4 Commits 2d07ca20d7 ... 59bdba04c4

Author SHA1 Message Date
  Miti Mazmudar 59bdba04c4 Changed the nesting, ordering of the docker/Dockerfile bullet list. 3 years ago
  Miti Mazmudar f653828751 Merge branch 'master' of git-crysp.uwaterloo.ca:miti/mitigator 3 years ago
  Miti Mazmudar 09abcd86e3 Included versions of drivers as per reviewer As first comment. 3 years ago
  Miti Mazmudar 1a267dded6 Renamed tmux session names as per Reviewer B's 1st comment. 3 years ago
2 changed files with 23 additions and 16 deletions
  1. 20 13
      README.md
  2. 3 3
      docker/deploy_enclaves.sh

+ 20 - 13
README.md

@@ -5,12 +5,18 @@ This repository contains Docker files for reproducing the implementation of the
 Miti Mazmudar, Ian Goldberg. "Mitigator: Privacy policy compliance using trusted hardware".  
 Proceedings on Privacy Enhancing Technologies. Vol. 2020, No. 3. 18 pages. July 2020.
 
-*Note:* This system requires a machine with Intel Software Guard Extension (SGX) in order to be built and to function correctly. 
+*Note:* This system requires a machine with Intel Software Guard Extension (SGX) in order to be built and to function correctly. We install appropriate versions of the following through our dockerscripts.
+* Linux SGX driver
+* Graphene-SGX driver
+* Linux SGX SDK
+* Graphene-SGX library OS
+
+Linux SGX and Graphene-SGX drivers and the Linux SGX SDK through our dockerscripts below.
 
 This system consists of three enclaves: a decryptor, a verifier and a target enclave. The target enclave is a PHP-enabled apache web server, which obtains user data through forms and we wish to ensure compliance of the webserver with its privacy policy. The Linux SGX driver and Linux SGX SDK are required to run the decryptor enclave. The Linux SGX SDK is also required for the enclaves to attest to each other and to seal secrets to disk. We use the Graphene-SGX library to support running a proof-of-concept verifier and the target application. The target application also contains a PHP extension to interface with the decryptor enclave. The Graphene-SGX driver is required to run any applications within Graphene. 
 
 We use Docker scripts to reproduce our setup for our paper. Two of our scripts set up drivers and the others set up and launch a docker container for running the three enclaves. 
-* `build-driver`: builds specific versions of the Linux SGX and the Graphene-SGX drivers as kernel modules.
+* `build-driver`: builds version f7dc97c0 of the Linux SGX driver and version 30d4b940 of the Graphene-SGX driver, as kernel modules.
 * `install-driver`: installs the kernel modules generated by the build-driver script onto the machine. 
 * `build-mitigator`: builds three docker images, one for each of the Dockerfiles in the sgx-docker/, graphene-docker/, and docker/ folders respectively.
 * `run-mitigator`: creates a *detached* docker container with the image initialized in the build-mitigator script. Re-run this script after any changes to the `build-mitigator` script to recreate a docker container with the new docker image.
@@ -19,21 +25,22 @@ We use Docker scripts to reproduce our setup for our paper. Two of our scripts s
 
 The docker images download the following software: 
 
-  sgx-docker/Dockerfile:
-  * [Linux SGX SDK and PSW](https://github.com/intel/linux-sgx) 
+  sgx-docker/Dockerfile: installs branch sgx_2.1 of the [Linux SGX SDK and PSW](https://github.com/intel/linux-sgx) 
 
-  graphene-docker/Dockerfile:
-  * [Graphene-SGX](https://github.com/oscarlab/graphene) (it actually downloads our mirror of a branch on that repo that has since been rebased, but we wanted to keep the exact version that we used)
+  graphene-docker/Dockerfile: downloads and installs [our mirror](https://git-crysp.uwaterloo.ca/miti/graphene) of a branch of the [Graphene-SGX library OS](https://github.com/oscarlab/graphene).
 
   docker/Dockerfile:
   * Our own codebase for the [Decryptor](https://git-crysp.uwaterloo.ca/miti/Decryptor) enclave, the [Verifier](https://git-crysp.uwaterloo.ca/miti/verifier) enclave and the [PHP extension for the Apache web server](https://git-crysp.uwaterloo.ca/miti/Apache_PHP_extension).
-  * We install [our repository for the Protobuf definitions](https://git-crysp.uwaterloo.ca/miti/dhmsgs_proto_defs.git) for passing messages between enclaves during and after local attestation.
-  * The decryptor enclave requires the Linux SGX SDK as well as the [Intel SGX SSL library](https://github.com/intel/intel-sgx-ssl) for performing cryptography operations safely within an enclave.
-  * The Intel SGX SSL repo essentially interfaces functions from the [OpenSSL library](https://github.com/openssl/openssl), and so we install a compatible version of that library.
-  * To avoid code duplication, the verifier and the PHP extension use the same source code files for performing local attestation; these files are also made available in [our repo](https://git-crysp.uwaterloo.ca/miti/commonVerifierPHPfiles).
-  * As Graphene-SGX does not support local attestation, we patched the SGX SDK libraries to run them on Graphene; the verifier uses [our patch](https://git-crysp.uwaterloo.ca/miti/linux-sgx-trts-modified) of these libraries.
-  * We have tested the verifier with the [Pixy source code analysis tool](https://github.com/oliverklee/pixy) to perform the compliance check, however this code is commented out for now.
-  * The PHP extension requires [PHP-CPP](https://github.com/CopernicaMarketingSoftware/PHP-CPP) to make the C++ functions of the extension available to the PHP pages. We provide manifests for the verifier and the PHP extension binaries in order to run them within Graphene-SGX. We use Graphene-SGX's Apache sample application for the Apache web server, with PHP version 7 installed from source.  
+  * Our own helper repositories: 
+    * [Protobuf definitions](https://git-crysp.uwaterloo.ca/miti/dhmsgs_proto_defs.git) for passing messages between enclaves during and after local attestation.
+    * [Common local attestation files](https://git-crysp.uwaterloo.ca/miti/commonVerifierPHPfiles) - To avoid code duplication, the verifier and the PHP extension use the same source code files for performing local attestation.
+  * Decryptor enclave dependencies: 
+    * The decryptor enclave requires the [Intel SGX SSL library](https://github.com/intel/intel-sgx-ssl) for performing cryptography operations safely within an enclave.
+       * The Intel SGX SSL repo essentially interfaces functions from the [OpenSSL library](https://github.com/openssl/openssl), and so we install a compatible version of that library.
+  * Verifier dependencies: 
+    * As Graphene-SGX does not support local attestation, we patched the SGX SDK libraries to run them on Graphene; the verifier uses [our patch](https://git-crysp.uwaterloo.ca/miti/linux-sgx-trts-modified) of these libraries.
+    * We have tested the verifier with the [Pixy source code analysis tool](https://github.com/oliverklee/pixy) to perform the compliance check, however this code is commented out for now.
+  * PHP extension dependency: The PHP extension requires [PHP-CPP](https://github.com/CopernicaMarketingSoftware/PHP-CPP) to make the C++ functions of the extension available to the PHP pages. We provide manifests for the verifier and the PHP extension binaries in order to run them within Graphene-SGX. We use Graphene-SGX's Apache sample application for the Apache web server, with PHP version 7 installed from source.  
 
 ## Build steps
 

+ 3 - 3
docker/deploy_enclaves.sh

@@ -4,8 +4,8 @@
 #List existing sessions by pressing tmux ls.
 
 cd ~/graphene && make SGX=1 sgx-tokens
-cd ~/source/Decryptor && tmux new-session -d -s dec './app; bash';
-cd ~/graphene/LibOS/shim/test/native && tmux new-session -d -s ver './pal_loader SGX verifier; bash'
+cd ~/source/Decryptor && tmux new-session -d -s decryptor './app; bash';
+cd ~/graphene/LibOS/shim/test/native && tmux new-session -d -s verifier './pal_loader SGX verifier; bash'
 sleep 60; #Should have better logic here to check if the previous command exited successfully (server should only be started after the verifier finishes, or else it will try to do LA with the decryptor and crash' 
-cd ~/graphene/LibOS/shim/test/apps/apache && tmux new-session -d -s php "SGX=1 make start-graphene-server; bash" 
+cd ~/graphene/LibOS/shim/test/apps/apache && tmux new-session -d -s php_server "SGX=1 make start-graphene-server; bash"