SGX-LKL is a library OS designed to run unmodified Linux binaries inside SGX enclaves. It uses the Linux Kernel Library (LKL) (https://github.com/lkl/linux) to provide mature system support for complex applications within the enclave. A modified version of musl (https://www.musl-libc.org) is used as C standard library implementation. SGX-LKL has support for in-enclave user-level threading, signal handling, and paging. System calls are handled within the enclave by LKL when possible, and asynchronous system call support is provided for the subset of system calls that require direct access to external resources and are therefore processed by the host OS. The goal of SGX-LKL is to provide system support for complex applications and managed runtimes such as the JVM with minimal or no modifications and minimal reliance on the host OS. The library is available on GitHub here
Various components and modules have been contributed to the Eclipse Vert.x project and its ecosystem. More contributes are planned in the remaining year.
The secure event bus using SSL has been contributed to Vert.x Core and is available in Vert.x 3.2.1+. Documentation is available here
A Zookeeper cluster manager has been developed and is now part of the Vert.x ecosystem. Documentation is available here. This module is in technical preview as many improvements have been planed.
The circuit breaker implementation and health check support have also been contributed to Vert.x. The health check implementation is based on the Health Check specification proposed in Eclipse MicroProfile, an initiative to optimize Enterprise Java for microservice architectures. The SERECA consortium has been actively involved in the specification reported on GitHub here and here.
Cloud computing, while ubiquitous, still suffers from trust issues, especially for applications managing sensitive data. Third-party coordination services such as ZooKeeper and Consul are fundamental building blocks for cloud applications, but are exposed to potentially sensitive application data. Recently, hardware trust mechanisms such as Intel's Software Guard Extensions (SGX) offer Trusted Execution Environment (TEE) to shield application data from untrusted software, including the privileged Operating System (OS) and hypervisors. Such hardware support suggests new options for securing third-party coordination services.
We describe SecureKeeper, an enhanced version of the ZooKeeper coordination service that uses SGX to preserve the confidentiality and basic integrity of ZooKeeper-managed data. SecureKeeper uses multiple small enclaves to ensure that (i) user-provided data in ZooKeeper is always kept encrypted while not residing inside an enclave, and (ii) essential processing steps that demand plaintext access can still be performed securely. SecureKeeper limits the required changes to the ZooKeeper code base and relies on Java's native code support for accessing enclaves. With an overhead of 11%, the performance of SecureKeeper with SGX is comparable to ZooKeeper with secure communication, while providing much stronger security guarantees with a minimal Trusted Computing Base (TCB) of a few thousand lines of code.
Secure Keeper code is available here
More details on Secure Keeper can be found in the related paper (MW '16)