based attestation, which lets a remote system verify cryptographically that specific software has been loaded within an enclave and establish shared secrets with which it can bootstrap an end-to-end encrypted channel with the enclave. Besides protecting the content and integrity of memory mappings, SGX also mediates transitions into and out of the enclave and protects the enclave's register file from OS exception handlers. Drawbridge provides two core mechanisms, the picoprocess and the library OS. A picoprocess is a secure isolation container constructed from a hardware address space, but with no access to traditional OS services or system calls; instead, a narrow ABI of OS primitives is provided, implemented using a security monitor. The LibOS is a version of Windows 8 refactored to run as a set of libraries within the picoprocess, depending only on the ABI. Together, the picoprocess and the LibOS enable sandboxing of unmodified Windows applications with security comparable to virtual machines, but with much lower overheads. Together with Drawbridge, Haven enables mutual distrust between host and guest.
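The attestation step described above, as a toy model added here (it is not code from the Haven paper or from Intel): the remote party accepts a quote only if it is signed, names the expected enclave measurement, and binds the key used for the encrypted channel. Assumptions: an HMAC with a key the verifier also holds stands in for the CPU's asymmetric quote signature, the Diffie-Hellman group is deliberately tiny, and all names and sample values are constructed.

```python
import hashlib, hmac, secrets

# Toy stand-ins (assumptions): real SGX quotes carry an asymmetric signature;
# an HMAC key known to the verifier replaces it here. The DH group
# (prime 2**127 - 1) is far too small for real use.
PLATFORM_KEY = b"constructed-attestation-key"
P, G = 2**127 - 1, 3

def measure(image: bytes) -> bytes:
    """Stand-in for the enclave measurement: hash of the loaded code."""
    return hashlib.sha256(image).digest()

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def bind(nonce: bytes, pub: int) -> bytes:
    """Report data: ties the quote to this challenge and this channel key."""
    return hashlib.sha256(nonce + pub.to_bytes(16, "big")).digest()

def enclave_quote(image: bytes, nonce: bytes, pub: int):
    """Enclave/CPU side: sign the measurement plus the report data."""
    body = measure(image) + bind(nonce, pub)
    return body, hmac.new(PLATFORM_KEY, body, hashlib.sha256).digest()

def verify_quote(expected: bytes, nonce: bytes, pub: int, body: bytes, sig: bytes) -> bool:
    """Remote side: check signature, expected code, freshness and key binding."""
    good_sig = hmac.new(PLATFORM_KEY, body, hashlib.sha256).digest()
    return (hmac.compare_digest(sig, good_sig)
            and hmac.compare_digest(body[:32], expected)
            and hmac.compare_digest(body[32:], bind(nonce, pub)))

def channel_key(own_priv: int, peer_pub: int) -> bytes:
    """Both ends derive the same key once the quote has been accepted."""
    return hashlib.sha256(pow(peer_pub, own_priv, P).to_bytes(16, "big")).digest()

if __name__ == "__main__":
    image = b"constructed enclave image"          # constructed sample input
    nonce = secrets.token_bytes(16)               # verifier's fresh challenge
    e_priv, e_pub = dh_keypair()                  # generated inside the enclave
    v_priv, v_pub = dh_keypair()                  # generated by the remote party
    body, sig = enclave_quote(image, nonce, e_pub)
    print("genuine quote accepted:", verify_quote(measure(image), nonce, e_pub, body, sig))
    h_priv, h_pub = dh_keypair()                  # key substituted by the untrusted host
    print("substituted key accepted:", verify_quote(measure(image), nonce, h_pub, body, sig))
    print("keys match:", channel_key(e_priv, v_pub) == channel_key(v_priv, e_pub))
```

Because the channel key is hashed into the signed quote, an untrusted host that relays a genuine quote but substitutes its own key fails verification.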

Will this paper be influential in 10 years? Maybe. It provides a great way to secure cloud computing. But if it also supports other OSes, like CoreOS and Linux, I think the future will be even better.