initc3 / auditee Goto Github PK
View Code? Open in Web Editor NEWTool to verify the reproducibility of SGX enclave builds
Home Page: https://auditee.readthedocs.io
License: GNU General Public License v3.0
Tool to verify the reproducibility of SGX enclave builds
Home Page: https://auditee.readthedocs.io
License: GNU General Public License v3.0
See https://github.com/mobilecoinfoundation/mobilecoin/blob/master/consensus/service/BUILD.md#build.
Provide signed enclave, and ias report, like in the case of the hash machine example.
From https://api.trustedservices.intel.com/documents/sgx-attestation-api-spec.pdf:
4.2.2 Report Signature
The Attestation Verification Report is cryptographically signed by Report Signing Key (owned by the Attestation Service) using the RSA-SHA256 algorithm. The signature is calculated over the entire body of the HTTP response. Base 64-encoded signature is then returned in a custom HTTP response header
X-IASReport-Signature
. To verify the signature over the report, you should the following steps:
- Decode and verify the Report Signing Certificate Chain that was sent together with the report (see Report Signing Certificate Chain for details). Verify that the chain is rooted in a trusted Attestation Report Signing CA Certificate (available to download [from Development (DEV) attestation service portal] upon successful registration to IAS).
- Optionally, verify that the certificates in the chain have not been revoked (using CRLs indicated in the certificates)
- Verify the signature over the report using Attestation Report Signing Certificate.
4.2.3 Report Signing Certificate Chain
The public part of Report Key is distributed in the form of an x.509 digital certificate called Attestation Report Signing Certificate. It is a leaf certificate issued by the Attestation Report Signing CA Certificate:
- Attestation Report Signing CA Certificate:
CN=Intel SGX Attestation Report Signing CA, O=Intel Corporation, L=Santa Clara, ST=CA, C=US
- Attestation Report Signing Certificate:
CN=Intel SGX Attestation Report Signing, O=Intel Corporation, L=Santa Clara, ST=CA, C=US
A PEM-encoded certificate chain consisting of Attestation Report Signing Certificate and Attestation Report Signing CA Certificate is returned in a custom HTTP response header
X-IASReport-Signing-Certificate
.
The attestation report root CA certificate can be obtained at https://api.portal.trustedservices.intel.com/EPID-attestation. Look for the line:
See example (C++): https://github.com/hyperledger-labs/private-data-objects/blob/04d6b93737bc2c0446d292a028087ef4fb365ca7/common/crypto/verify_ias_report/verify-report.cpp
If using Python, some options are:
Rough sketch of the interface:
# check that an IAS report corresponds to the expected source code
auditee --check-mrenclave --ias-report <ias-report-json> --src-url <src-code>
auditee --check-mrenclave --ias-report <ias-report-json> --src-path <src-path>
auditee --check-mrenclave --ias-report <ias-report-json> --nix-file <nix-file>
# check that the signed enclave binary corresponds to the expected source code
auditee --check-mrenclave --signed-enclave <signed-enclave> --src-url <src-code>
auditee --check-mrenclave --signed-enclave <signed-enclave> --src-path <src-path>
auditee --check-mrenclave --signed-enclave <signed-enclave> --nix-file <nix-file>
Check whether an IAS report corresponds to some given source code, identified via its URL.
auditee --check-mrenclave --ias-report ias-report.json --src-url https://github.com/sbellem/sgx-iot
Check whether a signed enclave binary corresponds to the expected source code, identified via its URL.
auditee --check-mrenclave --signed-enclave enclave.signed.so --src-url https://github.com/sbellem/sgx-iot
Currently, everything is done within a docker image, as a base image with a nix package for the sgx sdk is already installed, and prebuilt, to save time. However, we now used cached prebuilts hosted on cachix, and nix derivation to build enclaves can be written to fetch from a github archive (tarball), and if the local nix installation is configured to use the cache, the sgx sdk will not be re-built (which could take more than 2 hours), but instead fetched from the cache.
