B. External interface shielding
Trusted operating systems are very widespread and there is a lot of demand for them, especially from popular services such as Memcached and Redis. This is because such services communicate with other tasks over TCP channels that are not encrypted (that is, without TLS) and write to stdout and stderr directly [1].
To protect such services inside secure containers, SCONE offers a set of shields [1]. The first thing this set of shields deals with is preventing low-level attacks, for example the operating system kernel controlling the buffer sizes and pointers passed to the service. The second thing it focuses on is guaranteeing the integrity and confidentiality of application data that passes through the operating system [1]. The shields are provided to the services by a dedicated shield library [1]. SCONE provides shields for the encryption of console streams, the encryption of files, and the encryption of communication channels through TLS [1].
When a file descriptor is opened, SCONE can associate the descriptor with a shield. A shield also has configuration parameters, which are encrypted and can be accessed only after the enclave has been initialized. Note that the shields described below focus only on application data and do not check data maintained by the OS (e.g. file system metadata). If the integrity of such data is required, further shields can be added.
• File system shield. The file system shield protects the integrity and confidentiality of files. Files are authenticated and encrypted. For the file system shield, a container image producer must define three disjoint sets of file path prefixes. The first set covers unprotected files, the second covers encrypted and authenticated files, and the third covers authenticated files. When a file is opened, the shield determines the longest matching prefix for the file name. Depending on the match, the file is authenticated, encrypted, or simply passed through to the host OS.
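As an added illustration (my own Go sketch, not code from the SCONE paper or its shield library), the following models the prefix configuration just described: three disjoint sets, a check that they really are disjoint, and the longest-prefix rule applied on open(). Treating paths that match no prefix as passed through is an assumption made here, not something the text states.

```go
package main

import "strings"

// Class is the protection a path receives; each prefix set confers one class.
type Class int

const (
	Passthrough   Class = iota // unprotected: passed straight through to the host OS
	Encrypted                  // encrypted and authenticated
	Authenticated              // authenticated only
)

// Set is one prefix set from the image producer's configuration and the class it confers.
type Set struct {
	Prefixes []string
	Class    Class
}

// Policy is the full configuration: the three sets, which must be disjoint.
type Policy []Set

// Disjoint reports whether no prefix appears in two sets; a duplicate would make the
// longest-prefix rule ambiguous, so a shield should refuse such a configuration.
func (p Policy) Disjoint() bool {
	seen := map[string]Class{}
	for _, s := range p {
		for _, pre := range s.Prefixes {
			if other, dup := seen[pre]; dup && other != s.Class {
				return false
			}
			seen[pre] = s.Class
		}
	}
	return true
}

// Classify mimics open(): the longest matching prefix wins, so a more specific prefix
// overrides a shorter one. Paths matching no prefix pass through (an assumption here).
func (p Policy) Classify(path string) Class {
	best, cls := -1, Passthrough
	for _, s := range p {
		for _, pre := range s.Prefixes {
			if strings.HasPrefix(path, pre) && len(pre) > best {
				best, cls = len(pre), s.Class
			}
		}
	}
	return cls
}
```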
The file system shield divides files into blocks of a fixed size. For every block, the shield keeps an authentication tag and a nonce in a metadata file. The metadata file is itself authenticated, so that alterations can be detected. The keys used to encrypt and authenticate files, as well as the three prefix sets, are part of the configuration parameters given to the file system shield at startup. For persistent file systems, the authentication tag of the metadata file is also part of the configuration parameters of the file system shield. At runtime the metadata is kept inside the enclave.
Container services typically use a read-only file system and treat writes as temporary. While processes in a secure container can access the standard Docker tmpfs, doing so requires expensive communication with the kernel and its file system implementation. As a lightweight alternative, SCONE also maintains a secure temporary file system within its file system shield. The shield guarantees the integrity and confidentiality of temporary files. The temporary file system keeps the state of modified files in non-enclave memory. According to the evaluation [1], the performance of temporary files is better than that of tmpfs.
The temporary file system implementation also protects against rollback attacks. When the container process restarts, the file system returns to an initial startup state that is authenticated by the file system shield, so a malicious user cannot roll the file system back to a previous state. The same holds at runtime, because the metadata for the files' blocks remains inside the enclave.
• Network shield. Some container services, like Apache and NGINX, encrypt network traffic themselves; others, like Redis and Memcached, lack such protection and rely on a proxy that terminates the encrypted connection and forwards the traffic to the service in plaintext. Such a setup is suitable only for data centers in which the connection between the proxy and the service is considered trusted, which is inconsistent with the threat model. For example, a malicious user could control the unprotected channel between the proxy and the service and modify the data. Consequently, for secure containers, a TLS network connection must be terminated inside the enclave.
SCONE allows clients to establish secure tunnels to container services using TLS. It wraps all socket operations and redirects them to the network shield. The network shield, upon establishing a new connection, performs a TLS handshake and encrypts and decrypts all data transferred over the socket. This approach requires no client- or service-side changes. The private key and certificate are read from the container's file system, so they are protected by the file system shield.
• Console shield. Container environments allow authorized processes to attach to the stdin, stdout, and stderr console streams. To guarantee the integrity of application data transferred over these streams, SCONE supports transparent encryption for them. The symmetric encryption key is exchanged between the secure container and the SCONE client during the startup procedure. Console streams are unidirectional, which means they cannot be protected by the network shield, whose underlying TLS implementation requires bidirectional streams. A console shield encrypts a stream by splitting it into variable-sized blocks based on flushing patterns. A stream is protected against replay and reordering attacks by assigning each block a unique identifier, which is checked by the authorized SCONE client.
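An added sketch in Go (not SCONE's implementation) of the console shield's stream protection: each flush becomes one variable-sized block sealed under a strictly increasing identifier, and the receiving client accepts a block only if it carries the identifier it expects next, so replayed or reordered blocks are refused before any decryption. Using AES-GCM with the identifier as the nonce is an assumption of this sketch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Console is one end of a unidirectional console stream: the writer inside the container
// or the authorized SCONE client reading it. Each end tracks the next expected block id.
type Console struct {
	aead cipher.AEAD
	next uint64
}

// NewConsole derives an end from the symmetric key exchanged at startup.
func NewConsole(key []byte) *Console {
	b, _ := aes.NewCipher(key)
	a, _ := cipher.NewGCM(b)
	return &Console{aead: a}
}

// nonce turns the block id into the GCM nonce; ids never repeat, so nonces never repeat.
func nonce(id uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], id)
	return n
}

// Flush seals whatever the application flushed, however long, as the next block.
func (c *Console) Flush(plain []byte) (id uint64, sealed []byte) {
	id = c.next
	c.next++
	return id, c.aead.Seal(nil, nonce(id), plain, nil)
}

var ErrSequence = errors.New("console block replayed, dropped or reordered")

// Accept is the client side: a repeated or skipped id is rejected before any decryption,
// and a forged or modified block fails authentication.
func (c *Console) Accept(id uint64, sealed []byte) ([]byte, error) {
	if id != c.next {
		return nil, ErrSequence
	}
	plain, err := c.aead.Open(nil, nonce(id), sealed, nil)
	if err != nil {
		return nil, err
	}
	c.next++
	return plain, nil
}
```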