{"id":13641614,"url":"https://github.com/fkirc/secure-network-interface-with-sgx","last_synced_at":"2025-07-27T08:32:24.219Z","repository":{"id":113992995,"uuid":"192506878","full_name":"fkirc/secure-network-interface-with-sgx","owner":"fkirc","description":"Protecting local networks via a TEE, providing security similar to a hardware firewall","archived":false,"fork":false,"pushed_at":"2020-11-01T09:29:39.000Z","size":1997,"stargazers_count":6,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-11-09T12:38:51.701Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fkirc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":"support_lib/interface_connector.c","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-06-18T09:17:16.000Z","updated_at":"2024-10-23T19:20:48.000Z","dependencies_parsed_at":null,"dependency_job_id":"ee9237e3-96d8-4087-8c23-cceca62dbabc","html_url":"https://github.com/fkirc/secure-network-interface-with-sgx","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fkirc%2Fsecure-network-interface-with-sgx","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fkirc%2Fsecure-network-interface-with-sgx/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fkirc%2Fsecure-network-interface-with-sgx/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fkirc%
2Fsecure-network-interface-with-sgx/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fkirc","download_url":"https://codeload.github.com/fkirc/secure-network-interface-with-sgx/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227782277,"owners_count":17819241,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T01:01:22.299Z","updated_at":"2024-12-02T18:43:49.094Z","avatar_url":"https://github.com/fkirc.png","language":"C","funding_links":[],"categories":["Network"],"sub_categories":["Library OSes and SDKs"],"readme":"# Secure Network Interface with SGX\n\n\nThis repo provides network security functionality within an Intel SGX enclave.\nThe [documentation](doc/main.md) provides a short overview of the functionality.\nMy [master thesis](thesis.pdf) contains technical details and background information.\n_________________________________________________________________________\n**Build Setup (Simulation Mode):**\n\n\u003e :warning: **Warning**: The build-instructions in this repo might be outdated. Please do not rely on those build-instructions and refer to official Intel-instructions instead. 
This has only been tested with Ubuntu 18.04.\n\nInstall the packages:    \n`make cmake git g++ cppcheck`    \n`ocaml ocamlbuild automake autoconf libtool wget python libssl-dev`    \n    \nDownload, build and install the linux-sgx sdk:    \n`git clone https://github.com/intel/linux-sgx.git`    \n`cd linux-sgx`    \n`./download_prebuilt.sh`    \n`make sdk`    \n`cd linux/installer/bin`    \n`./build-installpkg.sh sdk`    \n`./sgx_linux_x64_sdk_XXX.bin # install in \"~\" when asked`\n    \nBuild and run the tests:\n\n`./run_tests_locally.sh SIM`\n\n_________________________________________________________________________\n**Build Setup (Hardware Mode):**\n\nPlease complete the simulation mode instructions before setting up the hardware mode.\nHardware mode works only on SGX-supported platforms.\n\nConfigure your system to `SGX enabled`. You might need to enable SGX within your BIOS settings.\n\nBuild and install the SGX Driver according to the instructions in\n`https://github.com/intel/linux-sgx-driver`.    \nAfterwards, check whether the SGX Driver is running:\n`lsmod | grep isgx`\n\nInstall the packages:    \n`libprotobuf-dev protobuf-compiler libcurl4-openssl-dev`\n\nBuild and install the SGX Platform Service:   \n`cd linux-sgx`   \n`make`   \n`cd linux/installer/bin`   \n`./build-installpkg.sh psw`   \n`sudo ./sgx_linux_x64_psw_XXX.bin`   \n\nBuild and run the tests:\n\n`git clean -xfd # cleanup for a fresh build`    \n`./run_tests_locally.sh HW`    \n\n\n_________________________________________________________________________\n**Future work:**\n\nImplementing those protocol validations in C is a bad idea with respect to security.\nThe choice of the C Programming Language was only made because the Rust-SGX-support was still in its early stages at the time of writing.\nTherefore, I strongly recommend that future TEE implementations use a secure language from the beginning (e.g. 
Rust, Go, Kotlin).\n\nMore generally, given today's knowledge and research advancements, the usage of C for security-critical systems is a huge mistake.\nUnfortunately, this is the security-world that we have in 2020. Large systems like the Linux-kernel cannot be rewritten at once, but they need to be rewritten in a gradual manner.\n\nNevertheless, the usage of C can still be acceptable for *safety-critical* systems.\nIn this context, please be careful to correctly distinguish between security-critical systems (e.g. a parsing-library) and safety-critical systems (e.g. a flight control computer).\n\n\n\n_________________________________________________________________________\n**Limitations of SGX:**\n\nCurrently, SGX cannot directly access any external hardware.\nTherefore, it is necessary to establish a cryptographic channel to securely communicate between an SGX enclave and external hardware.\nIn this work, we used a \"MACSec gateway\" for this cryptographic channel.\nOther TEEs can be configured to avoid this issue altogether (e.g. ARM TrustZone).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffkirc%2Fsecure-network-interface-with-sgx","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffkirc%2Fsecure-network-interface-with-sgx","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffkirc%2Fsecure-network-interface-with-sgx/lists"}