-
Notifications
You must be signed in to change notification settings - Fork 11
The CloudProxy Tao for Trustworthy Computing
License
jlmucb/cloudproxy
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
This directory contains the source code and design material for the CloudProxy Project. This project was started at the Intel Science and Technology Center for Secure Computing at University of California at Berkeley. Google joined the project in January 2013 and is a major contributor. The code and accompanying material is licensed for general use under the Apache 2.0 License. Please consult the LICENSE file for details and terms. By using this software you agree to those terms. The repository contains the complete CloudProxy source and a number of examples as well as rather complete instructions. The current version supports both Go and C++ programming interfaces to Cloudproxy and support for the following "root" security hosts: 1. Support for TPM 1.2. 2. Support for TPM 2.0. 3. Support for the Soft Tao: a software root of trust which can be used for development on hardware without TPM's. In the case of TPM 2.0, the TPM can either be a discrete TPM part or a firmware based TPM. Cloudproxy runs in or on the following platforms: 1. A Linux based KVM. 2. A Linux OS (either running as a VM over KVM or as the "root" platform. 3. Mac OS-X, version 10. Macs generally do not have TPMs but can run using the "Soft Tao." This is very convenient for development. Each Cloudproxy (Tao) host presents the same programming interface to "hosted systems" or applications, so you can develop on, for example, a "SoftTao" based Mac Cloudproxy and run, without programming changes on a root Tao using a TPM or hosted Tao's. To get started, follow the "Cloudproxy Nuts and Bolts" tutorial, in Doc directory, which comprehensively describes Cloudproxy concepts, installation and a fully implemented sample application, called simpleexample. Although the Nuts and Bolts paper is long, you can follow the installation and simple example sample code by reading only the first half of the document. Simple example, although simple, covers the entire Cloudproxy API, called the "Tao." Most applications can be built by simply copying and pasting sample code from simple example. Our experience is that someone can install and build cloudproxy and complete the simpleexample tutorial in about a day and program relatively complex applications the next day. Most installation scripts and tests can also be used, with minor changes for configuring and running your own applications. The tutorial covers both Go and C++ interfaces on a SoftTao running on Mac OS-X or Linux. It covers the important concept of Tao Principal Names in depth. "CloudProxy Deployment Nuts and Bolts" covers complete installation and configuration information for TPM installations whether directly hosted on Linux or hosted in a Linux VM running on KVM. The instructions are also rather comprehensive and may be copied an pasted in a variety of deployment scenarios. "CloudProxy Deployment Nuts and Bolts" also covers important key management tools and techniques for Cloudproxy applications and hosts. Since programs are "first class" principals in Cloudproxy and are completely and unforgeably identified by Cloudproxy for the purpose of authentication and key management, first time programmers often worry about distribution and update of new applications and new versions of applications. "CloudProxy Deployment Nuts and Bolts" describes several simple mechanisms to do automatic key management and provides prototypical tools and infrastructure components to generate keys including foundational "policy keys," certify program and data protection keys, rotate keys, support key storage hierarchies, provision keys using a keystore and transfer keys between applications and different versions of the same applications. All these tools and techniques are implemented in this repository. Simpleexample itself contains a simple tao library ("taosupport") which allows most applications to interface with the Tao using a few simple stylized calls. This library can be used across a large application set with very little change. Eric Grosse pointed out that "simple example" may still be a big "first step," so there is an even simpler starting application called "simple-http-server" which demonstrates just about the simplest possible use case. There are a number of sample applications provided. These include: 1. Newfileproxy: This is a new version of the very first "real" cloudproxy application called fileproxy. The fileproxy application provides confidentiality and integrity protection and access control for files stored in a cloud by a set of cloudproxy service applications. Fileproxy demonstrates "insider protection" in a cloud application in an intuitive setting. Newfileproxy is a newer version of a fileproxy. It is simpler than the original and is based on the simpleexample code you learned in the tutorial. The old version of fileproxy is deprecated. 2. Mixnet: This is a cloudproxy based mixnet router and is fully functional. 3. Roughtime: This is a secure time implementation based on cloudproxy that can be used to support "secure network time" to cloudproxy or non-cloudproxy programs. 4. Simple-http-server: A cloudproxy secured http service (server only). Several older applications remain the distribution but are not maintained. They include: 1. Bidproxy: A secure bidding service that is secure against tampering by the organization conducting the bid. It protects the confidentiality of bids and designates the winning bid. 2. Authproxy: A distributed authentication service hosted on Cloudproxy. The directory Doc also contains older documentation and commentary including the original Cloudproxy paper by Manferdelli, Roeder and Schneider. There is also Docker container support, although we have not kept this current nor is there extensive use documentation yet. News: Cloudproxy now has state rollback protection and supports more crypto suites (as well as enabling adding new crypto suites. Current crypto suites include 1. The original "128 bit" security suite which includes aes-128, aes-128-CTR with SHA-256 HMAC and P-256 based Eliptic Curve Public Key support. 2. A Suite B compliant "192 bit" security suite which includes aes-256, aes-256-CTR with SHA-384 HMAC and P-384 based Eliptic Curve Public Key support. 3. A new "256 bit" security suite which includes aes-256, aes-256-CTR with SHA-512 HMAC and P-521 based Eliptic Curve Public Key support. Please send feedback, comments and suggestions and bug reports to [email protected] or [email protected] Unless expressly noted in any such submitted material, you agree that any feedback, comments or suggestions can be used and distributed under the Apache License in this directory. The Cloudproxy developers --- John Manferdelli, Tom Roeder, Kevin Walsh, Sid Telang, Albert Kwon. Thanks to Paul England who answered a number of questions on TPM 2.0.
About
The CloudProxy Tao for Trustworthy Computing
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published