Periodic Reporting for period 2 - SERECA (Secure Enclaves for REactive Cloud Applications)

Summary

Cloud security is a major concern to organisations that must comply with strict confidentiality and integrity policies. The lack of adequate security mechanisms is therefore a barrier to the broad adoption of cloud computing. Security is now a commercial imperative for cloud computing across a wide range of markets.
The Secure Enclaves for REactive Cloud Applications (SERECA) project removes technical impediments to secure cloud computing, encouraging greater uptake of cost-effective and innovative cloud solutions in Europe. SERECA extends secure enclaves, a new hardware mechanism provided by commodity CPUs, to protect cloud deployments, thus empowering applications to ensure their own security without relying on potentially untrusted public cloud operators. The innovations that SERECA provides will help place Europe at the forefront of secure cloud operations. SERECA has validated its results through the development of two innovative and challenging industry-led use cases: (i) monitoring a civil water supply network and (ii) a software-as-a-service application to analyse the performance of cloud applications. The project has therefore achieved the following three objectives:
1. Substantially improve the state-of-the-art in cloud security for interactive, latency-sensitive applications by developing innovative and effective mechanisms to enforce data integrity, availability, confidentiality, and localisation based on secure CPU hardware.
2. Seamlessly integrate the new security features into the standard cloud stack and its expected characteristics of scalability, elasticity, and availability, so as to encourage easy application migration to the cloud without compromising application responsiveness or complicating application management.
3. Convincingly validate and demonstrate the benefits of our approach by applying it to realistic and demanding industrial use cases.

Work performed

The technology developed by SERECA has six unique selling points:
• USP1: SERECA uses Intel’s SGX technology to ensure confidentiality. Sensitive data is kept in memory in an encrypted form and only the application itself has access to the memory. SERECA applications can leverage the SGX technology either in a transparent or non-transparent manner with small changes.
• USP2: SERECA uses SGX to ensure integrity. The integrity of the application is protected, i.e., only the unmodified original applications can access the data.
• USP3: SERECA does not require any cloud changes. SERECA leverages SGX-enabled containers to ensure the security of data without requiring changes to the cloud stack itself.
• USP4: SERECA benefits from a microservice pattern. SERECA takes advantage of a microservice architecture, which fits with the requirement for high performance and reliability.
• USP5: SERECA ensures ease-of-use. SERECA applications are supported transparently and configured through high-level APIs.
• USP6: SERECA enforces secure communication between microservices. Communication between microservices is protected using AES encryption and SHA256.

Final results

The progress beyond the state of the art was realised as part of four technical work packages:
• In Work Package 1, the project investigated approaches to provide cloud applications with a secure execution environment using Intel Software Guard Extensions (SGX). We succeeded in creating a custom toolchain to run existing applications on SGX. By running the application on SGX, the application's data is protected against manipulation and eavesdropping, even from attackers with access to the hardware. SERECA can run a variety of existing software securely, including web servers (Apache, NGINX), data stores (Memcached, Redis, SQLite) and managed runtimes (Java VM, JavaScript V8) on an otherwise untrusted cloud infrastructure.
• In Work Package 2, we extended the Vert.x framework with secure communication channels. In addition, to account for the fact that modern applications spanning multiple servers require coordination, we developed a secure coordination service that protects data confidentiality. For ease of deployment, we added transparent support for existing Linux binaries using a library OS approach. Finally, we added support for deploying distributed enclave applications using Docker Swarm.
• In Work Package 3, we created a set of reusable services that form the foundation of our use case applications. The services make it possible to store data securely, recover after a failure, and control the placement of data within geographic boundaries. The latter is important for complying with regulatory requirements.
• In Work Package 4, we developed two use case applications to showcase the SERECA innovations. As our first use case, we re-engineered an existing version of a water supply monitoring system to run securely in the cloud. Our second use case is a performance monitoring system: sensitive performance data is collected and evaluated in a cloud-based system. SERECA protects the integrity and confidentiality of data in both cases.

Website & more info

More info: http://www.serecaproject.eu/.