This is a research project aims to solve the cold start problem without sacrificing the security by creating a method to securely reuse the enclave. The paper is accepted to 2023 USENIX Security Symposium. You can download the paper here.
This repository is a guide to build and use each component of this project. The project involves 6 other projects:
- Apache OpenWhisk
- Intel SGX SDK
- WOW
- LLVM
- WAMR
- DCAP end-to-end encryption infrastructure
All implementations except for existing code bases (Intel SGX SDK, OpenWhisk, WOW, WAMR, etc.) were written and debugged by NSKernel.
This project itself is opensourced under GPLv2. See LICENSE.
Copyright (C) 2022 NSKernel and OSU SecLab.
- Apache OpenWhisk is licnesed under Apache 2.0 License.
- Intel SGX SDK is licensed under GPLv2.
- WOW did not indicate its license.
- LLVM is licensed under Apache 2.0 License with LLVM exceptions.
- WAMR is licensed under Apache 2.0 License.
This project is very complicated and I strongly encourage you to have background knowledge of each of the components before you try to build and use the project.
Disclaimer: THERE IS NO WARRANTY TO THE SOFTWARE. THE SOFTWARE IS NOT BUG FREE AND MAY CAUSE DAMANGE TO YOUR SYSTEM. UNDER NO CIRCUMSTANCES SHALL THE AUTHORS OF THE SOFTWARE BE RESPONSIBILE TO ANY DAMANGE OR LOSS DUE TO THE USE OF THE SOFTWARE.
Clone the modified LLVM
git clone https://github.com/NSKernel/llvm-reusable-enclaves.git
Build the LLVM
cd llvm-reusable-enclaves
mkdir build
cd build
cmake -DLLVM_ENABLE_PROJECTS=clang -G "Unix Makefiles" ../llvm
make
Download and build a regular Intel SGX SDK's PSW part
https://github.com/intel/linux-sgx.git
cd linux-sgx
git reset --hard 8abc6dd8cb44e3cef8294c508e77803ffeb8ed12
make preparation
make deb_psw_pkg
Install the built debs.
Clone the modified Intel SGX SDK
git clone https://github.com/NSKernel/linux-sgx-san.git
Prepare the building
cd linux-sgx-san
# Follow the SDK's instruction to prepare the build
Manually build the IPP crypto library using our toolchain
cd external/ippcp_internal
Modify the Makefile to use our toolchain modifying line 81 into
cd $(IPP_SOURCE) && CC='your/llvm/build/bin/clang' CXX='your/llvm/build/bin/clang++' $(PRE_CONFIG) cmake CMakeLists.txt $(IPP_CONFIG) && cd build && make ippcp_s -j14
Build IPP crypto
make ipp_source
make
Copy sgx_ippcp.h to the inc folder
cp ~/linux-sgx/external/ippcp_internal/inc/sgx_ippcp.h ~/linux-sgx-san/external/ippcp_internal/inc/
Build the SDK
cd linux-sgx-san
CC='your/llvm/build/bin/clang' CXX='your/llvm/build/bin/clang++' make sdk_install_pkg
Install the SDK and setup the environment
cd linux/installer/bin/
./sgx_linux_x64_sdk*
source sgxsdk/environment
Note that you will have to clone a clean Intel SGX SDK and build its PSW using regular GCC. You will need to install that PSW.
Clone the WOW project
git clone https://github.com/NSKernel/wow.git
Clone the WAMR into wamr-sys
cd wow/wamr-sys
git clone https://github.com/NSKernel/wasm-micro-runtime.git
cd ..
Edit wasm-micro-runtime/core/shared/platform/linux-sgx/Enclave-san /Makefile's SGX_ENCLAVE_SIGNER and SGX_EDGER8R into your vanilla SGX SDK's corresponding one. Edit TCC and TCXX into your built LLVM.
Build WOW and WAMR
cargo build --manifest-path ./ow-executor-san/Cargo.toml --release --features wamr_rt
Copy the built enclave to the executor path
cp wamr-sys/wasm-micro-runtime/core/shared/platform/linux-sgx/Enclave-san/enclave.signed.so target/release/
Following the WOW's README,
cargo build --manifest-path ./ow-wasm-action/Cargo.toml --release --example add --target wasm32-wasi --no-default-features --features wasm
Clone the project
git clone https://github.com/NSKernel/reusable-enclaves-dcap.git
Use your vanilla SGX SDK to build the project
cd reusable-enclaves-dcap
make
Clone the OpenWhisk
git clone https://github.com/NSKernel/openwhisk-reusable-enclaves.git
Launch OpenWhisk
./gradlew core:standalone:bootRun
New terminal 1:
cd reusable-enclaves-dcap/bin
./gatewayapp
New terminal 2:
cd reusable-enclaves-dcap/bin
./service_provider
In the prompt, enter the compiled WASM file to encrypt (e.g., target/wasm32-wasi/release/examples/add.wasm)
New terminal 3:
cd wow
./target/release/executor-san
After attestation, when you see this
process ECDH message 2 success
Type 1 in your terminal and press Enter. You should see
DEBUG: snapshot
Done initialising
Now proceeding
Listening on: 127.0.0.1:9000
New terminal 4: Zip the encrypted WASM file
zip add.zip target/wasm32-wasi/release/examples/add.wasm.enc
Use WSK to execute the zip file following WOW's README.
Note that there is no graceful exit for the executor. You can issue a SIGKILL to it.
cd wow/wamr-sys/wasm-micro-runtime/wamr-compiler
mkdir build
Edit the CMakeLists.txt's Line 115's LLVM path into your LLVM. Then build the WAMR compiler
cd build
cmake ../
make
cd wow/wamr-sys/wasm-micro-runtime/wamr-compiler/build/
./wamrc target/wasm32-wasi/release/examples/add.wasm -o target/wasm32-wasi/release/examples/add.aot
Go back to Step 8 and follow it except for changing add.wasm into add.aot.