SERECA - Secure Enclaves for REactive Cloud Applications

What user need or pain point is your project addressing?

Users want to have security, but they do not want to trust the cloud provider, nor the system administrator.

The Secure Enclaves for REactive Cloud Applications (SERECA) project targets two types of users/organizations: those wishing to move their mission-critical applications and their data to a Cloud infrastructure but do not trust the security of cloud-hosted applications and those who already use modern web applications hosted by cloud providers but the security solutions available to them do not provide adequate performance for latency sensitive.

An example is the case of a Critical Infrastructure that monitor key parameters of a dam for water supply. They would like to migrate to a cloud platform because this new technology can offer them many well-known benefits. However, they fear the integration between the cloud and the set of Industrial Control Systems (ICS) due to the security concerns.

Project's major results: 

The SERECA project aims at protecting cloud applications through secure enclaves, a new feature that is/will be provided by commodity CPU hardware from major vendors (namely: ARM and Intel). Secure enclaves provide security without relying on public cloud operators. In this way, the integrity and the confidentiality of the applications can be guaranteed against attacks coming from: employees of the cloud provider, other tenants, and hackers with physical access to the platform.

Target stakeholders: 

Small & medium enterprises

Project Start: 
Project End: 

How will your solution/service benefit the end-user?

By exploiting new hardware features of commercial CPUs, SERECA will enable users to deploy applications on the cloud, without having to trust the cloud provider, nor the system administrator.

At the end of the project we will have developed the SERECA secure cloud platform. We will develop the idea of a secure enclave into which applications can be deployed without having to rely on the questionable security mechanisms provided by cloud operators. SERECA aims to provide technical innovations that simultaneously establish sufficient trust and performance in cloud deployments through the secure connection of application components executing on secure commodity CPUs. The result is the secure distributed enclave, a novel technology that shifts the burden of trust from today’s cumbersome and vulnerable multi-million-line software cloud stack to a small execution environment, exploiting the features of a commodity trusted hardware platform.

This new approach will provide an attractive and scalable solution for cloud application hosting. We will extend the new innovative approach of secure CPU hardware in commodity processors known as secure enclaves (as ARM TrustZone, Intel SGX) and the vert.x reactive framework in order to make an execution of distributed reactive applications inside those enclaves possible. In conclusion, thanks to our innovative solution a user can execute reactive application and be sure that his data won't be touched by anyone, not even by malicious administrators.

Potential exploitation strategy: 
The SERECA project has identified the following exploitable outputs. 
RiskBuster pilot application - This application will execute on top of the SERECA platform to monitor in a secure manner multiple assets of a civil water supply network. Many sensors distributed on a dam will provide sensitive data that need to be handled carefully by the application. An initial version of RiskBuster is already available. It shows the communication among the different entities involved (vert.x, intel SGX,…), the dependencies on the underlying SERECA platform, and how data is securely stored in the SERECA platform.
Illuminate pilot application - Illuminate (formerly known as jPDM) is an Application Performance Management (APM) solution which is delivered to clients via Software as a Service (SaaS) by one of the project partner (jClarity JC).  A primary goal is to increase the level of security of Illuminate (hosted on cloud providers) by adding in a secure component based on the SERECA cloud platform, which would allow Illuminate to store, retrieve and process sensitive data used in the service. A secondary goal is to allow the Illuminate service to be hosted on multiple cloud providers in a secure manner. The initial prototype will demonstrate how the secure communication among different providers is carried out.
More exploitable outputs might be identified later in the project lifetime, based on an analysis of potential joint exploitation initiatives.

Vertical Market: