Using Fortanix Confidential Computing Manager to Protect Data in Use


Fortanix Confidential Computing Manager (CCM) ensures the confidentiality and integrity of your application’s data when your data is in transit, at rest, and in use. This guide will walk you through the steps of demonstrating how Fortanix CCM protects data in use, by performing memory scraping on a simple python application.


Follow the Fortanix CCM Quickstart guide to enroll a compute node and set up the “Flask Server Enclave OS application”.

Step 1: Run the Non-secure Application on an Enrolled Compute Node

  1. Run the original non-converted application on the node by using the following command:
    docker run -p 9000:9000 -e PORT=9000 fortanix/python-flask:latest
    Here, 9000 is the port you want your application server to listen to. When the application starts, you will see the following:
      CCM_memoryScraping.png                                                        Figure 1: Run the non-converted application
  2. On a separate terminal you can issue requests to your application server using the following command:
    curl http://localhost:9000
    The above command returns the greeting message {"response":"Hello Flask!"}. You can repeat this command as many times as you like.

Step 2: Run the Secure Application on an Enrolled Compute Node

  1. Run the converted application using the following command:
    docker run --privileged --volume /dev:/dev -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e NODE_AGENT_BASE_URL= -p 9001:9001 -e PORT=9001 fortanix-private/python-flask-sgx:latest
    Here, we use port 9001 since 9000 is reserved by the non-secure application.
    Ensure the following:
    • Replace with the IP of your node.
    • Replace fortanix-private/python-flask-sgx with the registry you used while setting up the application as part of the Quickstart guide.

    After running the converted application you will see the following: CCM_memoryScraping1.png                                                        Figure 2: Run the converted application

    This indicates that your application is running securely within a Fortanix Enclave OS container.
  2. Similar to above, use a separate terminal to issue a request to the converted application (make sure you use the correct port):
    curl http://localhost:9001

Step 3: Memory Scraping

To introduce some confidential data, every time a request is made to the application servers through curl http://localhost:9000 or curl http://localhost:9001 a secret token is generated and stored in memory. To demonstrate the importance of securing data in use, you can extract the tokens from the non-secure and the secure application by scraping the memory of the processes associated with these two applications.

  1. Make sure you have issued a few requests to each of the two application servers using curl to ensure the servers now store secret tokens in their memory.
  2. Get the process id of the two applications by running the following commands:
    docker ps
    docker top <container-id>
  3. Execute the memory scraping script for each of the applications as follows:
    chmod +x
    ./ <PID> <output-filename>
    Note: scrape_data.shsupports Ubuntu, Amazon Linux, and RedHat Linux.
    Example output for non-secure application:
    CCM_memoryScraping2.png                                                 Figure 3: Memory scraping non-secure application

    Example output for secure application:
    CCM_memoryScraping3.png                                                                         Figure 4: Memory scraping secure application

  4. Next, compare the extracted memory contents. To search for the generated secret tokens run the following commands:
    grep SECRET_TOKEN nonsgx_strings
    grep SECRET_TOKEN sgx_strings

    Example output:

            Figure 5: Comparision of scraped data

    The results shown in Figure 5 demonstrate that you were able to extract sensitive information from the memory for the non-secure application, but for the secure application running inside an Enclave OS container, no sensitive information was leaked.


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful