Skip to content

Derived from CAT-SGX and elf-respect: Practical and Efficient in-Enclave Verification of Privacy Compliance

License

Notifications You must be signed in to change notification settings

StanPlatinum/Deflection

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Deflection (CAT-SGX)

Deflection is an SGX shielding runtime (SGX middleware) that can run nearly unmodified C/C++ code securely. Other than Graphene-SGX, SCONE, Occlum, etc., it can protect the code secrecy and data confidentiality at the same time.

This project is derived from elf-respect (https://github.com/StanPlatinum/elf-respect) and its compiler (https://github.com/StanPlatinum/elf-respect-compiler).


Although SGX can provide strong isolation and integrity assurance, code privacy may raise some concerns when using it in cloud environments.

So in this project, we are aiming at a new problem: how service providers build a Practical TEE that can ensure the privacy of both data providers and code providers, i.e., a solution that enables a user to verify whether a remote service (such as MLaaS) has the properties of confidentiality (and integrity) without touching the binary/source code.

We also provide a compiling toolset (currently supporting C code) which is applicable in the confidential verification/attestation (for the code producer).

We combine both SGX and PCC to design a new verification framework that makes the TCB as small as possible. Since Intel SGX only has a limit regarding memory usage - a very limited area, up to 128M in size, that can be protected by the processor at one time, making the TCB small becomes significant.

Specifically, the proof is (partially) generated from the outside of the enclave during the compiling and can be verified at runtime inside. Of course, the inside checker can cooperate with the outside compiler to make the checker as lightweight as possible.

Moreover, our method provides a new paradigm for PCC to use a TEE (such as Intel SGX) as an execution environment for trusted verification. We remove the VCGen (the compiler) from the trusted computing base.

Quick start

Make sure,

you have an 'SGX machine' (a machine whose CPU supports Intel SGX, with SGX Driver installed, and with SGXSDK installed in /opt/intel);

you have at least 10G memory (Swap could be included) and 100G disk space before having a try. It means probably the most suitable place for having fun with cat-sgx is a satisfiable Linux server machine.

The installation paths of other dependencies are in the same directory as cat-sgx by default.

./install.sh

A Hello World example

cd dynamic-loader-checker
make
./app

About

Derived from CAT-SGX and elf-respect: Practical and Efficient in-Enclave Verification of Privacy Compliance

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published