Community Research and Development Information Service - CORDIS


SERECA Report Summary

Project ID: 645011
Funded under: H2020-EU.

Periodic Reporting for period 1 - SERECA (Secure Enclaves for REactive Cloud Applications)

Reporting period: 2015-03-01 to 2016-08-31

Summary of the context and overall objectives of the project

Cloud security is of immediate concern to organisations that must comply with strict confidentiality and integrity policies. More broadly, security has emerged as a commercial imperative for cloud computing across a wide range of markets. The lack of adequate security guarantees is becoming the primary barrier to the broad adoption of cloud computing.

The Secure Enclaves for REactive Cloud Applications (SERECA) project aims to remove technical impediments to secure cloud computing, and thereby encourage greater uptake of cost-effective and innovative cloud solutions in Europe. It proposes to develop secure enclaves, a new technique that exploits secure commodity CPU hardware for cloud deployments, empowering applications to ensure their own security without relying on public cloud operators. Secure enclaves additionally support regulatory-compliant data localisation by allowing applications to securely span multiple cloud data centres.

SERECA is validating its results through the development of two innovative and challenging industry-led use cases: (i) monitoring a civil water supply network and (ii) a software-as-a-service application to analyze the performance of cloud applications.

Security has emerged as a commercial imperative for cloud computing across a wide range of markets. In the early days, cloud providers could compete solely on the capacity and flexibility of their services. With these services now reaching commodity pricing levels, the Secure Enclaves for REactive Cloud Applications (SERECA) project aims to remove technical impediments to secure cloud computing, and thereby encourage and enable greater uptake of cost-effective, environmentally friendly, and innovative cloud solutions throughout Europe.

The innovations we envision are challenging to attain, but if successful will help place Europe at the forefront of secure cloud operations. Concretely, we distil our goals for the project into the following four objectives:
1. Substantially improve the state-of-the-art in cloud security for interactive, latency-sensitive applications by developing innovative and effective mechanisms to enforce data integrity, availability, confidentiality, and localisation based on secure CPU hardware.
2. Seamlessly integrate the new security features into the standard cloud stack and its expected characteristics of scalability, elasticity, and availability so as to encourage easy application migration to the cloud without compromising application responsiveness or complicating application management.
3. Convincingly validate and demonstrate the benefits of our approach by applying it to realistic and demanding industrial use cases.
4. Widely promote and disseminate the innovative outcomes of the project by influencing the standards and best practices that will lead to broad adoption by European industry.

Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far

The project spans four technical work packages. We summarize them and the main results in the following paragraphs:

In Work Package 1 we are investigating two technologies to provide cloud applications with a secure execution environment. The primary focus is on Intel Software Guard Extensions (SGX), with ARM TrustZone as a backup solution in case SGX were delayed. We succeeded in creating a custom toolchain to run existing applications on SGX. By running the application on SGX, the application’s data is protected against manipulation and eavesdropping – even from attackers with access to the hardware. We are currently able to run web servers (Apache, NGINX) and data stores (Memcached, Redis) securely on an otherwise untrusted cloud infrastructure.

In Work Package 2 we are extending the Vert.x framework with secure communication channels. Also, because modern applications span multiple servers, they require coordination. For example, they have to find each other and store small amounts of information consistently. To this end, we developed a secure coordination service that protects data confidentiality.

In Work Package 3 we are building a set of reusable services that form the foundation of our use case applications. The services make it possible to store data securely, recover securely after a failure, and control the placement of data within geographic boundaries. The latter is important for abiding by regulatory requirements where data must stay within, e.g., a certain jurisdiction.

In Work Package 4 we are developing two use case applications to showcase the SERECA platform. As our first use case, we re-engineer an existing version of a water supply monitoring system to run it securely in the cloud. Our second use case is a performance monitoring system. Here, sensitive performance data is collected and evaluated in a cloud-based system. The SERECA platform protects the integrity and confidentiality of data in both cases.

Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far)

SERECA has already, after only 18 months, extended the state of the art by running legacy Linux applications on top of Intel’s Software Guard Extensions (SGX). Executing unmodified legacy Linux applications securely and with minimal effort was impossible prior to SERECA. We will continue to improve the usability of secure application execution by integrating it with the container engine Docker. This will maximize our impact, as Docker is the most popular container engine. Existing Docker users will be able to run secure versions of their programs easily, using a familiar interface and workflow.

With our industrial use cases, we will demonstrate that the SERECA platform supports complex applications consisting of multiple components.

Record Number: 195170 / Last updated on: 2017-02-22