We'll talk later, or you can read it while I discuss that. Sorry about that. Okay. So, yeah, let's start with designing for security, right? One of the interesting things when you look at security is, you know, what programming language can you use? This is a picture from Microsoft, actually, where they showed, you know, of all the bugs that they have had in their software over the past, you know, 12 years, which of those were caused by memory safety issues and which were other types of bugs. So, about 70 percent of all their security issues were memory safety issues, right? So, sure, I mean, if you are really focused on something and working on your own, you can probably write memory-safe code, but doing it at the scale of a large company, or just any large project, is basically impossible. So, that's why I think Rust is the best way to go for secure enclaves, right? You have this minimal environment, so you probably can't pull in all the dependencies that you would need for, like, a JVM or something like that. So, you're stuck with choosing something lower level. But, you know, of course, you've identified something you want to be super secure. So, why C, right? So, we're using Rust.

So, some of the cool features of Rust are guaranteed memory and type safety. There's static analysis built right into the compiler, right? 25 years of programming language and static analysis research that is just available right there. A very good way to deal with errors: you cannot ignore errors in Rust, but it's not hard to deal with them either. So, that's really good. Very good concurrency primitives, and, like I said, basically no runtime, right? You can just compile it down to the bare metal, which is what we need to do in this environment.

Okay. So, the next thing that we're thinking about, when you're designing something for security purposes, is the interface that you expose to the outside world, all right?
The interface is the number one attack point for an adversary. So, you'd better think long and hard about what you are going to expose there and how you are going to deal with whatever an attacker might throw at you, right? So, if you use an interface like a binary function call interface, like you might find in, you know, the C calling convention or even the Linux syscall calling convention, it's very hard to get these things correct. You can have variable-length structures. You can have time-of-check to time-of-use issues. You can have padding issues and things like that, right? So, regarding the padding issue, you know, this was an issue with the Intel SGX SDK. So, this is an excerpt from the developer guide from Intel where they say, okay, you know, you've got to be aware: you don't put padding in the structures that you're using in your enclave interface. Another thing from Intel's developer guide, right? They had this functionality to allow you to specify variable-length inputs. Well, that's gone now, right? So, why are we trying to mimic these C-type interfaces across an interface that's just not compatible, or, well, compatible but not suitable for it, right?

So, I would say, you know, look somewhere else, right? If you look at network services, they are designed to work with untrusted inputs, right? Everyone has some web servers, and they're connected to the internet, and they have been for 30 years, and they're really focused on dealing with untrusted inputs. So, why not do the same, right? So, in the EDP, we just provide a byte stream abstraction. And then you can run any protocol you want on top of that, including TLS or not, right? You can run gRPC or HTTP or anything like that. And, you know, you might think that a reason for not running a full protocol like that is that parsing is hard. You know, we're in an enclave, we don't wanna deal with parsing issues.
But, you know, if you're using anything but C, parsing is actually easy, right? So, that's not a reason not to use it.

Okay. So, moving on to the threat model. You know, if you're talking about network services, this is what you can think of, right? You can basically get your remote compute infrastructure from anywhere. It doesn't matter, as long as they have the secure enclave capability; it runs on the server. You don't trust the administrator, you don't trust the server, right? So, this is like a cloud provider or anything. You trust, of course, the client and the user. And, for secure enclaves specifically, you know, we're not considering availability here. But you can, of course, get availability by deploying your things in a redundant fashion across multiple providers or something like that. So, the secure enclave is the network server. That is how you need to think about this here, right? So, you're not talking to a host that is running some server, but you're talking directly to the secure enclave, right?

So, how does that integrate with remote attestation? Well, easy, right? The client connects to the secure enclave. There's some protocol that you do where you verify, you know, is this the real software that I'm trying to run, and is it running on a legit platform? Something like that. And then you can move on. So, as a very first idea of how you would implement this, maybe you save the hash that you expect on the server side in your client program, and you verify that when you do this connection. This works, right? But now you really have an issue, because you can't do updates on the server side. And you need one client per service. Because the identity of the server is baked into the client, you need a different client all the time, right? So, we have the ability to verify the code identity on the server side, but how do we know which identity we want here? That's a big question.
But this is something that you can solve in a different way, right? So, like I said, it's a byte stream abstraction, so we can just use TLS. So, if we take a TLS private key and assign it to the enclave, and then make sure that the enclave never exposes this private key to the world, right? Then, if you are able to establish a secure channel and the enclave identifies itself using its private key, you know you're talking directly to the enclave, right? Because the secure enclave is the only one that has access to this key. So, you don't actually need to do a live remote attestation challenge if you use this scheme. The enclave can have its public key attested to once, and then you can rely on that going forward. And then you can just set up a standard TLS connection, right? So, this makes life a whole lot easier, because now you don't have to write your own custom protocols to do security and things like that.

So, similarly to how a standard TLS certificate binds a subject name to a TLS public key, you can use an attestation to bind the public key to a piece of software. So, now we have a binding all the way from subject name to the enclave, right? So, you can use this in your trust model. So, when you say, I'm going to a particular web service like mywebmail.com, okay? I know that, you know, mywebmail.com is actually running a particular piece of software. So, I hop through the certificate and then through the attestation, and you know exactly the server-side software that's running on mywebmail.com. So, you can't do something like the Lavabit thing, where the private keys leaked, or were ordered to be leaked, because the private key is not owned by a human, it's owned by the enclave. And you know that the software that you've written that's running in the enclave cannot, will not, release the private key, right?
So, when the enclave starts, you just check: do I have a valid private key? If not, I'll make one. Then, do I have a valid certificate? If not, you know, I'll put in a certificate signing request, and then, once I get the certificate, I can be a TLS server.

Okay, so that's the services part, and how you integrate services with enclaves. So then, talking about portability and ease of use: if you want to write and run an SGX enclave, all you need to do is write a simple Rust program, and I'll show you that in a bit. And that's because the Rust standard library upstream includes a back end for SGX that we wrote, and Rust has very good support for cross-compilation. So you can easily just install the standard library for this other target, compile for this SGX target, and now your program is able to run in an enclave.

Right, so a lot of people, or a lot of designs for using enclaves, make you think about splitting your application in halves: one half runs outside the enclave, one half runs inside. But, you know, then you need to write two pieces of software, so that's a lot of work. So because of the simple byte stream interface that, you know, I defined as the enclave interface, we only ever need to write the piece that runs outside the enclave once, and you can reuse that for all enclaves. Right, so this is just available; you can install that once and you can run all the enclaves. And this runner program is just in charge of shuttling traffic around between the outside world and the enclave, right? Because it's just forwarding a byte stream, right? So if you have a TCP listening server or something like that, right, that needs to run outside the enclave, it interacts with the OS to do that. When you get any connection, that gets passed through to the enclave, and the read and write operations are just passed directly through.
So it also means that, you know, this enclave is kind of independent of the operating system, right? Because it doesn't depend on anything. So you can use the same enclave on all OSes easily. Cool.

So, that was a bit of a whirlwind overview of, you know, the thoughts that I put into designing the system. So, yeah, you take SGX, you take Rust, you take a network service idea, you combine it, and that's what the Enclave Development Platform is. The website is edp.fortanix.com; you can download everything there. And there's a quick start guide and everything. So, in the future, we're gonna work on supporting SGX2 and other extensions that are upcoming. We're gonna do better support for asynchronous IO. So, Rust has very good support for asynchronous IO using futures, so that's gonna be supported soon. And I'm looking at adding some binary analysis tools so that, you know, once you've built the enclave, you can make sure that certain things got compiled correctly, to guard against miscompilations and programmer errors. Just again, to add another layer of security on top of this interface for the enclave.

Okay, so let's move to a quick demo. Here, one of the tools that is available is just, you know, checking if your system is configured correctly to run SGX, right? So it's the SGX detect tool, and it will just check everything. Do I have it enabled in the BIOS? Do I have the right system software installed? Do I have the driver? All that stuff. Then here, it looks like we're not running a piece that's needed on older systems. So, you know, Intel, I'll get to that in a bit. So we'll just start the software that's not running. And then if you run it again, you can see, okay, you know, I was able to launch enclaves. Good, you're good to go. So why do you need this AESM service? Well, on Intel processors before late 2018, there was actually DRM built into SGX, so you couldn't run your own software.
But that's all gone now. If you buy a new enough processor, you can run whatever enclave you want without Intel's whitelist.

Okay, so let's run some actual enclave code, right? So I'll just do a simple hello world demo here first, right? So I'll just write a standard Rust hello world. This is the standard thing you get when you first start a Rust project. Main function, print hello, okay, run it. So I just ran it for Linux. Cargo run, because I was running this on Linux, right? But now I'll just run it on SGX. So all I need to do is specify that I'm cross-compiling to a different target, the Fortanix SGX target. Run it, boom. Okay, so the command to print hello world to the screen here, that actually came from inside the enclave.

I'm sorry? Is the timing credible here? Is the timing... Did it really take a second to do all of that? Yeah, yeah, yeah. So this is really fast. In the next video, I have sped up the compilation a bit, but this is actually how fast it really is. Yeah.

Okay, so, well, this is just a hello world program. I told you I wanted to write network services. So let's do that, right? I'm gonna use the hyper library, which is a standard way... Sorry. Nope, I'm not using the Rocket library, which is a way to write web applications in Rust. And then, while I'm editing this file to add the Rocket dependency to my project, I'm also gonna configure that I want a certain number of threads. So in version one of SGX, there's a maximum number of threads that you have to specify at build time. Okay, so, yeah, in order to use Rocket, you need to enable some features in Rust. I'm gonna import the Rocket crate. A crate is basically what's called a library in other languages. So I'm just defining the /hello endpoint for my API, because we're doing hello world here. So instead of printing it to the screen, I'm just gonna return hello world as the output of my API here.
And then in my main function, I'm just gonna run the web server with this one endpoint here.

Yeah, no, it depends on what you do, right? So yeah, the question was, you don't need to use macro_use anymore. macro_use, you need it if you don't explicitly import the macro you're using with a use statement. So macro_use is like a blanket import of all macros from a Rust crate, yeah.

Okay, so it's compiled. Like I said, this was a little bit sped up, but you can see it's running on port 8000. And yeah, so that's it, right? We just built a web server, a web application, that's completely contained in the enclave, running inside an SGX enclave. Yeah.

So cargo, I think normally it will, so all these crates can be compiled in parallel, well, depending on how your dependency tree looks, right? So it will just fill up your CPUs. But sorry, so this was sped up because I don't want to wait here during my presentation for everything to compile.

That's just a JSON response? So this was actually doing a plain text response. So yeah, I was just returning a string. So in Rust, there's a difference between references and owned objects. So that's why that was there. I'll talk more about that later. Any other questions so far?

Yeah, well, I wouldn't necessarily call it serialization/deserialization, right? So there's a special calling convention that is defined, and that has a bunch of calls defined. So this is the full list of all the, what are called, usercalls, right? So when the enclave needs to call out, it needs to go to user space, so I call a usercall. And then you can forward that to the system, right? So this is the whole list of all the usercalls that are supported right now. And this is sufficient to build basically any network service. Yeah, so you have the standard primitives like read, write, and there's some networking stuff to open streams, and then some event management and some memory management. And then that's basically it.
Yeah, so the example that I just showed was unencrypted HTTP, right? So, depending on your security model, you might want to use HTTPS instead. But yeah.

Well, it depends, right? So when you're running a network server, you might, in addition to all the protected APIs that you want to do over TLS, have some management APIs like stop the server or something like that, right? So there's no security needed, because availability is out of scope, right? So that can just be given by anyone who has access to the host system. So then you could do that over HTTP instead of HTTPS, because, yeah, that doesn't really matter, right? But then you wouldn't want to expose that over the network, probably, right?

Yeah, you could use a reverse proxy, of course, but, you know, if you're planning on using TLS for security, right, you want the TLS connection to be terminated inside the enclave, because otherwise you can easily do a man-in-the-middle attack between the proxy and the enclave. Yeah.

Yeah, yeah, so there's a couple of different ways you can go about it. Oh, I'm sorry, I'll repeat the question. The question was: I showed a slide about issuing certificates; at certificate issuance time, do you need to do any complex validation? Yeah, so one approach you can take is that your CA is in charge of checking attestation. So then you need to make sure that when you get your certificate signing request, it contains an extension that also includes the attestation, which might include the public key, and you verify that the public key is the same as the public key in the certificate signing request, you verify the attestation, you verify that against the list of software that you trust or something like that, and then only then do you actually issue a certificate. That's one way you can do that.
There are other ways, where you can publish all the attestations in a public repository so that clients can go and check that in addition to checking the certificate. But yeah.

So, no, currently we don't really have any plans on having that kind of functionality as part of this project. Right, I mean, we do have the standard attestation primitives that you get from Intel SGX and how you can use those, and yeah, but no CA server or something like that. It depends on, yeah, I mean, it depends on how complex the policies you want are.

Yeah, so that's a good question. We have seen a lot of vulnerabilities. Oh yeah, sorry, you're right. Sorry, I'll repeat the question. Okay, so we're putting a private key inside the enclave. Given all the attacks we've seen on SGX, do you think it's reasonable to expect that you can actually keep the private key secure? Yeah, so there have been lots of attacks, but generally they've been able to be patched with microcode updates. Actually, there was some report earlier this week, the CacheOut attack, but if you go read the paper you can see that the researchers had hyperthreading enabled, which is no longer, kind of, if you use remote attestation with SGX, if you have hyperthreading enabled it will no longer pass remote attestation. So I believe that the attack that was shown last week doesn't actually work against the standard SGX environment anymore. But, to get back to your question, once an attack is discovered, of course you can leverage it to extract a private key. So SGX has this TCB recovery mechanism, where you need to basically update to the latest version of everything and then provision some new keys. So you can do the same thing here. So you need to use short-lived certificates, but that's already standard practice these days. So if you use Let's Encrypt or something like that, you know that if you keep patching everything within three months, you'll have a valid certificate again for the latest updates.
So yes, somehow, right? So the microcode version is checked as part of remote attestation, right? So as long as you know that you have a new enough remote attestation that is valid, then you know you were on a new enough microcode. So you need to, yeah, so you just need to get a new TLS private key and then you're good. So, right, you need to build somewhere in your trust verification mechanism a way to ensure that the attestation that was used for this private key is not too old. Sorry, I forgot to repeat the question, but I think it might have been clear from context. Okay, yeah, go.

Possibly. So currently there's not a lot of off-the-shelf hardware available with security capabilities as good as SGX, right? So SGX gives you integrity-protected memory encryption, so you really only have to trust the one CPU chip and not the rest of the motherboard and the supply chain and everything. It gives you multiplexing, right? So multiple secure enclaves that are isolated from each other as well. And yeah, so if you look at other technologies like TrustZone or the recently announced AMD SEV-SNP, you just don't quite get there yet. But once it makes sense to support new cool technologies that are probably gonna come out, yeah, I'll definitely look at it, right? So the goal is to do the same thing, right? Where we just run the same code in the enclave and have a small proxy, yeah, just to run the same thing. Yeah, so sorry, the question was: are we gonna support other enclave technologies?

Okay, so, am I doing on time? Five minutes, okay. So I'm just gonna show real quick the next step, right? I just showed a very simple API, but now I want to do some JSON computation type of thing. So I'm gonna add some dependencies on serde. serde is Rust's serialization/deserialization framework.
It's, I would say, the best way to serialize data in any language; it works really conveniently and easily. It interacts very well with the type system. So yeah, I'm just gonna import these extra crates that I added as dependencies, and then I'm gonna define a type. I'm gonna import some more stuff. Yeah, so I'm going to define a type that implements Deserialize, right? So I'll be able to turn JSON into this type. The type is called TwoVectors, which means it's gonna hold two vectors in the mathematical sense, because the function I'm gonna implement is the dot product, right? So I'm gonna pass in two vectors in JSON, and then compute the dot product and output it again. So, oh, sorry, I meant cross product.

All right, so I just have to define the API here. So the previous API was at /hello. This one is at /cross. As input, I'm gonna take this JSON value of type TwoVectors, and I'm gonna output a JSON value again, and then I just need to get these two values, A and B, from the input, compute the cross product, and then send that back to the client. So this is gonna be maybe another 10 lines of code or so. So here I need to figure out what the right elements are to multiply. Don't worry, I'm coming back to change the indices. And last thing, I just need to add the API to the list of APIs that my web server supports. Save, quit, compile, run.

Okay, so yeah, I'm just running the component arrest. Normally on my laptop, this takes about five minutes, so yeah, but here we're on presentation time. So yeah, I mean, here again, I'm just running the API with some input data, and then we'll see that it works. You know, a defensive security demo is always so boring, because it's just, you know, you just show that something is working. Yeah, well, there we go. The cross product of (1, 2, 3) and (4, 5, 6) is (-3, 6, -3). Computed inside an enclave.
So if you had a more sensitive computation where you wanted to be sure that it was correct, and you couldn't do it on the client, you might use this.

Sorry, can you repeat the question? Oh, okay. The question is, why shouldn't we use this? This framework is very big, and you shouldn't use it because of that. So, you know, you have to make certain trade-offs when you're building security software. I think here letting the programmer use primitives that are familiar to them lets them build software in a more common way, right? So that makes it more accessible to people. So people, you know, might have some familiarity with building a web service with an API that is somewhat secure, and this just lets them do that. Yeah, you get a slightly larger TCB, but I think that's countered by using the Rust language and having a very well-defined interface that is very small and interpretable. Any other questions?

Oh, yeah, so in terms of future developments, I mentioned support for upcoming features in SGX and Rust, and binary analysis, already. In the future, we might support different platforms when those have, you know, grown up to be as good as SGX, and yeah.

Okay, yes. So, should there be other ones? Yes, there should be. I assume that there should be a process in place and software support for that. You can get in touch with the Rust community and you, or similar people, to have abstractions in place for that update. Is there a process for that, or is it just gonna be like the usual? Okay, so the question is, if there are, you know, new architectures that want similar support for this type of enclave in Rust, how should they go about doing that? Yeah, so the Rust community is basically just pull-request based. There's no consortium or anything about it? No, no, no. So currently, yeah, in Rust, if you want to add a new target, they're super flexible about it.
You know, maybe once the target list grows to 100, they'll put a bigger process in place, but right now it's just, yeah, you send a pull request. If you need any help or advice on building a new target that is similar to this, I'm happy to help. There's a Slack channel that I'm generally available on; you can find the link on our website. So this is a Slack channel for SGX experts and things like that. So yeah, thank you, thank you.
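As an added illustration, not code from the talk or from Fortanix EDP, here is the CA-side check described in the Q&A: the certificate signing request carries an attestation that binds the enclave's TLS public key to its software identity and platform TCB level, and the CA issues a short-lived certificate only if every binding holds. The quote signature is simulated with HMAC under a constructed key, and the field names, policy values and sample key are all assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the quote signing key. A real CA would verify the
# quote through the platform vendor's attestation service, not a shared secret.
PLATFORM_KEY = b"constructed-attestation-signing-key"


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def sign_quote(mrenclave: str, tcb_level: int, pubkey_hex: str, issued: datetime) -> dict:
    """Simulate the enclave producing a quote whose report data commits to its TLS key."""
    body = {
        "mrenclave": mrenclave,      # software identity (assumed field name)
        "tcb_level": tcb_level,      # platform / microcode level (assumed field name)
        "report_data": hashlib.sha256(bytes.fromhex(pubkey_hex)).hexdigest(),
        "issued": issued.isoformat(),
    }
    sig = hmac.new(PLATFORM_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def quote_signature_valid(quote: dict) -> bool:
    body = {k: v for k, v in quote.items() if k != "sig"}
    expected = hmac.new(PLATFORM_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(quote.get("sig", "")))


@dataclass(frozen=True)
class Policy:
    trusted_mrenclave: frozenset   # allowlist of software identities
    min_tcb_level: int             # reject platforms that have not done TCB recovery
    max_quote_age: timedelta       # attestation freshness bound
    cert_lifetime: timedelta       # short-lived certificates, as in the talk


def check_csr(csr: dict, policy: Policy, now: datetime) -> tuple:
    """Return (accepted, reason) for {"subject": ..., "pubkey": hex, "attestation": quote}."""
    quote = csr.get("attestation")
    if not isinstance(quote, dict) or not quote_signature_valid(quote):
        return False, "attestation missing or signature invalid"
    if quote["mrenclave"] not in policy.trusted_mrenclave:
        return False, "software identity not trusted"
    if quote["tcb_level"] < policy.min_tcb_level:
        return False, "platform TCB too old"
    if now - datetime.fromisoformat(quote["issued"]) > policy.max_quote_age:
        return False, "attestation too old"
    # The key the enclave attested to must be exactly the key in the CSR.
    if quote["report_data"] != hashlib.sha256(bytes.fromhex(csr["pubkey"])).hexdigest():
        return False, "attested key does not match CSR key"
    return True, "ok"


def issue_certificate(csr: dict, policy: Policy, now: datetime):
    """Return a toy certificate dict, or None if the CSR fails policy."""
    accepted, _reason = check_csr(csr, policy, now)
    if not accepted:
        return None
    return {"subject": csr["subject"], "pubkey": csr["pubkey"],
            "not_after": (now + policy.cert_lifetime).isoformat()}


# Constructed sample data: fixed clock, placeholder key, one-entry allowlist.
NOW = datetime(2020, 2, 1, tzinfo=timezone.utc)
SAMPLE_KEY = "aa" * 32
POLICY = Policy(frozenset({"mrenclave-webmail-v3"}), 5, timedelta(days=1), timedelta(days=90))


def sample_csr(pubkey_hex=SAMPLE_KEY, mrenclave="mrenclave-webmail-v3",
               tcb_level=6, issued=NOW - timedelta(hours=1)) -> dict:
    return {"subject": "mywebmail.com", "pubkey": pubkey_hex,
            "attestation": sign_quote(mrenclave, tcb_level, pubkey_hex, issued)}


if __name__ == "__main__":
    print(check_csr(sample_csr(), POLICY, NOW))
```

Running the module prints `(True, 'ok')`; substituting a different public key into the CSR while keeping the original attestation makes the report-data check fail, which is the binding that stops a host from smuggling its own key under the enclave's attestation.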