Thank you for your interest in DMA. This document will get you started with our prototype implementation. DMA has been accepted at ICICS 2024; see the program of accepted papers for more details. You can download the paper and slides.
DMA provides strong freshness binding of the attestation evidence and uses consensus algorithms to ensure balanced trust across network domains. AuthEnclaves (AuthE) are placed on authentication nodes, while AttestEnclaves (AttestE) are placed on user nodes. In addition, function-specific user-level enclaves, referred to as user enclaves (UserE), are also deployed on user nodes.
To use DMA, the following conditions must be met:
- Distributed Intel SGX machines (SGX 1 or SGX 2).
  Please check if your machine supports Intel SGX by running:
  $ cpuid | grep SGX
  Make sure the SGX driver is installed on your machine; visit the linux-sgx-driver repository or the SGXDataCenterAttestationPrimitives repository for more information.
- Install the Intel SGX SDK, PSW, and DCAP libraries on all machines, regardless of whether your machine supports DCAP attestation.
  Please visit the linux-sgx repository for more information on how to install the Intel SGX SDK, PSW, and DCAP libraries.
  Note: You should also install the *-dev packages to obtain the DCAP library header files.
- Install the Intel SGX SSL library on all machines. For more information, visit the intel-sgx-ssl repository.
  $ wget https://github.com/01org/intel-sgx-ssl/archive/support_tls_lin_1.1.1m.zip
  $ unzip support_tls_lin_1.1.1m.zip
  $ cd intel-sgx-ssl-support_tls_lin_1.1.1m/openssl_source
  $ wget https://www.openssl.org/source/openssl-1.1.1m.tar.gz
  $ cd ../Linux
  $ bash ./build_openssl.sh
  $ make -j
  $ sudo make install
- Fully clone the repository, including all third-party libraries contained in the 3rd-party directory.
  $ git clone https://github.com/Seix61/DMA.git --recursive
- If you need to use EPID attestation, supplement the configuration information in include/global/general_settings.h. For more information, visit https://api.portal.trustedservices.intel.com/EPID-attestation.
  // Your EPID Service Provider ID
  static const sgx_spid_t SPId = {};
  // Your EPID Subscription Key
  static const std::string SubscriptionKey = "";
To build DMA, you can use the following commands:
$ mkdir build && cd build
$ cmake ..
$ make -j
You can build DMA on one machine and then distribute the build artifacts to all machines.
The following are the required build artifacts:
- build/src/auth/AuthApp: The host application for AuthEnclave
- build/src/auth/enclave.signed.so: The AuthEnclave
- build/src/attest/AttestApp: The host application for AttestEnclave
- build/src/attest/enclave.signed.so: The AttestEnclave
- build/src/user/UserApp: The host application for UserEnclave
- build/src/user/enclave.signed.so: The UserEnclave
DMA uses CLI11 to parse the runtime parameters of AuthApp, AttestApp, and UserApp. For details on the meaning of the parameters, please refer to the source code in src/auth/App/src/main.cpp, src/attest/App/src/main.cpp, and src/user/App/src/main.cpp.
We provide a Python script to quickly generate the required runtime parameters. To obtain this script, refer to script/run_generator.py.
Note: You need to run the run_generator.py script separately on each machine.
To run run_generator.py, create two JSON files in the directory where the script will be executed:
- peers.json, which describes all the nodes deployed in the network. The template is as follows:
  {
    "127.0.0.1": 1 // 1 AuthEnclave instance is running on the machine with IP address 127.0.0.1
  }
- current.json, which describes the configuration information of the current machine. The template is as follows:
  {
    "ip": "127.0.0.1", // The IP address of the current machine is 127.0.0.1
    "id": 1 // The ID of the current machine is 1
  }
Note: The order in which the nodes appear in peers.json determines the node ids in current.json. For example, if there are two machines with IP addresses 192.168.1.2 and 192.168.1.3, and peers.json is { "192.168.1.2": 1, "192.168.1.3": 1 }, then machine 192.168.1.2 has id 1 in current.json, and machine 192.168.1.3 has id 2 in current.json.
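Because every machine writes its own current.json by hand, a copied or shifted id is an easy mistake to make. The following added example (not part of the DMA repository) derives each machine's id from the order of peers.json and checks current.json against it. The function names are hypothetical, and it assumes, as in the note above, that a machine's id is the 1-based position of its entry in peers.json.

```python
import ipaddress
import json

def load_pairs(text):
    """Parse a JSON object as (key, value) pairs in file order, so that
    duplicate keys stay visible instead of silently collapsing."""
    return json.loads(text, object_pairs_hook=list)

def expected_ids(peers_text):
    """Map each IP in peers.json to its 1-based position (assumed id rule)."""
    ids = {}
    for position, (ip, instances) in enumerate(load_pairs(peers_text), start=1):
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        if ip in ids:
            raise ValueError(f"duplicate peer {ip}: later ids would shift")
        if isinstance(instances, bool) or not isinstance(instances, int) \
                or instances < 1:
            raise ValueError(f"{ip}: instance count must be a positive integer")
        ids[ip] = position
    return ids

def check_current(peers_text, current_text):
    """Return a list of problems; an empty list means the two files agree."""
    ids = expected_ids(peers_text)
    current = dict(load_pairs(current_text))
    ip, node_id = current.get("ip"), current.get("id")
    if ip not in ids:
        return [f"current.json ip {ip!r} is not listed in peers.json"]
    if node_id != ids[ip]:
        return [f"{ip} is entry {ids[ip]} in peers.json "
                f"but current.json has id {node_id}"]
    return []

# Constructed sample input: the two-machine network from the note above.
PEERS = '{ "192.168.1.2": 1, "192.168.1.3": 1 }'
GOOD = '{ "ip": "192.168.1.3", "id": 2 }'
BAD = '{ "ip": "192.168.1.3", "id": 1 }'  # id copied from the other machine

if __name__ == "__main__":
    for name, current in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_current(PEERS, current) or "ok")
```

The sample strings contain no // comments; remove the explanatory comments from the templates before passing real files to a strict JSON parser such as this one.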
You can use the following command to run run_generator.py, where the --threads option indicates the number of threads used for RPC communication within AuthEnclave:
$ python3 ./run_generator.py --threads 5
If you want to use DCAP attestation between AuthEnclaves and between AuthEnclave and AttestEnclave, please use the --use_dcap option; otherwise, EPID attestation will be used by default:
$ python3 ./run_generator.py --threads 5 --use_dcap 1
If you do not wish to perform attestation between AuthEnclaves and between AuthEnclave and AttestEnclave (usually in a testing environment), please use the --ignore_trust option:
$ python3 ./run_generator.py --threads 5 --ignore_trust 1
After generating the runtime parameters, please run DMA in the following order.
- Run AuthEnclave:
  $ ./AuthApp --config ./config_auth.ini
- Run AttestEnclave:
  $ ./AttestApp --config ./config_attest.ini
- Run UserEnclave:
  $ ./UserApp --config ./config_user.ini
If you find this useful in your research, please consider citing:
@inproceedings{li2024DMA,
author = {Li, Peixi and Li, Xiang and Fang, Liming},
title = {DMA: Mutual Attestation Framework for Distributed Enclaves},
year = {2024},
isbn = {978-981-97-8797-5},
publisher = {Springer-Verlag},
address = {Berlin, Heidelberg},
url = {https://doi.org/10.1007/978-981-97-8798-2_8},
doi = {10.1007/978-981-97-8798-2_8},
booktitle = {Information and Communications Security: 26th International Conference, ICICS 2024, Mytilene, Greece, August 26–28, 2024, Proceedings, Part I},
pages = {145–164},
numpages = {20},
keywords = {Remote attestation, Intel SGX, Distributed system},
location = {Mytilene, Greece}
}
All contributions are welcome. If you have a feature request, feel free to open an issue!