# Occlum
*A library OS empowering everyone to run every application in secure enclaves*
*Occlum is a memory-safe, multi-process library OS for Intel SGX*
https://occlum.io/
Links: [[TEE]], [[Confidential Computing Consortium|CCC]], [[Rust]]
- [Main repo](https://github.com/occlum/occlum)
## [GitHub Docs](https://github.com/occlum/occlum/tree/master/docs)
- [Quick Start: Deploy Occlum on Azure AKS](https://github.com/occlum/occlum/blob/master/docs/azure_aks_deployment_guide.md)
- [The Encrypted FS Image](https://github.com/occlum/occlum/blob/master/docs/encrypted_image.md)
- *Since 0.22.0, Occlum has supported using an encrypted FS image, encrypted with a user-provided key, to run apps inside the enclave. Both the confidentiality and the integrity of the user's files and libraries are protected by it.*
- [Install Occlum with Popular Package Managers](https://github.com/occlum/occlum/blob/master/docs/install_occlum_packages.md)
- [The Mount Command](https://github.com/occlum/occlum/blob/master/docs/mount_cmd.md)
- [Occlum Remote Attestation](https://github.com/occlum/occlum/blob/master/docs/remote_attestation.md)
- [Resource Configuration Guide](https://github.com/occlum/occlum/blob/master/docs/resource_config_guide.md)
- [Quick Start: running Occlum with OCI runtime rune](https://github.com/occlum/occlum/blob/master/docs/rune_quick_start.md)
- [Mount and Unmount Filesystems at Runtime](https://github.com/occlum/occlum/blob/master/docs/runtime_mount.md)
## [Website](https://occlum.io/)
### Why Occlum
Modern applications are being increasingly deployed to untrusted infrastructure, e.g., public clouds, IoT devices, blockchain nodes, etc. While a new class of hardware security technology known as enclaves (e.g., [Intel SGX](https://software.intel.com/en-us/sgx)) can provide the much-needed protection in these scenarios, secure enclaves are well known to be hard to program.
Occlum makes running applications inside enclaves easy. **It allows one to run unmodified programs inside enclaves with just a few simple commands.** And Occlum is open-source and free to use. So, instead of spending months to port your code into enclaves, you can run your applications inside enclaves now!
- Seems promising for [[-Lexe/Lexe]]
### How to Use
If you were to write a Hello World program using some Enclave SDK (e.g., Intel SGX SDK), the project would consist of hundreds of lines of code. Thanks to Occlum, you can be freed from writing any extra enclave-aware code and only need to type some simple commands: `occlum init`, `occlum build`, and `occlum run`.
![[Screen Shot 2022-02-13 at 12.11.36 AM.png]]
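The init/build/run workflow from the paragraph above, written out as a script. This is an added example, not code from the Occlum project or from these notes; it assumes the `occlum` and `occlum-gcc` tools are on PATH, that `occlum init` lays out an `image/` directory in the instance, and that the `occlum gen-image-key` / `occlum build --image-key` options exist as described in the project's encrypted-image doc linked above (all assumptions).

```shell
#!/bin/sh
# Added example: build and run a hello-world program inside an Occlum
# enclave with the init/build/run workflow. Assumes the `occlum` and
# `occlum-gcc` tools from the Occlum SDK are on PATH (assumption).
set -eu

# Write a minimal C program. Occlum runs it unmodified: no SGX SDK code.
write_hello_source() {
    cat > "$1" <<'EOF'
#include <stdio.h>
int main(void) { puts("Hello from inside the enclave"); return 0; }
EOF
}

# Copy a built binary into the instance's image/bin, the root of the
# in-enclave file system laid out by `occlum init` (assumed layout).
# Returns 1 with a message if `occlum init` has not been run yet.
stage_app() {
    instance="$1"; binary="$2"
    if [ ! -d "$instance/image/bin" ]; then
        echo "stage_app: $instance has no image/bin; run 'occlum init' first" >&2
        return 1
    fi
    cp "$binary" "$instance/image/bin/"
}

# Full workflow. USE_IMAGE_KEY=1 also encrypts the FS image with a
# freshly generated key (assumed flags: gen-image-key, --image-key).
occlum_hello_world() {
    workdir="$1"
    mkdir -p "$workdir" && cd "$workdir"
    write_hello_source hello_world.c
    occlum-gcc -o hello_world hello_world.c      # Occlum's toolchain wrapper
    mkdir -p occlum_instance && cd occlum_instance
    occlum init                                  # creates Occlum.json and image/
    stage_app . ../hello_world
    if [ "${USE_IMAGE_KEY:-0}" = 1 ]; then
        occlum gen-image-key image_key
        occlum build --image-key ./image_key     # confidentiality + integrity
    else
        occlum build                             # integrity-protected hashed FS
    fi
    occlum run /bin/hello_world                  # path is inside the enclave FS
}

# Only run the enclave steps when the SDK is actually installed.
if command -v occlum >/dev/null 2>&1 && [ "${RUN_OCCLUM_DEMO:-0}" = 1 ]; then
    occlum_hello_world "$(mktemp -d)"
fi
```

Run with `RUN_OCCLUM_DEMO=1` on an SGX-capable host that has the Occlum SDK installed; without it the script only defines the helpers.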
### Features
#### Efficient Multitasking
Occlum offers light-weight LibOS processes that share the single address space of an enclave. These light-weight LibOS processes can be 1,000X faster on startup and 3X faster on inter-process communication, compared to the traditional heavy-weight, per-enclave LibOS processes.
#### Multiple File Systems
Occlum supports various types of file systems, e.g., read-only hashed FS (for integrity protection), writable encrypted FS (for confidentiality protection), untrusted host FS (for convenient data exchange between the LibOS and the host OS), etc.
#### Memory Safety
Occlum is built from scratch with [[Rust]], which helps to minimize low-level memory-safety bugs and thus makes it more trustworthy for hosting security-critical applications.
#### Ease of Use
Occlum provides user-friendly build and utility command-line tools. Running applications on Occlum inside SGX enclaves can be as simple as only typing several shell commands.
### Use cases
#### ==Secret Management==
Link: [[-Lexe/Lexe]]
Secret management is essential in today's microservice architecture. However, the data store of your secret management system becomes a centralized weakness. If it is compromised, all your secrets are in danger. Occlum allows you to fortify the secret store by running it in hardware-encrypted memory.
#### Blockchain Privacy
Links: [[Blockchain]], [[-Lexe/Lexe]]
Privacy in blockchain transactions (smart contracts) is a roadblock for blockchain to enter a serious business market. With Occlum, even if a smart contract is executed at a random node of the chain, the content and details of the contract still remain confidential.
#### Data Protection at Edge
With the rise of Edge Computing, more and more code and data are running at heterogeneous remote sites, which means that intellectual property (both source code and data) is exposed. Occlum allows you to deploy your code/data at those untrusted edges, with the necessary confidence that they are properly protected.
#### Federated ML
Data exchange among multiple non-mutually-trusted parties is tricky. The problem lies not only in the lack of trust but also, very often, in jurisdictional requirements. Combined with Occlum, federated ML (Machine Learning) enables different entities to safely share data, with no one having any access to the data.
## [Main repo](https://github.com/occlum/occlum)
**NEWS:** Our paper _Occlum: Secure and Efficient Multitasking Inside a Single Enclave of Intel SGX_ has been accepted by [ASPLOS'20](https://asplos-conference.org/programs/). This research paper highlights the advantages of the single-address-space architecture adopted by Occlum and describes a novel in-enclave isolation mechanism that complements this approach. The paper can be found on [ACM Digital Library](https://dl.acm.org/doi/abs/10.1145/3373376.3378469) and [Arxiv](https://arxiv.org/abs/2001.07450).