The most important principle in engineering any complex system is abstraction. In software engineering this is a very widely used mechanism. Programmers think in terms of services that are provided to them from a lower layer and services that they provide to a higher layer.

Take the operating system as an example. It provides an abstraction of the hardware used. A browser running on top is oblivious to whether it runs on an Intel or AMD processor. Its only concern is rendering web pages correctly.

These kinds of abstractions enable us to build extraordinarily complex systems. Unfortunately, imperfections in these abstractions often result in security vulnerabilities.

A problem in a lower layer will impact all layers built on top. To build truly trustworthy systems, we need to be able to reason about software at its own abstraction layer without losing generality. To achieve this, a more secure architecture is needed.

Confidential Computing Platforms

Confidential computing platforms such as Intel® Software Guard Extensions (SGX) can be used to build software modules called enclaves with extraordinarily strong security properties.

All attempts to access an enclave are checked directly by the hardware, which guarantees its isolation. No other software component on the platform needs to be trusted: only the processor and the developer of the enclave do.

Enclaves operate at software layers above the operating system. This means they can use services provided by the operating system, but they should not trust them.

For example, if an enclave wishes to connect to a network service it can do so; however, it is up to the enclave developer to ensure that network packets are properly protected (e.g., by setting up a TLS connection) when they are passed to or received from operating system services.

SGX’s isolation guarantees reduce the power of an in-kernel attacker to that of an attacker at the network level. Packets can be rearranged, duplicated, or dropped, but their contents will remain confidential and integrity protected.
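The two paragraphs above say that the enclave must protect its own traffic because the operating system sits at the level of a network attacker. The following Rust example is added here to make that concrete; it is not Fortanix EDP code and does not use the EDP API. It models an enclave-side receiver that authenticates every record it is handed and keeps an anti-replay window, so that reordering, duplication and loss introduced by the untrusted host are detected rather than silently accepted. The key pair, the record layout, and the names `Sender`, `Receiver`, `seal_record` and `demo` are all constructed for this example; SipHash-2-4 from the standard library stands in for a real authenticated-encryption scheme (it provides a 64-bit integrity tag only, no confidentiality, and a deployment would use TLS or an AEAD with keys from an attested handshake).

```rust
// Added example (not Fortanix EDP code): an enclave-side receiver that treats
// every record handed to it by the untrusted OS as network-level input that
// may have been reordered, duplicated, dropped or tampered with.
// The key is a constructed demo value; in practice it would be derived from a
// TLS handshake or an attested key exchange performed inside the enclave.
use std::hash::Hasher;
#[allow(deprecated)]
use std::hash::SipHasher; // SipHash-2-4 is a keyed PRF; used here as a 64-bit MAC

const SEQ_LEN: usize = 8; // record layout: [seq: u64 BE][payload][tag: u64 BE]
const TAG_LEN: usize = 8;
const WINDOW: u64 = 64; // anti-replay window width in sequence numbers

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Accepted(Vec<u8>),
    Malformed, // too short to carry a sequence number and a tag
    BadTag,    // payload or sequence number modified in transit
    Replayed,  // authentic record already accepted (duplicate)
    TooOld,    // authentic but older than the receive window (treated as dropped)
}

#[allow(deprecated)]
fn tag(k0: u64, k1: u64, seq: u64, payload: &[u8]) -> u64 {
    // The tag binds the sequence number to the payload, so the host cannot renumber records.
    let mut h = SipHasher::new_with_keys(k0, k1);
    h.write_u64(seq);
    h.write(payload);
    h.finish()
}

fn be_u64(b: &[u8]) -> u64 {
    let mut a = [0u8; 8];
    a.copy_from_slice(b);
    u64::from_be_bytes(a)
}

pub fn seal_record(k0: u64, k1: u64, seq: u64, payload: &[u8]) -> Vec<u8> {
    let mut rec = Vec::with_capacity(SEQ_LEN + payload.len() + TAG_LEN);
    rec.extend_from_slice(&seq.to_be_bytes());
    rec.extend_from_slice(payload);
    rec.extend_from_slice(&tag(k0, k1, seq, payload).to_be_bytes());
    rec
}

pub struct Sender { k0: u64, k1: u64, next_seq: u64 }
impl Sender {
    pub fn new(k0: u64, k1: u64) -> Self { Sender { k0, k1, next_seq: 0 } }
    pub fn seal(&mut self, payload: &[u8]) -> Vec<u8> {
        let rec = seal_record(self.k0, self.k1, self.next_seq, payload);
        self.next_seq += 1;
        rec
    }
}

pub struct Receiver {
    k0: u64, k1: u64,
    highest: Option<u64>, // highest authentic sequence number accepted so far
    seen: u64,            // bit i set <=> record (highest - i) already accepted
}
impl Receiver {
    pub fn new(k0: u64, k1: u64) -> Self { Receiver { k0, k1, highest: None, seen: 0 } }
    pub fn open(&mut self, record: &[u8]) -> Verdict {
        if record.len() < SEQ_LEN + TAG_LEN { return Verdict::Malformed; }
        let (head, tag_bytes) = record.split_at(record.len() - TAG_LEN);
        let (seq_bytes, payload) = head.split_at(SEQ_LEN);
        let seq = be_u64(seq_bytes);
        // Authenticate before touching any state: only genuine records may move the window.
        if tag(self.k0, self.k1, seq, payload) != be_u64(tag_bytes) { return Verdict::BadTag; }
        match self.highest {
            None => { self.highest = Some(seq); self.seen = 1; }
            Some(hi) if seq > hi => {
                let shift = seq - hi;
                self.seen = if shift >= WINDOW { 0 } else { self.seen << shift };
                self.seen |= 1;
                self.highest = Some(seq);
            }
            Some(hi) => {
                let back = hi - seq;
                if back >= WINDOW { return Verdict::TooOld; }
                if self.seen & (1u64 << back) != 0 { return Verdict::Replayed; }
                self.seen |= 1u64 << back;
            }
        }
        Verdict::Accepted(payload.to_vec())
    }
}

/// Drives one session through a simulated hostile host and returns the enclave's verdicts.
pub fn demo() -> Vec<Verdict> {
    const K0: u64 = 0x0123_4567_89ab_cdef; // constructed demo key
    const K1: u64 = 0xfedc_ba98_7654_3210;
    let mut tx = Sender::new(K0, K1);
    let mut rx = Receiver::new(K0, K1);
    let recs: Vec<Vec<u8>> = (0..5).map(|i| tx.seal(format!("msg{}", i).as_bytes())).collect();
    let mut tampered = recs[4].clone();
    tampered[SEQ_LEN] ^= 0x01; // host flips one payload bit
    let after_gap = seal_record(K0, K1, 100, b"late"); // genuine record; the 95 before it were dropped
    let delivered = vec![
        recs[1].clone(), recs[0].clone(), // reordered
        recs[1].clone(),                  // duplicated
        recs[3].clone(),                  // recs[2] dropped
        tampered, recs[4].clone(),
        after_gap, recs[2].clone(),       // recs[2] finally arrives, far behind the window
    ];
    delivered.iter().map(|r| rx.open(r)).collect()
}

fn main() {
    for v in demo() { println!("{:?}", v); }
}
```

Running `demo()` yields, in order: accepted, accepted, replayed, accepted, bad tag, accepted, accepted, too old. The design point is that the tag is checked before any ordering state is updated, so the host can only influence which genuine records the enclave sees and when, never what they contain, which is exactly the network-attacker power the paragraph above describes.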

Enclave Development Platform

Intel® SGX enables us to replace the hierarchical trust model of typical software architectures with a zero-trust model. To achieve this, SGX enclaves must be written meticulously. Fortanix developed the Enclave Development Platform (EDP) specifically for this purpose. EDP enables software engineers to build trustworthy enclaves by taking care of three requirements:

  1. a secure development environment,
  2. a secure API that software engineers can program against, and
  3. proper state sanitization upon entry and exit of enclaves.

EDP enables software engineers to write enclaves in Rust. This modern, type- and memory-safe language prevents many of the security issues that software written in languages such as C/C++ faces.

Issues like buffer overflows, use after free, and race conditions are caught at compile time, without the memory and performance costs of the garbage collectors that languages such as Go, C#, and Java rely on for memory safety. Rust also supports high-level programming constructs that can significantly simplify source code, reduce complexity, and minimize the chance of logical errors.

Intel® SGX enforces that enclaves can only be accessed through entry points specified at compile time. Once an enclave is called, the processor needs to be put in a secure state.

Similarly, when execution control returns from the enclave, sensitive data needs to be completely erased from the processor state; failure to do so may leak sensitive data. EDP guarantees processor state sanitization upon enclave entry/exit.

This will be detailed in a future blog post.