The --file
option is not supported in newer versions. See the changelog to know what to change. Currently, since python-on-whales is not pinned, the verify_mrenclave()
function fails.
In the meantime pin python-on-whales
to a working version, such 0.17.1
.
The example sgx-hashmachine involves hashing a string a billion times in an enclave and putting the result in the REPORT DATA of a quote for a remote attestation report.
Since computing the hash billion times is a bit annoying as it takes about 10 minutes, this example may be well suited to show that as an alternative to perform the computation oneself in order to verify that the resulting final hash is correct, knowing the initial string, one may instead "trust" Intel and the remote attestation process, etc.
This is a dummy example to demonstrate how one could gain trust in remote computations that are outsourced to cloud services. In other words, if the remote computations are performed in enclaves that are remotely attested, then one can be somewhat certain that the computations were done according to some known source code. How can one be certain that the deployed and remotely attested enclave was built from some source code? That is the purpose of this example, to show how the auditee tool can be used to automate this verification.
One way to ensure that the input data was not tampered with is to put a hash of it in the REPORT DATA of a remote attestation.
See Intel SGX explained paper for why this is important.
When verifying the reproducibility of an enclave build, the file path to the source code must be passed. In addition to the file path, support also a URL, from which the source code can clone or downloaded. As a first iteration, support cloning with git. Note that it is somewhat redundant to do this because the nix
derivation also fetches from a (GitHub) URL. So, we'd be fetching the code twice: once to be able to read the .enclavehub.yml
, and second, to be able to build the source code.
From https://edp.fortanix.com/docs/concepts/sgx/
Also, if your enclave stores more than one sealed blob, the service may perform a partial rollback attack by returning different versions of different blobs. One possible defense against this attack is to track the integrity of all blobs as a whole, for example with a Merkle tree.
auditee mrenclave --help
Traceback (most recent call last):
File "/usr/local/bin/auditee", line 5, in <module>
from auditee import main
ImportError: cannot import name 'main' from 'auditee' (/usr/local/lib/python3.9/site-packages/auditee/__init__.py)
When attempting to reproduce an enclave build, the SGX SDK version used must match the one used to sign that build.
How can we be sure that the trusted source code was correctly compiled? How can we be sure that the enclave binary is a correct compilation of the source code, and thus preserves the properties which are trusted?
Remote attestation allows a user to gain trust that a remote computer is running the expected source code, on genuine and up-to-date hardware. When an enclave binary is loaded in the protected memory region, a measurement is performed, which yields a cryptographic hash, known as MRENCLAVE
. This hash uniquely identifies the loaded code, and is included in the remote attestation report. A verifier can consequently compare the MRENCLAVE
in the report with the trusted MRENCLAVE
. The trusted MRENCLAVE
can be established by using a toolchain to build the enclave binary from the trusted source code, and simulating the measurement with Intel's sgx sign tool which will yield a data structure known as SIGSTRUCT
, which contains the MRENCLAVE
. The verifier and enclave developer must agree on the toolchain in the sense that the toolchain must yield reproducible builds, meaning that building the enclave binary from the same source code should yield the exact same MRENCLAVE
.
The toolchain proposed by linux-sgx and auditee
use nix
as it provides strong reproducibility guarantees. However, the fact that a build is reproducible does not guarantee that it was correctly compiled, meaning that the compiler did not introduce some kind of deviations from the source code such that although one may trust the source code, one would not trust its "faulty" binary
representation.
Hence, the question: "How can we make sure that the compiler used was not faulty?"
For a somewhat detailed idea of what this is about see section 3.1 and more particularly subsection Translation validation in https://sel4.systems/About/seL4-whitepaper.pdf:
In addition to taking a json file as an argument, also accept a dict
instead of a file. This is useful when using programmatically.
Given the following inputs:
Enclave.signed.so
,ouput:
Resources:
Rough outline of steps:
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.