SCONE is a platform to build and run secure applications with the help of Intel SGX (Software Guard eXtensions). In a nutshell, our objective is to run applications such that data is always encrypted, i.e., all data at rest, all data on the wire and all data in main memory is encrypted. Even the program code can be encrypted. SCONE helps to protect data, computations and code against attackers with root access.

The main objective of SCONE is to make it as easy as possible to secure existing applications as well as new cloud-native applications: switching to SCONE is simple since applications do not need to be modified. SCONE supports the most popular languages – including PyPy, Java, Rust, Go, C and C++ – but also some ancient languages like Fortran. Avoiding source code changes helps to ensure that applications can later run on different trusted execution environments. Moreover, there is no risk of hardware lock-in or software lock-in – not even into SCONE.

SCONE can be used on top of Kubernetes, Ranger and Docker. We provide a tight integration with Docker Swarm: if you are already using Docker stack files, we provide a simple way to secure your services and applications. We will provide a similar integration with Kubernetes later in 2018.
SCONE will become part of one of the blockchain-based decentralised cloud computing platforms in 2018.

State Of The Art: SCONE scales better than competing solutions like Graphene-SGX since it uses advanced thread management and a very efficient way to perform system calls. Unlike competing solutions, SCONE has integrated secrets and configuration management, simplifying the distribution of secrets without application changes by performing an attestation of applications. Unlike competing solutions, SCONE has an integrated local attestation and configuration service. SCONE verifies that the correct code is running before passing any configuration information to the application. This service ensures not only that code with the expected signature (MRENCLAVE) is running, but also that it runs in the correct environment, i.e. with the expected file system state and the correct operating system version booted, before it provides the code with its secrets.
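As an added illustration (not SCONE's own code or API), the gate described above can be modelled as a policy check that releases secrets only when the enclave measurement and the environment measurements all match; the measurement values, field names and OS versions below are constructed placeholders.

```python
import hmac
from dataclasses import dataclass

# Constructed sample measurements (hypothetical hex values, not real SGX or SCONE output).
EXPECTED_MRENCLAVE = "a3f1" * 16          # 64 hex chars, shaped like a SHA-256 digest
EXPECTED_FS_STATE = "0c77" * 16           # hypothetical hash of the expected file system state
ALLOWED_OS_VERSIONS = {"4.15.0-sgx", "4.19.0-sgx"}  # hypothetical kernel versions

@dataclass(frozen=True)
class Policy:
    mrenclave: str
    fs_state: str
    os_versions: frozenset

def _same_digest(a, b):
    # Constant-time comparison so a mismatch leaks no timing information;
    # a missing (None) value never matches.
    return isinstance(a, str) and isinstance(b, str) and hmac.compare_digest(a.lower(), b.lower())

def check_report(report, policy):
    """Return the list of failed checks; an empty list means the enclave and its
    environment match the policy. Missing fields count as failures (fail closed)."""
    failures = []
    if not _same_digest(report.get("mrenclave"), policy.mrenclave):
        failures.append("mrenclave")
    if not _same_digest(report.get("fs_state"), policy.fs_state):
        failures.append("fs_state")
    if report.get("os_version") not in policy.os_versions:
        failures.append("os_version")
    return failures

def release_secrets(report, policy, secrets):
    """Hand out the application's secrets only when every check passes, else None."""
    if check_report(report, policy):
        return None
    return dict(secrets)

POLICY = Policy(EXPECTED_MRENCLAVE, EXPECTED_FS_STATE, frozenset(ALLOWED_OS_VERSIONS))
SECRETS = {"DB_PASSWORD": "constructed-example-value"}

if __name__ == "__main__":
    good = {"mrenclave": EXPECTED_MRENCLAVE, "fs_state": EXPECTED_FS_STATE, "os_version": "4.15.0-sgx"}
    # Correct code (same MRENCLAVE) but an unexpected file system: still no secrets.
    bad_env = dict(good, fs_state="dead" * 16)
    print(release_secrets(good, POLICY, SECRETS) is not None)   # True
    print(release_secrets(bad_env, POLICY, SECRETS))            # None
    print(check_report(bad_env, POLICY))                        # ['fs_state']
```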