Using Fortanix Confidential Computing Manager to Protect Data in Use

Introduction

Fortanix Confidential Computing Manager (CCM) ensures the confidentiality and integrity of your application’s data when your data is in transit, at rest, and in use. This guide demonstrates how Fortanix CCM protects data in use by performing memory scraping on a simple Python application.

Prerequisites

Follow the Fortanix CCM Quickstart guide to enroll a compute node and set up the “Flask Server Enclave OS application”.

Step 1: Run the Non-secure Application on an Enrolled Compute Node

  1. Run the original non-converted application on the node by using the following command:
    docker run -p 9000:9000 -e PORT=9000 fortanix/python-flask:latest
    Here, 9000 is the port you want your application server to listen on. When the application starts, you will see the following:
      [Figure 1: Run the non-converted application]
     
  2. On a separate terminal you can issue requests to your application server using the following command:
    curl http://localhost:9000
    The above command returns the greeting message {"response":"Hello Flask!"}. You can repeat this command as many times as you like.

Step 2: Run the Secure Application on an Enrolled Compute Node

  1. Run the converted application using the following command:
    docker run --privileged --volume /dev:/dev -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e NODE_AGENT_BASE_URL=http://52.152.206.164:9092/v1 -p 9001:9001 -e PORT=9001 fortanix-private/python-flask-sgx:latest
    Here, we use port 9001 since 9000 is reserved by the non-secure application.
     
    NOTE
    Ensure the following:
    • Replace 52.152.206.164 with the IP of your node.
    • Replace fortanix-private/python-flask-sgx with the registry you used while setting up the application as part of the Quickstart guide.

    After running the converted application you will see the following:
    [Figure 2: Run the converted application]

    This indicates that your application is running securely within a Fortanix Enclave OS container.
     
  2. Similar to above, use a separate terminal to issue a request to the converted application (make sure you use the correct port):
    curl http://localhost:9001

Step 3: Memory Scraping

To introduce some confidential data, the application generates a secret token and stores it in memory every time a request is made to the application servers through curl http://localhost:9000 or curl http://localhost:9001. To demonstrate the importance of securing data in use, you can try to extract the tokens from the non-secure and the secure application by scraping the memory of the processes associated with these two applications.

  1. Make sure you have issued a few requests to each of the two application servers using curl to ensure the servers now store secret tokens in their memory.
  2. Get the process id of the two applications by running the following commands:
    docker ps
    docker top <container-id>
  3. Execute the memory scraping script for each of the applications as follows:
    chmod +x scrape_data.sh
    ./scrape_data.sh <PID> <output-filename>
    Note: scrape_data.sh supports Ubuntu, Amazon Linux, and RedHat Linux.
    Example output for non-secure application:
    [Figure 3: Memory scraping non-secure application]

    Example output for secure application:
    [Figure 4: Memory scraping secure application]

  4. Next, compare the extracted memory contents. To search for the generated secret tokens run the following commands:
    grep SECRET_TOKEN nonsgx_strings
    grep SECRET_TOKEN sgx_strings

    Example output:

    [Figure 5: Comparison of scraped data]
     

    The results shown in Figure 5 demonstrate that you were able to extract sensitive information from the memory for the non-secure application, but for the secure application running inside an Enclave OS container, no sensitive information was leaked.
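
The comparison in step 4 can be scripted so that a failed scrape is not mistaken for a clean result. The following is an added example, not part of the original guide or of scrape_data.sh; the function names and the sample dump contents are constructed for illustration, and only the file names nonsgx_strings and sgx_strings and the SECRET_TOKEN marker come from the steps above.

```shell
#!/usr/bin/env bash
# Added example: check the Step 3 string dumps for the token marker.
# Assumes each dump is a strings file like nonsgx_strings / sgx_strings.
MARKER="SECRET_TOKEN"

# Print how many lines of dump $1 contain the marker.
# An empty or missing dump means the scrape failed (status 2), not "no leak".
count_leaks() {
    local dump="$1"
    if [ ! -s "$dump" ]; then
        echo "error: $dump is missing or empty; re-run the scrape" >&2
        return 2
    fi
    # -a: read as text even if binary bytes remain; -F: literal match; -c: count
    grep -a -F -c -- "$MARKER" "$dump" || true
}

# Status 0: baseline dump leaks tokens and the enclave dump has none.
# Status 1: enclave dump contains the marker. Status 2: result not meaningful.
compare_dumps() {
    local plain="$1" enclave="$2" n_plain n_enclave
    n_plain=$(count_leaks "$plain") || return 2
    n_enclave=$(count_leaks "$enclave") || return 2
    echo "non-secure: $n_plain marker lines; secure: $n_enclave marker lines"
    if [ "$n_plain" -eq 0 ]; then
        echo "inconclusive: no tokens in the baseline dump; send requests first" >&2
        return 2
    fi
    [ "$n_enclave" -eq 0 ]
}

# Constructed sample dumps (not real scrape output) so the check runs offline.
make_sample_dumps() {
    local dir="$1"
    printf 'GET / HTTP/1.1\nSECRET_TOKEN=constructed-1\nSECRET_TOKEN=constructed-2\n' > "$dir/nonsgx_strings"
    printf 'libc.so.6\nx9fkq2\nA7mZ\n' > "$dir/sgx_strings"
    : > "$dir/empty_strings"
}

demo_dir=$(mktemp -d)
make_sample_dumps "$demo_dir"
compare_dumps "$demo_dir/nonsgx_strings" "$demo_dir/sgx_strings" && echo "PASS: no marker in secure dump"
rm -rf "$demo_dir"
```

To check real results, call compare_dumps nonsgx_strings sgx_strings from the directory that holds the two dumps.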
