Beruflich Dokumente
Kultur Dokumente
1
FACULTY OF AUTOMATION AND COMPUTER SCIENCE
COMPUTER SCIENCE DEPARTMENT
The technical approach is based on Intel® Security Guard Extensions which has the
capability to execute code and process data in an isolated environment. This means that it is
able take as input encrypted data (in this case students' reviews), decrypt it, and provide as
output the result that will be passed to teachers without permitting anyone to observe the
intermediate steps. Also, in order to assure students that the feedback they provide is indeed
processed using the Intel® SGX on a machine that belongs to the expected entity (in this case
Technical University of Cluj-Napoca), attestation functionality is provided by the platform in
conjunction with the attestation service provided by Intel®.
3. Related Work
Since Intel Security Guard Extensions[1] was made available in 2015 with the 6th
generation of Intel CPUs, several projects were developed based on it. Also several articles
and papers demonstrating its usage and benefits, but also its flaws were made available. Some
of these are:
The Intel white paper presented back in 2013[2]. It addresses the need for such
technology and mainly discusses details concerning enclave attestation and sealing
techniques.
In [3], the author explains the processes involved in attestation of the enclave. He also
introduces the Intel Attestation Verification Service which can be used to attest the
authenticity of an enclave. The service is based on Intel Enhanced Privacy ID (EPID).
The paper outlines the services infrastructure Intel has constructed to support the
initial implementations of the Intel R SGX technology.
The white paper [4] presents a memory encryption engine design - the one being used
by SGX capable processors to encrypt the EPC. The base of the engine is described in
detail and consists of the following: an integrity tree, the cryptographic primitives that
realize the encryption, the Message Authentication Code (MAC), and the anti-replay
mechanism. The authors also discuss possible attacks and how the presented model is
able to avoid them.
[5] is a graduate thesis that thoroughly explains the Intel SGX technology. It covers
everything the technology has to offer in detail and discusses possible flaws of it. One
of them is concerning the Intel's attestation model and it is also discussed in [6]. Also
a big concern expressed in both references is regarding the power Intel has in the
attestation process since this requires a software licensing.
2
FACULTY OF AUTOMATION AND COMPUTER SCIENCE
COMPUTER SCIENCE DEPARTMENT
4. Needed Resources
For the development of this project we use of the following resources:
Intel® Security Guard Extensions for building the trusted environment of the platform
IntelliJ IDEA – the Java IDE for building the backend
Spring Boot – useful framework for any Java application
AngularJS – used for building the frontend
REST – the API exposed by the backend is based on this architectural style
MySQL – relational database management system
OpenSSL – cryptography and SSL/TLS toolkit. Used to generate RSA keys (the
private key is stored in the enclave while the public one is used by the client
application) and to create self-signed certificates which were used in the remote
attestation process
5. Expected results
The resulting platform should provide the complete functionality required to cover the
entire review process. With the help of Intel Security Guard Extensions and all the used
technologies, unnecessary work like generating and distributing access codes can be eliminated
which leads to a highly streamlined usage. This will most likely attract more students to provide
feedback and maybe even become more interested in what the university has to offer.
6. Project Timeline
Week(s) To do
1 oct – 7 oct First discussion with supervisor. Choosing the project subject
8 oct – 23 dec Study the technology. Bibliographic study
7 jan – 10 feb = session =
11 feb – 24 feb Install the required software. Run some examples
25 feb – 3 mar Establishing the requirements (main objectives)
4 mar – 24 mar Enclave implementation
25 mar – 14 apr Development of the backend. Integration of enclave in the server
application
15 apr – 21 apr Development of the frontend
22 apr – 28 apr Login attestation
29 apr – 5 may Fine tuning and testing
5 may – 2 jun Writing the documentation
3
FACULTY OF AUTOMATION AND COMPUTER SCIENCE
COMPUTER SCIENCE DEPARTMENT
7. Contents
1. Introduction (Context, Motivation, Technical Approach)
2. Project Objectives and Specification
3. Bibliographic Study (Related Work, Technologies)
4. Theoretical Background (Intel® SGX)
5. Analysis and Design (General architecture, Use cases, Algorithms, Database)
6. Implementation Details(Enclave, Back-end, Front-end)
7. Tests and Results
8. User Manual
9. Conclusions
10. Bibliography
8. Bibliography
[1] “Intel SGX”, https://software.intel.com/en-us/sgx
[2] I. Anati, S. Gueron, S. P. Johnson, and V. R. Scarlata, “Innovative technology for CPU
based attestation and sealing”, https://software.intel.com/en-us/articles/innovative-
technology-for-cpu-based-attestation-and-sealing , 2013.
[3] S. Johnson, V. Scarlata, C. Rozas, E. Brickell, and F. Mckeen, “Intel SGX: Epid
provisioning and attestation services”, https://software.intel.com/en-us/download/intel-sgx-
intel-epid-provisioning-and-attestation-services , 2016.
[4] S. Gueron, “A memory encryption engine suitable for general purpose processors”,
https://eprint.iacr.org/2016/204.pdf, 2016.
[5] V. Costan and S. Devadas, “Intel SGX Explained”, https://eprint.iacr.org/2016/086.pdf .
[6] R. Chirgwin, “Intel's SGX security extensions: Secure until you look at
the detail”,
https://www.theregister.co.uk/2016/02/01/sgx_secure_until_you_look_at_the_detail, 2016.