Gop
@guop
AI at the Intersection of Bio w/: Vijay Pande, Surya Ganguli & Bowen Liu Exploring the transformational role of AI in drug discovery and biology > How machine learning and self-supervised models are reshaping the foundational tasks of drug design, and more
11 replies
0 recast
13 reactions

Ca Non
@canon
We’ve been working with TEEs (Trusted Execution Environments) aka secure enclaves at Turnkey for a couple of years now. While building our new OAuth feature we had to solve an interesting problem: Enclaves do not have network access (no NIC!), yet we have to fetch a list of public keys to verify OIDC tokens securely (see the spec).
0 reply
0 recast
3 reactions

Du Tho
@dutho
In Part II, I’ll talk about networking more in-depth. To make a TLS connection to the outside world our enclave application relies on a layer 4 proxy sitting on the host side: a TCP connection is established by the proxy at the request of the enclave application, and the TLS session can be driven from inside the enclave over that connection.
0 reply
0 recast
2 reactions

Vét Láp
@vestlab
This post explains our approach in three parts: in Part I, I’ll introduce TEEs and how we’re using them at Turnkey. We’ll see that TEEs provide verifiability of the computation they run, and that Turnkey’s operating system to run applications inside of secure enclaves (“QuorumOS”) provides application-to-application authentication primitives through the provisioning of stable Quorum keys at boot time.
0 reply
0 recast
2 reactions

Suner
@bronu
I won’t bore you with a generic definition and classification of TEEs here. If you need a general introduction to TEEs, I’d recommend checking out the Wikipedia page, and if you’re curious about AWS Nitro Enclaves in particular (we’re using them at Turnkey), check out this video.
0 reply
0 recast
1 reaction

85cent
@salonpas
Finally, in Part III I’ll explain how we combined Quorum key signatures and layer 4 proxy to secure our OAuth flows. And as a bonus, I’ll outline other use cases where a TLS fetcher will come in handy—turns out: there are plenty!
0 reply
0 recast
1 reaction

Cá Ba Sa
@cabasa
🐶 🐶 🐶
0 reply
0 recast
0 reaction

Kinh Ba
@kinh3
Grass is democratizing data in the AI revolution by turning millions of internet users into data miners
0 reply
0 recast
0 reaction

Tuổi Trẻ Cười
@tuoitrecuoi
Typically an enclave server binds to its context ID and a chosen port, listening for host connections and requests. The host client forwards requests it receives from the network to the enclave application by connecting to the right context ID and port.
0 reply
0 recast
0 reaction

Emmauel
@vinhtuong
From the previous section we know secure enclaves do not have the ability to contact the outside world directly. We’ve also said that an enclave is connected to its host by a VSOCK interface, but have not explained what VSOCK is, really. Put simply, a VSOCK is similar to a UNIX domain socket (UDS) but is used to communicate between hosts and virtual machines. A VSOCK connection has a context ID and a port. The context ID is analogous to an IP address in TCP/IP, and ports work as you would expect.
0 reply
0 recast
0 reaction

Youre
@dtmyxuyenst
In order to deploy applications inside of secure enclaves, we’ve built a new OS: QuorumOS. Among other things, QuorumOS adds a crucial provisioning mechanism. QuorumOS expects shares of a known key (“Quorum Key”) to be posted when an enclave boots. Once enough shares are posted and the Quorum Key is reconstructed, QuorumOS runs the application, and the application can use this Quorum Key to decrypt, encrypt, or sign data. Applications running within QuorumOS operate with a stable key across reboots: their Quorum Key. This Quorum Key can be used to authenticate the application’s output: If data is signed by the Quorum Key, it’s legitimate and originates from this application. Otherwise, it’s not. In Part III we’ll see how Quorum Keys are used to ensure TLS response authenticity. Before we get there, we need to talk about enclave networking.
0 reply
0 recast
0 reaction
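The boot-time provisioning described in the post above, modelled as an added example (not QuorumOS or Turnkey code). It assumes the shares are Shamir shares over a prime field and stands in an HMAC tag for the real Quorum Key signature; the threshold and share count are constructed values.

```python
import hmac, hashlib, secrets

# Prime field for the sharing arithmetic (constructed choice: 2^127 - 1, a Mersenne prime).
P = (1 << 127) - 1

def split_key(key: int, threshold: int, n: int):
    """Split `key` into n shares, any `threshold` of which reconstruct it (assumed: Shamir scheme)."""
    coeffs = [key] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def reconstruct_key(shares):
    """Lagrange-interpolate the polynomial at x = 0 to recover the key from posted shares."""
    key = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        key = (key + yi * num * pow(den, P - 2, P)) % P
    return key

def boot_application(posted_shares, threshold):
    """Model the QuorumOS boot gate: the application does not run until enough shares are posted."""
    if len(posted_shares) < threshold:
        raise RuntimeError("waiting for shares: %d of %d posted" % (len(posted_shares), threshold))
    return reconstruct_key(posted_shares[:threshold])

def authenticate_output(quorum_key: int, data: bytes) -> str:
    """Tag application output with the Quorum Key (HMAC stands in for the real signature)."""
    return hmac.new(quorum_key.to_bytes(16, "big"), data, hashlib.sha256).hexdigest()

def verify_output(quorum_key: int, data: bytes, tag: str) -> bool:
    """Accept output only if the tag was produced with the same Quorum Key."""
    return hmac.compare_digest(authenticate_output(quorum_key, data), tag)

if __name__ == "__main__":
    key = secrets.randbelow(P)             # constructed Quorum Key for the demo
    shares = split_key(key, 3, 5)          # constructed 3-of-5 split
    # A different subset of shares after a "reboot" yields the same stable key.
    assert boot_application(shares[:3], 3) == boot_application(shares[2:], 3) == key
    print("quorum key reconstructed; output tag:", authenticate_output(key, b"enclave output")[:16])
```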

Pravas
@khet
Think of a TEE, or “secure enclave”, as an isolated (virtual) machine provisioned with its own CPU and memory. The following properties are important to grasp:
- A secure enclave is stateless and does not have the ability to write to a persistent disk or cache. Its only form of persistence is volatile memory (RAM), cleared on every restart.
- A secure enclave is not connected to the network. The only networking element attached to a secure enclave is a VSOCK interface to enable communication with the enclave host.
- A secure enclave has access to an independent secure source of entropy and time via the Nitro Security Module (“NSM”).
- On boot, a secure enclave generates a brand new cryptographic key pair, called the enclave ephemeral key.
- A secure enclave can provide attestations containing measurements (aka Platform Configuration Registers, or “PCRs”) about the contents of the image, boot RAM, and more. Attestations provide verifiability of the computation running inside of secure enclaves.
0 reply
0 recast
0 reaction