Use of SGX to protect network nodes

Nowadays computing technologies are exponentially growing up in terms of complexity. As a consequence, it is necessary to develop in parallel new security strategies, having each one of them a specific target. The era of Big Data requires new technologies for data protection in different stages. Moreover, it is necessary to protect systems at the lowest level possible, because even the privileged software can be manipulated by malicious users, thus compromising the code running on the machine. Therefore, data protection, software integrity and trustworthiness of the hardware must be ensured. Trusted Computing is becoming the new frontier of data protection during In-Use stage, namely inside the CPU or the memory. This can be achieved with Trusted Execution Environments (TEE) and Remote Attestation. A TEE allows to run application within an encrypted memory region, which is decrypted with a secret key stored in the CPU at runtime. By assuming that privileged software can be manipulated, encryption ensures that any code running at higher privilege levels cannot access it, it might only read the encrypted pages. Remote Attestation can be either hardware (with TEEs) or software: it is the security procedure of attesting to a remote third party that a machine is trusted (hardware-based) and it is hosting code that is behaving as expected. Starting from these two concepts, this Master Thesis includes an investigation of the major TEEs with a special focus on Intel Software Guard Extension (SGX ) and Intel SGX Data Center Attestation Primitives (DCAP). Afterwards an analysis of Confidential Computing is performed: Confidential Computing aims to bring Trusted Computing to Cloud environments, this being an interesting topic since nowadays Cloud Computing is one of the most attractive field for computer engineers. After a critical analysis of current Confidential Computing technologies, a Remote Attestation framework based on Occlum LibOS and SGX DCAP is introduced. This framework includes a Verifier and some Attesters that are running apps inside SGX enclaves (whose generation is made much simpler thanks to Occlum LibOS). At runtime the Verifier starts the Remote Attestation process, hence it checks both if the machines on which apps are running are trusted (in terms of TEEs) and if the running code is behaving as expected. This framework is then moved to a containerized environment. Occlum and Intel SGX DCAP have been chosen as main technologies for the implementation because of their stability and interoperability, therefore this framework can be enhanced to be adopted together with the current Remote Attestation frameworks at Torsec Research Group at Politecnico di Torino.