Protecting Go Language Applications with the Graphene Library OS on Intel® SGX®-Secured Alibaba Cloud

Challenges with Go and SGX®

To help maintain the security of application code, an Intel® SGX®-enabled CPU carefully controls the execution context when either entering or exiting an enclave. For example:

  • A user execution stack is not visible outside the enclave, either in the same process or when executing in the operating system kernel;
  • Register values are loaded with synthetic data upon exit (and correctly restored upon re-entry);
  • Certain instructions, such as SYSCALL, are forbidden from use at runtime within an enclave, forcing a protected exit of the enclave for handling; and,
  • A limited, specific set of pages of physical memory are designated for use only within an enclave, a level of protection added to the traditional virtual memory translation layers.

Challenges with Go and Graphene

As the Go runtime sits directly over the operating system kernel interface, its implementation can make assumptions about the behavior of this interface — the Linux® x86–64 Application Binary Interface (ABI). By sliding in the Graphene Library OS between the Go runtime and the kernel, we encounter challenges which touch on these assumptions, discussed below.

Learn More about Go, Graphene, and Intel® SGX®

We hope this blog highlighted some interesting challenges we — Intel and Alibaba — are addressing, in our effort to improve security and protection of Go language applications by making features of Intel SGX more easily available to use.

About Alibaba Cloud

Established in 2009, Alibaba Cloud, the cloud computing arm of Alibaba Group, is among the world’s top three IaaS providers according to Gartner, and the largest provider of public cloud services in China according to IDC. Alibaba Cloud provides a comprehensive suite of cloud computing services to businesses worldwide, including merchants doing business on Alibaba Group marketplaces, start-ups, corporations and government organizations. Alibaba Cloud is the official Cloud Services Partner of the International Olympic Committee.

About Intel®

We are a world leader in the design and manufacturing of essential technologies that power the cloud and an increasingly smart, connected world. We offer computing, networking, data storage, and communications solutions to a broad set of customers spanning multiple industries. In 1968, Intel® was incorporated in California (reincorporated in Delaware in 1989), in what became known as Silicon Valley, and our technology has been at the heart of computing breakthroughs ever since.

References

[1] “Unmodified” here means no source-code-level changes, nor recompilation of original sources.

Intel Legal Notices

No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document.

Original Source

https://www.alibabacloud.com/blog/594889?spm=a2c41.13092806.0.0

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Alibaba Cloud

Alibaba Cloud

Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:https://www.alibabacloud.com