Slashdot Mirror


Google Releases Open Source Framework For Building 'Enclaved' Apps For Cloud (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Today, Google is releasing an open source framework for the development of "confidential computing" cloud applications -- a software development kit that will allow developers to build secure applications that run across multiple cloud architectures even in shared (and not necessarily trusted) environments. The framework, called Asylo, is currently experimental but could eventually make it possible for developers to address some of the most basic concerns about running applications in any multi-tenant environment. Container systems like Docker and Kubernetes are designed largely to allow untrusted applications to run without exposing the underlying operating system to badness. Asylo (Greek for "safe place") aims to solve the opposite problem -- allowing absolutely trusted applications to run in "Trusted Execution Environments" (TEEs), which are specialized execution environments that act as enclaves and protect applications from attacks on the underlying platform they run on.

21 comments

  1. I read that... by b0s0z0ku · · Score: 4, Funny

    I read that as "enslaved" at first. Which is a good metaphor for the cloud: your data, held hostage on someone else's computer.

    1. Re:I read that... by Anonymous Coward · · Score: 0

      Also, "Google" and "confidential" in the same sentence. I LOLed.

    2. Re:I read that... by Anonymous Coward · · Score: 0

      This might also be useful for running encryption stuff on your own computer if you want to ensure that things like logging cannot be done to passwords/encryption keys.

  2. sounds absolutely fascinating! by rogoshen1 · · Score: 3, Insightful

    i'm exceedingly interested in trying this out for a few months until google pulls the plug and discontinues it.

  3. "Docker and Kubernetes" by greenwow · · Score: 2

    Which are less secure than true vms. There's a reason companies that care about security use real vms instead.

    1. Re:"Docker and Kubernetes" by Anonymous Coward · · Score: 0

      But no one ever screws up. /s

    2. Re:"Docker and Kubernetes" by llamalad · · Score: 3, Informative

      Which companies are these? And are they hiring?

      Everywhere I look it seems like I only see shops that are drinking the kubernetes Kool Aid.

    3. Re:"Docker and Kubernetes" by K. S. Kyosuke · · Score: 1

      So VMS is more alive than BSD?

      --
      Ezekiel 23:20
    4. Re:"Docker and Kubernetes" by Anonymous Coward · · Score: 0

      Netcraft confirmed that.

    5. Re:"Docker and Kubernetes" by Anonymous Coward · · Score: 0

      "that care about security"

      Aren't using IaaS like AWS or Digital Ocean.

      If it's on-prem, it matters less what you use.

    6. Re:"Docker and Kubernetes" by phantomfive · · Score: 2

      Yeah, Docker is built for running trusted software, not untrusted software.

      If you want to run untrusted software, VMware was designed for that.......but doesn't do a great job. If you're running Linux, it's not hard to set up your own container. If you're using BSD, you can set up a jail.

      --
      "First they came for the slanderers and i said nothing."
    7. Re:"Docker and Kubernetes" by phantomfive · · Score: 1, Informative

      When I see a company that is deploying docker containers on AWS, I see a company that has a shitty build system. They can't write simple scripts to install software (and the key is to keep them simple).

      This is especially true because on AWS you already start with images in a known state, you don't have a lot of special cases here (which would be the case if you were deploying to end-user desktop machines). I guess most programmers have trouble figuring stuff out or something.

      --
      "First they came for the slanderers and i said nothing."
    8. Re:"Docker and Kubernetes" by Anonymous Coward · · Score: 0

      I disagree with your contention that using Docker means that one’s build system sucks.

      I think it takes a rather mature build system in order to deploy Docker-hosted applications properly. Perhaps the key is “properly.” When done properly, you can get yourself as close as possible to the “identical dev, test, and prod environments” ideal that most teams strive for.

      It gives you great flexibility on the deployment platform, too. Build on Ubuntu, deploy to Debian, CentOS, or whatever. You let docker understand the differences between the host environments and give you an identical internal environment within the deployed container.

      I wouldn’t want to run my Docker images on the same bare metal or VM as some other untrusted, unknown vendor or developer, of course, “just in case.” But these days, CPUs are leaking all of your secrets to everyone else on the box anyway, so, perhaps all VM security is an illusion as well.

      But you don’t use Docker for security. You use it for reproducibility and deployment convenience.

    9. Re: "Docker and Kubernetes" by phantomfive · · Score: 1

      Yeah, I still think your build and deploy process sucks. If it can't handle minor differences in environment it's too fragile.

      --
      "First they came for the slanderers and i said nothing."
  4. Congratulations, you just invented... by Anonymous Coward · · Score: 0

    ....you just invented Java!

  5. Google is evil by Anonymous Coward · · Score: 0

    Tracking id that they have built into a standard for malware protection

    Sudden discontinuation of promoted products

    Changes in access policy and price structures after adoption

    The raping of YouTube content makers

    and on and on and on

    Google needs to be disassembled like Bell was

  6. Intel's enclave. by Anonymous Coward · · Score: 0

    How's this software solution any better than Intel's hardware solution?

  7. On a similar note... by Anonymous Coward · · Score: 0

    Google releasing a framework for "confidential cloud" software? On a similar note, an industry consortium of wolves have announced a secure highway for chickens.

  8. How Will Google Be Able To Collect Your Data? by Anonymous Coward · · Score: 0

    If when using their "confidential cloud"?

  9. I should probably be more careful what I smoke. by Hognoxious · · Score: 1

    That kind of got me thinking. What would happen if Netcraft died?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  10. Opensource DRM is still defective by design by ezdiy · · Score: 1

    Google has realized they need to get back their control over Android, and DRM is their golden ticket. So what is TEE and pals?

    Each CPU has a burned in public key. A publisher can encrypt binary specifically for the public key of yours, and such a blob will run only and only on a CPU with burned in private key, like sort of smartcard on steroids. This can be paired with remote attestation and what not, but it's no different from, say, CPU, acting as your SIM card (which is actually one of such use cases). In smart card industry we call this a "secure element".

    While not "mandatory" now, it starts to creep in. The google safenet feature which uses this can now attest to applications whether the device supports TEE or not, and vendors slowly nudge into buying DRM capable devices through planned obsolescence.

    Can this be broken? Of course, this isn't legit ZK computing with actual grounds in cryptography. It's semantically no different from a smart card, and you can dump your private key with enough effort. Needless to say, if you distribute a jailbreak consisting of emulator for a key of some CPU, the simcard will be promptly blacklisted and all "cloud" features cease to function (ie works only to fool applications which stay offline).

    Why is that bad? The computer is no longer yours. Jailbreaks become pretty much infeasible and you have zero control over what's running on your device, only the CPU vendor has full control over "ring -2". A perfect walled garden, and ranchers have the perfect cattle marking stamps too.
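
The remote attestation and key blacklisting that the last comment describes, sketched as an added example that is not part of the thread and is not Asylo code: a simulated device signs the hash of its loaded code plus the verifier's nonce with a per-device Ed25519 key, and the verifier rejects unknown or revoked keys, modified code and replayed quotes. The names `Quote`, `MakeQuote` and `Verifier`, the seed-derived key and the signed-message layout are assumptions made for illustration; real TEEs use vendor-specific quote formats.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Quote is what the simulated TEE hands to a remote verifier.
type Quote struct {
	DeviceKey   ed25519.PublicKey // public half of the per-device key
	Measurement [32]byte          // SHA-256 of the code loaded in the enclave
	Sig         []byte            // device signature over measurement || nonce
}

// MakeQuote plays the hardware; the device key is constructed from a seed byte.
func MakeQuote(seed byte, code, nonce []byte) Quote {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	m := sha256.Sum256(code)
	sig := ed25519.Sign(priv, append(m[:], nonce...))
	return Quote{priv.Public().(ed25519.PublicKey), m, sig}
}

// Verifier is the remote service; Check takes the nonce it issued itself.
type Verifier struct {
	Devices  map[string]bool // vendor-endorsed keys; false once revoked
	Expected [32]byte        // measurement of the approved binary
}

func (v Verifier) Check(q Quote, nonce []byte) error {
	switch {
	case !v.Devices[string(q.DeviceKey)]:
		return errors.New("device key unknown or revoked")
	case q.Measurement != v.Expected:
		return errors.New("unexpected code measurement")
	case !ed25519.Verify(q.DeviceKey, append(q.Measurement[:], nonce...), q.Sig):
		return errors.New("bad signature or stale nonce")
	}
	return nil
}

func main() {
	q := MakeQuote(1, []byte("approved-app"), []byte("nonce-1"))
	v := Verifier{map[string]bool{string(q.DeviceKey): true}, q.Measurement}
	fmt.Println("genuine device:", v.Check(q, []byte("nonce-1")))
	v.Devices[string(q.DeviceKey)] = false // key extracted and leaked: revoked
	fmt.Println("after revocation:", v.Check(q, []byte("nonce-1")))
}
```

Once the key is marked revoked, even a correctly signed quote for the approved binary is refused, which is why an emulator built around an extracted key only works against software that never contacts the verifier.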