Imperial College London (IMP) has developed TaLoS, a library that is used as part of the SecureCloud auditing service. TaLoS securely terminates a TLS connection inside an SGX enclave and exposes a TLS API to an application that executes outside of the enclave. TaLoS can therefore act as a building block for applications that require a secure TLS termination point that is safest from interface by untrusted code. As part of TaLoS, it is possible to add trusted processing of the TLS connection payload by providing a callback function that is executed inside the SGX enclave by TaLoS. In the SecureCloud auditing service, this is used to securely log all service requests and responses. IMP has released TaLoS under the Apache open-source license on GitHub (https://github.com/lsds/TaLoS). As of June 2018, the TaLoS release has received 61 stars on GitHub, and it is among the most popular SGX projects. We had a number of third-party uses of TaLoS, both by academic researchers and by industry. The GitHub release of TaLoS includes detailed documentation that helps developers use TaLoS as a building block to create more trustworthy applications.

Imperial College London (IMP) has created the SecureCloud auditing service, which we released publicly on GitHub under the name LibSEAL (https://github.com/lsds/LibSEAL). LibSEAL uses the TaLoS library described abobe to securely log all requests and responses sent to a microservice. It maintains the secure log inside of an SGX enclave, and periodically runs checks over the log to identify violations of service integrity. The details of the design and implementation of LibSEAL has been published in a ACM EuroSys’18 paper. To the best of our knowledge, LibSEAL is the first example of the use of SGX technology for improving the accountability of Internet services. Accountability is an important requirements, and we have seen initial interest in LibSEAL by multiple companies, including Intel, Microsoft and IBM. We will maintain the LibSEAL software release as open source, and explore further use cases for the LibSEAL implementation.

Imperial College London (IMP) has developed a new component for secure big data processing called SGX-Spark. SGX-Spark is a modified version of the Apache Spark framework, which runs compute tasks inside of SGX enclave. It maintains encrypted data on HDFS and moves the data inside of an SGX enclave, before encrypting it transparently and passing it to a task implementation. SGX-Spark uses the SGX-LKL technology in order to run a Java Virtual Machine (JVM) inside of an SGX enclave. Since SGX-Spark is still under heavy development, we have not yet released it as open source. We have discussed SGX-Spark with a number of companies, including Intel, Microsoft and Huawei, who all encouraged us to continue the open-source development of the project. Our plan is to release SGX-Spark by the end of the SecureCloud project and investigate whether its modifications can be upstreamed to the mainline Apache Spark repository.

SCONE is a platform to build and run secure applications with the help of Intel SGX (Software Guard eXtensions). In a nutshell, our objective is to run applications such that data is always encrypted, i.e., all data at rest, all data on the wire as well as all data in main memory is encrypted. Even the program code can be encrypted. SCONE helps to protect data, computations and code against attackers with root access. The main objective of SCONE is to make it as easy as possible to secure existing application as well as new cloud native applications: switching to SCONE is simple since applications do not need to be modified. SCONE supports the most popular programming languages like JavaScript, Python - including PyPy, Java, Rust, Go, C, and C++ but also some ancient languages like Fortran. Avoiding source code changes helps to ensure that applications can later run on different trusted execution environments. Moreover, there is no risk for hardware lock-in nor software lock-in - even into SCONE. SCONE can be used on top of Kubernetes, Ranger and Docker. We provide a tight integration with Docker Swarm. In case you are already using Docker stack files, we provide a simple way to secure your services and applications. We will provide a similar integration with Kubernetes later in 2018. SCONE scales better than competing solutions since it uses an advanced thread management and a very efficient way how to perform system calls. SCONE has an integrated secrets and configuration management - simplifying the distribution of secrets without application changes by performing an attestation of applications. SCONE will become part of one of the blockchain-based decentralised cloud computing platforms in 2018. State Of The Art: SCONE scales better than competing solutions like Graphene-SGX since it uses an advanced thread management and a very efficient way how to perform system calls. Unlike competing solutions, SCONE has an integrated secrets and configuration management - simplifying the distribution of secrets without application changes by performing an attestation of applications. Unlike competing solutions, SCONE has integrated local attestation and configuration service. SCONE verifies that the correct code is running before passing any configuration info to the application. This service ensures not only the code with the expected signature (MRENCLAVE) is running but also that it runs in the correct environment, i.e. the expected file system state and the correct operating system version was booted before it provides the code with its secrets.

CC is developing a distributed Secure Key-Value Store (KVS) that is integrated with the other components of SecureCloud. As such, Chocolate Cloud will primarily commercialize the KVS as part of the SecureCloud platform. This outputs key differentiators compared to existing distributed key-value stores are security provided by a combination of SGX and coefficient and/or data encryption, and native support for erasure coding, including network coding. The latter makes it possible to efficiently restore data on failed storage nodes. CC’s KVS has been demonstrated in a number of settings and is being tested by various partners in deployments at CloudSigma, TUD and UTFPR. It uses a microservice-based internal architecture and takes advantage of the SecureCloud platform and infrastructure services such as terminating SSL connections securely and the use of SGX-enabled orchestration and monitoring. However, CC has designed the KVS in such a way that it can also be deployed without these services. Particularly, it is possible to deploy it in environments without support for SGX, such as (at the time of writing) Google Cloud Platform, opening up a second avenue for commercialization.

CC has developed “CodingLib-SGX”, an erasure coding library for Random Linear Network Coding (RLNC) designed specifically for SGX. CC is unaware of other libraries that offer support for RLNC and SGX. CC has tested and evaluated its performance within CloudSigmas and TUDs SGX-compatible infrastructure. “CodingLib-SGX” has a structure and API that is the same as our non-SGX “CodingLib” erasure coding library currently used in our products. This means it can and will be swapped in our code base in any of our ongoing projects based on customer demands.

