SGX-Log: Securing System Logs With SGX

Overview

Intel Software Guard Extensions (SGX) is a set of extensions to the Intel x86 architecture that allows the trusted part of an application to be executed in a secure container called an enclave. The trusted hardware establishes an enclave to protect the integrity and confidentiality of private data in a computation and of the code that operates on it. We present a new secure logging system called SGX-Log, which ensures the integrity and confidentiality of system logs.

SGX-Log uses a client-server architecture. The client is a log request component that issues various log messages, while the log-server executes the secure logging services. We have implemented SGX-Log by following the standard logging protocol in Linux, and it protects the log data both inside and outside enclaves by using the sealing and unsealing primitives provided by SGX. For efficient log verification, we have implemented a block-level hash key chain, which enables hierarchical traversal of key chains and thus yields better performance.

Pre-requisites

System Requirements

Ubuntu* Desktop 14.04 LTS 64-bit or higher

Intel SGX Setup

  1. Hardware Support: Check whether your machine supports Intel SGX using the list of supported hardware at https://github.com/ayeks/SGX-hardware

  2. BIOS Setting: Make sure that you have enabled SGX support in the BIOS.

  3. An Intel SGX application can be run in Simulation mode or Hardware mode. Make sure to specify HW mode in the Makefile.

Intel SGX Driver

Build and install the Intel SGX Driver available at https://github.com/01org/linux-sgx-driver

Intel SGX SDK and Intel SGX PSW

Build and install the Intel SGX SDK and Intel SGX PSW from https://github.com/01org/linux-sgx

Intel Documentation

For details about SGX programming, refer to the documentation available at https://software.intel.com/en-us/sgx-sdk/documentation

Installation and Usage

Clone the sgx-log repository:

git clone https://github.com/utds3lab/sgx-log.git

The sgx-log repository consists of 3 folders: log-client, log-server and sgx-bench.

1) log-server

Log-server consists of an untrusted module (the App folder) and a trusted enclave module (the Enclave folder). It can run in daemon mode, or it can read log messages directly from a file and send them to the trusted enclave for log processing.

Run log-server in daemon Mode (default):

cd log-server
make clean
make
./app

This starts log-server listening on 127.0.0.1:7891 for log messages from log-clients; the settings can be configured in App/App.cpp.

  1. Log configuration: SGX-Log supports adding new log filtering rules, which can be customized in log-server/log-server.conf. SGX-Log protects the log configuration by storing it sealed on disk.

  2. Sealed logs: After processing, SGX-Log exports the system logs in sealed format and stores them under the sealed-logs/ folder, e.g. sealed-logs/kern.log.sealed.

Run log-server to read messages from file:

Comment out the following code in App/App.cpp:

ocall_listen_log_messages();

and uncomment the following code (kernel.logs contains sample logs from the Linux kernel for prototype testing):

printf("\n READING LOG MESSAGES:\n");
ocall_read_log_messages("kernel.logs");

Then run the same set of commands again:

cd log-server
make clean
make
./app

Use Ctrl+C to quit the log server when finished.

2) log-client

Log-client is a program that reads messages from a text file and sends them to log-server over a socket. Upon receiving the messages, log-server processes them using a 2-dimensional hash key chain.

cd log-client
gcc log-client.c -o client
./client

3) sgx-bench

sgx-bench consists of fine-grained benchmark programs used to test SGX-specific services, e.g. sealing, unsealing and hashing. Run sgx-bench using the following commands:

cd sgx-bench
make clean
make
./app -b copy       // tests copy benchmark
./app -b seal 0     // tests sgx sealing
./app -b seal 1     // tests sgx unsealing
./app -b hash 0     // tests sgx hashing
./app -b hash 1     // tests sgx CMAC

We also add benchmarks to test enclave creation, destruction, encryption, decryption and entry/exit operations.

4) dataset

We also provide the sample log files used in our SGX-Log evaluation under the datasets folder.

Log Verification

The log verification module in SGX-Log allows us to verify an arbitrary set of sealed log messages. To enable log verification, uncomment the following code in App/App.cpp:

printf("\n Resetting B_KEY:\n");
reset_block_key(global_eid);

printf("\n Starting up log server:\n");
startup_phase(global_eid);

printf("\n\n READING SEALED MESSAGES:\n");
ocall_read_sealed_data("sealed-logs/kern.log");
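To make the block-level hash key chain from the Overview and the verification flow above concrete, here is an added illustration of a 2-dimensional (per-message and per-block) key chain with hierarchical verification. It is not SGX-Log's code: the README does not show how SGX-Log derives or evolves its keys, so the construction below is a generic forward-secure one, and HMAC-SHA256 over in-memory keys stands in for the keyed hash the enclave would compute over sealed state. BLOCK_SIZE, the function names and the sample log lines are all constructed for this example.

```python
"""Two-dimensional (block-level) hash key chain for tamper-evident logs.

Added illustration accompanying the SGX-Log README; not the project's code.
SGX-Log evolves keys inside the enclave and seals its state; here HMAC-SHA256
over in-memory keys stands in for that so the example runs without SGX.
"""
import hashlib
import hmac
from typing import List, Tuple

BLOCK_SIZE = 3          # constructed: messages per block, small so the sample spans blocks
ZERO = b"\x00" * 32     # chain start value for the first tag and the first root


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _digest_block(block: List[bytes]) -> bytes:
    # Length-prefix each message so concatenation cannot blur message boundaries.
    return _h(b"".join(len(m).to_bytes(4, "big") + m for m in block))


def _message_key(block_key: bytes) -> bytes:
    # The first per-message key of a block is derived from that block's key.
    return _mac(block_key, b"message-chain")


def build_chain(messages: List[bytes], block_key0: bytes) -> Tuple[List[bytes], List[bytes]]:
    """Log every message and return (tags, roots).

    Message dimension: tags[i] = HMAC(k_i, tags[i-1] || msg_i), then k_{i+1} = H(k_i).
    Block dimension:   roots[j] = HMAC(B_j, roots[j-1] || H(block j)), then B_{j+1} = H(B_j).
    The logger keeps only the current k and B, so a later compromise cannot rewrite earlier entries.
    """
    tags: List[bytes] = []
    roots: List[bytes] = []
    block_key, prev_root, prev_tag = block_key0, ZERO, ZERO
    for start in range(0, len(messages), BLOCK_SIZE):
        block = messages[start:start + BLOCK_SIZE]
        msg_key = _message_key(block_key)
        for msg in block:
            prev_tag = _mac(msg_key, prev_tag + msg)
            tags.append(prev_tag)
            msg_key = _h(msg_key)                  # evolve and forget the old message key
        prev_root = _mac(block_key, prev_root + _digest_block(block))
        roots.append(prev_root)
        block_key = _h(block_key)                  # evolve and forget the old block key
    return tags, roots


def verify(messages, tags, roots, block_key0) -> Tuple[bool, List[int], List[int]]:
    """Hierarchical verification with the verifier's copy of B_0.

    Block roots are checked first (one hash plus one HMAC per block); only a block whose
    root fails is walked message by message. Returns (ok, bad_block_indexes, bad_message_indexes).
    """
    n_blocks = (len(messages) + BLOCK_SIZE - 1) // BLOCK_SIZE
    if len(roots) != n_blocks or len(tags) != len(messages):
        return False, list(range(n_blocks)), []
    bad_blocks: List[int] = []
    bad_msgs: List[int] = []
    block_key, prev_root = block_key0, ZERO
    for j in range(n_blocks):
        start = j * BLOCK_SIZE
        block = messages[start:start + BLOCK_SIZE]
        if not hmac.compare_digest(_mac(block_key, prev_root + _digest_block(block)), roots[j]):
            bad_blocks.append(j)
            # Descend into the message dimension of this block only.
            msg_key = _message_key(block_key)
            prev_tag = tags[start - 1] if start else ZERO
            for i in range(start, start + len(block)):
                if not hmac.compare_digest(_mac(msg_key, prev_tag + messages[i]), tags[i]):
                    bad_msgs.append(i)
                prev_tag = tags[i]                 # continue from the stored tag
                msg_key = _h(msg_key)
        prev_root = roots[j]                       # the stored root links the next block
        block_key = _h(block_key)
    return not bad_blocks, bad_blocks, bad_msgs


def demo() -> Tuple[bool, bool, List[int], List[int]]:
    """Chain constructed sample lines, then verify an intact copy and a modified copy."""
    messages = [  # constructed sample lines, not from the project's dataset
        b"kernel: usb 1-1: new high-speed USB device number 2 using xhci_hcd",
        b"kernel: EXT4-fs (sda1): mounted filesystem with ordered data mode",
        b"sshd[1422]: Accepted publickey for ops from 10.0.0.5 port 51022",
        b"sudo: ops : TTY=pts/0 ; COMMAND=/bin/cat /var/log/kern.log",
        b"kernel: Out of memory: Kill process 2931 (java) score 902",
        b"systemd[1]: Started Session 7 of user ops.",
        b"kernel: audit: type=1400 apparmor=\"DENIED\" operation=\"open\"",
    ]
    block_key0 = _h(b"constructed-seed-B0")        # SGX-Log would hold B_0 sealed; constructed here
    tags, roots = build_chain(messages, block_key0)
    intact_ok, _, _ = verify(messages, tags, roots, block_key0)
    modified = list(messages)
    modified[3] = b"sudo: ops : TTY=pts/0 ; COMMAND=/bin/true"   # one entry altered after logging
    modified_ok, bad_blocks, bad_msgs = verify(modified, tags, roots, block_key0)
    return intact_ok, modified_ok, bad_blocks, bad_msgs


if __name__ == "__main__":
    print(demo())    # (True, False, [1], [3])
```

The hierarchical step is what the Overview calls traversal of key chains: the verifier spends one HMAC per block and only derives the per-message keys for a block whose root does not match, so locating a tampered entry costs a block's worth of message hashes rather than a pass over the whole log. One caveat a verifier must handle separately: trailing blocks removed together with their roots are not detected by the chain alone, so the verifier also has to compare the block count or the final root against trusted state such as the sealed key material that SGX-Log keeps on disk.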

Issues

Error in compilation - Header files

While compiling on Ubuntu 18.04, I am getting this error:

Enclave/Enclave.cpp:34:10: fatal error: cstring: No such file or directory
 #include <cstring>
          ^~~~~~~~~

After changing to string.h, I start getting:

Enclave/Enclave.cpp:170:8: note: did you mean to dereference the pointer?
CXX <= Enclave/Enclave.cpp
Enclave/Edger8rSyntax/Types.cpp:30:10: fatal error: limits: No such file or directory
 #include <limits>

How to resolve this problem?