Jessie Frazelle on SCONE: Secure Linux Containers with Intel SGX & a PWLMini

215 people went

Two Sigma

101 Ave. of the Americas, 23rd Fl. J · New York

How to find us

Cross Streets: Watt and Grand. Note: Please make sure you’re signed up for the meetup, including your first and last name. Without this info you won’t be allowed into the building by security.

Details

We're super excited to host Jessie Frazelle (https://blog.jessfraz.com), software engineer at Microsoft, contributor to RunC (https://github.com/opencontainers/runc) and Golang, former maintainer of Docker, and the Keyser Söze of container security. She'll be presenting on SCONE: Secure Linux Containers with Intel SGX (https://www.usenix.org/system/files/conference/osdi16/osdi16-arnautov.pdf) by Arnautov et al.

In addition to Jessie's talk, PWLNYC Organizer David Ashby will be opening the event with a lightning talk on the Secure Hash Standard (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf), specifically SHA256, called SHAmwow: Poorly Re-implementing SHA256 for Fun and Profit.

Talks

• Jessie Frazelle on SCONE:

Containers are the latest infrastructure trend. In 2016, the SCONE (https://www.usenix.org/system/files/conference/osdi16/osdi16-arnautov.pdf) paper was written and presented at the USENIX Symposium on Operating Systems Design and Implementation (https://www.usenix.org/conference/osdi16). It outlined how to use Intel Secure Enclaves (https://en.wikipedia.org/wiki/Software_Guard_Extensions) to guard containers against attack. Containers are built on the kernel primitives cgroups and namespaces, with additional LSM (Linux Security Module) layers on top, such as AppArmor, SELinux, and seccomp. Intel SGX protects code from modification by running it in protected areas of memory known as enclaves. With containers and cloud adoption on the rise, this paper continues to be on the cutting edge of what is to come. Some cloud providers are now starting to expose hardware-specific features like GPUs and SGX, which would make running containers under Intel's SGX trusted execution a reality in the cloud. With Intel's SGX, a container's process can be shielded from access by other programs. We'll explore how realistic this is today and in the future, as well as what benefits it would have for the security of containers.

• David Ashby on SHA256:

While most of us use hash functions on a daily basis, few people can say that they truly understand what’s actually going on when they call SHA2("hello world"). Even fewer can say they’ve bothered to implement the function themselves, considering every introduction to cryptography starts off with a big warning saying to never, ever implement cryptographic primitives and just use vetted libraries due to the security implications. Of course, that important warning didn’t stop me from digging into the FIPS 180-4 spec (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf) to scratch the itch to understand how exactly it works, and along the way get a much better intuition about what bitwise operators actually do, what a bit rotation is, and why hex notation actually matters.

Bios

Jessie Frazelle (https://blog.jessfraz.com) works with Linux and containers at Microsoft. She loves all things involving Linux namespaces and cgroups and is probably best known for running desktop applications in containers. Jessie has been a maintainer of Docker and a contributor to RunC, Kubernetes, Linux, and Golang, among other projects; she maintained the AppArmor, seccomp, and SELinux bits in Docker and is quite familiar with locking down containers.

David Ashby (https://twitter.com/alazyreader) is a self-taught programmer and systems engineer who sometimes spends his weekends implementing hash functions in high-level languages. He also helps organize the meetup, but no nepotism was to blame for the existence of this presentation.

Details

Doors open at 6:30 pm; the presentations will begin right around 7:00 pm; and, yes, there will be refreshments of all kinds and pizza.

You'll have to check in with security with your name/ID. Definitely sign up if you’re going to attend; unfortunately, people whose names aren’t entered into the security system in advance won’t be allowed in.

After Jessie's presentation, we will open up the floor to discussion and questions.

We hope that you'll read some of the papers and references before the meetup, but don't stress if you can't. If you have any questions, thoughts, or related information, please visit #pwlnyc (https://paperswelove.slack.com/messages/pwlnyc/) on slack (http://papersweloveslack.herokuapp.com/), our GitHub repository (https://github.com/papers-we-love/papers-we-love), or add to the discussion on this event's thread.

Additionally, if you have any papers you want to add to the repository above (papers that you love!), please send us a pull request (https://github.com/papers-we-love/papers-we-love/pulls). Also, if you have any ideas/questions about this meetup or the Papers-We-Love org, just open up an issue.

------------------------------------------------------------------------------------------

TwoSigma (https://www.twosigma.com/) - Platinum Sponsor of the New York chapter

------------------------------------------------------------------------------------------