
SCONE Confidential Computing - Intel


Page 1: SCONE Confidential Computing - Intel

SCONE Confidential Computing

Contact [email protected]

Products https://sconedocs.github.io https://scontain.com

Page 2: SCONE Confidential Computing - Intel

SCONE Platform 2

Overview

SCONE Platform for Confidential Computing

1. Binary Runtime Encryption of applications: execute existing applications inside of SGX enclaves

2. Compiler-based Runtime Encryption of applications: SCONE supports cross-compiling applications to maximize safety and performance

3. Secrets management - provide an application with
   • assurance that services satisfy their security policies
   • attestation of code, files, platform, …
   • provisioning of services with secrets guided by security policies

Encryption at run-time, at rest, and in transit of data, code and keys.

Page 3: SCONE Confidential Computing - Intel


Overview

Binary Runtime Encryption

• Binary Runtime Encryption of applications: execute existing applications inside of SGX enclaves

• Alpine containers: SCONE supports musl-based applications

• Ubuntu (native, containers): SCONE supports glibc-based applications

• Shields: filesystem encryption, network encryption, …

Page 4: SCONE Confidential Computing - Intel


SCONE & Kubernetes

Confidential Cloud-Native Applications

• helm-based deployment of confidential applications on Managed Confidential Kubernetes

• Install confidential apps like native apps with Kubernetes helm

• Supports standard management applications and Kubernetes dashboards

• Supports many standard programming languages for confidential apps: Python, Java, JavaScript, Go, C#, C++, C, Rust, Lua, R, Erlang, Fortran, …

• Simple integration in cloud-native development process

Page 5: SCONE Confidential Computing - Intel

SconeApps: Simple Confidential Application Deployment

1. Confidential Machine Learning: TensorFlow, TensorFlow Lite, PyTorch, OpenVINO, …

2. Confidential Managed Databases: single instances, replicated, or horizontally scaled across a cluster. MariaDB, MongoDB, Redis, SQLite, MySQL, Cassandra, ScyllaDB, …

3. Confidential Standard Services: standard services like nginx, apache, memcached, squid, MongoDB, LDAP, … available as confidential applications installed via helm

4. Multi-Party Service: policy support for establishing trust between entities, e.g., for federated machine learning

Page 6: SCONE Confidential Computing - Intel

SCONE

Key Management

Problem: Key Management
- How to provide code with secrets without knowing any secrets yet?
- No change of App required

Page 7: SCONE Confidential Computing - Intel


SCONE

Configuration and Attestation Service

Approach: Attestation & Key Management. The key to get access to keys is the code itself.

Page 8: SCONE Confidential Computing - Intel


SCONE

Confidential Peer-to-Peer Apps

Problem: Mutual Attestation

How can we establish trust between peers (managed by different CASes)?

Page 9: SCONE Confidential Computing - Intel


SCONE

Configuration and Attestation Service

Approach: mutual attestation via CAS, with secure exchange of TLS (CA) certificates
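The key-management and attestation slides above (pages 6 to 9) describe the same mechanism from two sides: code never holds a secret up front, and a Configuration and Attestation Service releases secrets only to code whose attested measurement matches a policy. The following toy model is an added example, not SCONE's code or its CAS API. It assumes a SHA-256 hash of the loaded image as a stand-in for the SGX MRENCLAVE measurement, an HMAC under a constructed platform key as a stand-in for the quote signature (a real SGX quote is signed by the Quoting Enclave and verified against Intel's certificate chain), and constructed binaries and secrets. The CA certificate exchange of the mutual-attestation slide is modelled only as one more provisioned secret; the nonce check is added to show why a recorded quote must not be reusable.

```python
import hashlib
import hmac
import json
import secrets as pysecrets

# Constructed stand-in for the platform's quote-signing key. In real SGX the
# quote is signed by the Quoting Enclave, not MACed with a shared key.
QUOTING_KEY = b"constructed-quoting-key-for-demo-only"


def measure(enclave_binary: bytes) -> str:
    """Stand-in for MRENCLAVE: a hash of the code loaded into the enclave."""
    return hashlib.sha256(enclave_binary).hexdigest()


def _sign(body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(QUOTING_KEY, payload, hashlib.sha256).hexdigest()


def make_quote(enclave_binary: bytes, nonce: str) -> dict:
    """Enclave side: the platform measures the code and signs (measurement, nonce).
    The application itself contributes no secret at this point."""
    body = {"mrenclave": measure(enclave_binary), "nonce": nonce}
    return {"body": body, "sig": _sign(body)}


class ConfigurationAttestationService:
    """Toy CAS: holds policies and releases secrets only to code whose
    measurement matches an uploaded policy (hypothetical interface)."""

    def __init__(self):
        self.policies = {}       # mrenclave -> dict of secrets to provision
        self.issued_nonces = set()

    def upload_policy(self, expected_binary: bytes, secrets: dict) -> None:
        self.policies[measure(expected_binary)] = dict(secrets)

    def new_nonce(self) -> str:
        nonce = pysecrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return nonce

    def provision(self, quote: dict) -> dict:
        body = quote["body"]
        if not hmac.compare_digest(_sign(body), quote["sig"]):
            raise PermissionError("quote signature invalid")
        # One-shot nonce: a captured quote cannot be presented a second time.
        if body["nonce"] not in self.issued_nonces:
            raise PermissionError("stale or unknown nonce")
        self.issued_nonces.discard(body["nonce"])
        secrets_for_code = self.policies.get(body["mrenclave"])
        if secrets_for_code is None:
            raise PermissionError("no policy matches this measurement")
        return dict(secrets_for_code)


def demo():
    """Returns (secrets granted to approved code, modified code refused, replay refused)."""
    cas = ConfigurationAttestationService()
    approved = b"constructed: approved redis image"
    cas.upload_policy(approved, {
        "REDIS_PASSWORD": "constructed-password",
        "PEER_CA_CERT": "constructed-peer-ca-pem",   # models the CA exchange of page 9
    })

    # Matching code receives its secrets without ever holding them beforehand.
    granted = cas.provision(make_quote(approved, cas.new_nonce()))

    # A modified image has a different measurement and no matching policy.
    modified = b"constructed: approved redis image, altered"
    try:
        cas.provision(make_quote(modified, cas.new_nonce()))
        refused = False
    except PermissionError:
        refused = True

    # Presenting an already-consumed quote again is refused as well.
    q = make_quote(approved, cas.new_nonce())
    cas.provision(q)
    try:
        cas.provision(q)
        replay_refused = False
    except PermissionError:
        replay_refused = True
    return granted, refused, replay_refused


if __name__ == "__main__":
    print(demo())
```

The point the slides make ("the key to get access to keys is the code itself") is the lookup by measurement in `provision`: the policy is keyed by what the code is, not by any credential the application carries, which is why the application needs no change and starts with no secret.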

Page 10: SCONE Confidential Computing - Intel


SCONE

Roadmap: Integration of Graphene-SGX with CAS

Approach: Attestation & Key Management supporting other frameworks

Page 11: SCONE Confidential Computing - Intel

TEEMon: Monitoring Redis Performance

Chart comparing Graphene-SGX, SGX-LKL and native SCONE (chart data not recoverable from the page).

Page 12: SCONE Confidential Computing - Intel

TEEMon: Redis Page Faults Per Node

Chart (labels visible on the page: connection, 105M, 78M).