UniNE’s Secure Content-Based Routing is a message-passing service based on the publish-subscribe paradigm. It exploits trusted execution technology to build a message routing service in a secure enclave. SCBR executes a protocol for securely exchanging cryptographic keys between data producers and consumers, and the routing engine. Both publications and subscriptions are encrypted and signed, thus protecting the system from unauthorized parties observing or tampering with the information. SCBR combines a key exchange protocol and a state-of-the-art routing engine to provide both security and performance while executing under the protection of the secure enclave.

UniNE’s Secure Map Reduce is a proof-of-concept map-reduce implementation specially tailored for small- to medium-footprint batch processing micro-services. It is aimed at providing support for privacy sensitive applications defined by map and reduce routines expressed in Lua, an extension language. Lua is a lightweight and embedded scripting language, which makes it a natural fit for small applications as well as for running inside enclaves. The constraint that disallows system calls from secure enclaves is exploited in favor of security. By putting the language interpreter inside the protected area, besides the given application protection (privacy, integrity and data freshness) we also shield the system from malicious user code that diverts the purpose of defining computation on data (either map or reduce) to attempts of accessing peripherals (e.g., storage or network interface accesses). Our approach does not require any particular knowledge from the programmer of cryptographic mechanisms for implementing the map and reduce functions. Also, preserving privacy and integrity is not dependent in any way on the specific characteristics of the functions, simply taking advantage in this purpose of the standard trusted characteristics of the enclaves. Besides these advantages, our solution is easily maintainable relying on a standard Lua interpreter for code execution.

UniNE’s Secure Streams is a middleware framework for developing and deploying secure stream processing on untrusted distributed environments. Secure Streams supports the implementation, deployment, and execution of stream processing tasks in distributed settings, from large-scale clusters to multi-tenant cloud infrastructures. It adopts a message-oriented middleware, integrates SSL encryption and enclaved execution of Lua scripts, to deliver end-to-end security guarantees along data stream processing stages. Secure Streams can scale vertically and horizontally by adding or removing processing nodes at any stage of the pipeline, to dynamically adjust according to the workload. The design of Secure Streams is inspired by the dataflow programming paradigm: the developer combines together several independent processing components (mappers, reducers, sinks, shufflers, joiners, etc.) to compose specific processing pipes. Secure Streams components are packaged as regular containers, and are very practical to deploy and manage in combination with other microservices.

Kubernetes is an open-source project maintained by Google to automatically deploy, scale in and out, and manage containerized applications on computer clusters. The UniNE’s SGX-aware Kubernetes scheduler is an extension to Kubernetes adding support for orchestrating containers with the knowledge of the enclave technology available in the underlying hardware. It is a vertical implementation of mechanisms in several levels, including modifications in the Linux driver for SGX and a Kubernetes orchestrator plug-in. Standard monitoring layers in Kubernetes are leveraged to accurately collect enclave memory usage in the physical nodes so the orchestration plug-in can implement its policy. The complete system implements can efficiently schedule jobs requiring enclave support, as well as regular jobs, on a heterogeneous cluster. It guarantees that jobs submitted to a given host always fit within its current enclave memory limits. This is of particular relevance to avoid major performance penalties.

The usage of SGX, be it directly in an application or through SGX-based microservices, requires that the cloud environment adequately supports and exposes the SGX resources. Therefore, one important asset of the project is the SGX-Enabled OpenStack. This asset consists of a set of tools, for example: 1) modifications to the OpenStack compute provisioning service, Nova, to support the Intel versions of KVM that exposes SGX for virtual machines; 2) Ansible recipes to automatize the installation of server nodes that support either the SGX-enabled KVM or that rely on configurations to enable requirements for LXD-based nodes; 3) adaptations of the OpenStack authorization service, Keystone, to support role-based access control (RBAC) for the SecureCloud components that manage the configurations and secrets of SGX applications; 4) agents to integrate SGX related metrics in the OpenStack Monitoring-as-a-Service component, Monasca. This asset is of interest for companies that operate a private OpenStack cloud and want to harden its applications from internal and external attacks and to public cloud providers that want to offer SGX services to developers to build novel privacy and security-aware solutions.

There are several approaches for processing big data in the cloud. For data analysis that require a global view of the data, Apache Spark, described in a previous section, is the most popular. Nevertheless, some big data processing objectives require only that individual pieces of data are independently processed. One example is the execution of simulations that evaluate the status of the power grid, which is one of the SecureCloud use cases. Other examples include the transformation of data to compute user specific outputs (e.g., recommendations) or to load data into other systems (e.g., ETL). In such cases, the elasticity of the cloud can be fully exploited as the number of machines can be chosen based on cost or automatically adjusted in other to guarantee that the processing will be finished according to the desirable deadlines. If the data processing tasks can be mapped to this model, resources can be much more efficiently managed, in comparison to Spark, reducing costs and improving throughput. This asset consists of a set of tools (available through Docker repositories, e.g., SCONE, CAS), applications templates (which will be available on public Github repositories), and configurations to existing open-source tools (Kubernetes and Asperathos, configurations that will be available on public Github repositories). These tools and configurations that enable users to build applications that can process large amounts of data in a deadline- aware scalable fashion that also supports the confidentialities aspects provided by the SecureCloud project. The asset is open-source. By downloading images and tools from Docker registry and Github, a user can build secure big data processing applications based on Kubernetes Jobs. Nevertheless, to be able to put applications in production, users may need to license other project technologies, such as SCONE and/or the SGX-enabled OpenStack.