Google Git
Sign in
chromium/external/github.com/project-oak/oak/refs/heads/upstream/tzn_ent_upload
commit
44999370bbee4a24b1afb6b66de0666998ec1b34
[log]
author
Tiziano Santoro <[email protected]>
Tue Apr 12 22:19:12 2022
committer
Tiziano Santoro <[email protected]>
Thu Apr 14 13:29:29 2022
tree
da793837342c10dc35edc9614a878b19192f1b8d
parent
bd071bad6822ec83d7b27a4abd0c2ee78a4d8915 [diff]
Upload binaries to Ent
1 file changed
tree: da793837342c10dc35edc9614a878b19192f1b8d
  1. .cargo/
  2. .github/
  3. chrome_extension/
  4. docs/
  5. experimental/
  6. grpc_unary_attestation/
  7. kokoro/
  8. oak_functions/
  9. oak_idl/
  10. oak_services/
  11. oak_utils/
  12. remote_attestation/
  13. rfcs/
  14. scripts/
  15. third_party/
  16. toolchain/
  17. xtask/
  18. .bazelrc
  19. .clang-format
  20. .codecov.yml
  21. .devcontainer.json
  22. .dockerignore
  23. .gitignore
  24. .hadolint.yaml
  25. .markdownlint.yaml
  26. .prettierrc.yaml
  27. .rustfmt.toml
  28. .tsan_suppress
  29. .xtask_bash_completion
  30. android.Dockerfile
  31. arm64v8.Dockerfile
  32. AUTHORS
  33. BUILD
  34. Cargo.lock
  35. Cargo.toml
  36. cloudbuild.yaml
  37. deny.toml
  38. Dockerfile
  39. FORCE_CI
  40. LICENSE
  41. README.md
  42. WORKSPACE
README.md

Project Oak

Build Status codecov Docs Slack Mailing list

The goal of Project Oak is to create a specification and a reference implementation for the secure transfer, storage and processing of data.

In present computing platforms (including virtualized, and cloud platforms), data may be encrypted at rest and in transit, but they are exposed to any part of the system that needs to process them. Even if the application is securely designed and data are encrypted, the operating system kernel (and any component with privileged access to the machine that handles the data) has unrestricted access to the machine hardware resources, and can leverage that to bypass any security mechanism on the machine itself and extract secret keys and data.

Oak Functions is a server binary that exposes an API (over gRPC / HTTP) that allows clients to send data, and the server to execute untrusted business logic code over client-provided data in a controlled way, enforcing strong privacy guarantess about its execution.

In order for these guarantees to be transferred to remote clients, Oak Functions is expected to be run in a Trusted Execution Environment (TEE), so that clients can perform Remote Attestation in order to establish that a legitimate version of the Oak trusted runtime is indeed running server side, before actually sending any data to it.

Further information is included in the following documents:

  • Oak Development covers practical steps for getting a development Oak system up and running.
  • Oak Functions presents our computing platform for developing stateless applications in a privacy preserving way.

Parties involved

  • Oak Trusted Runtime Authors: The authors of the code in this repository; mostly this corresponds to the Project Oak team, but also any contributors, and, by extension, the authors of third party dependencies used in Oak.
  • TEE Manufacturer: The entity in charge of manufacturing the CPU or System on a Chip (SoC) supporting the TEE, including hardware, software, and cryptographic keys.
  • Platform Provider: The entity in charge of maintaining and running the combined hardware and software stack surrounding the TEE, for instance a cloud provider; this includes their software, hardware, and employees.
  • Untrusted Business Logic Authors: The authors of the untrusted business logic, compiled to Wasm, that is executed by the Oak Functions Runtime.

Threat Model

  • untrusted:
    • most hardware (memory, disk, motherboard, network card, external devices)
    • Operating System (kernel, drivers, libraries, applications)
    • Platform Provider
    • Untrusted Business Logic Authors
  • trusted-but-verifiable:
  • trusted:
    • TEE Manufacturer
  • partly or conditionally trusted:
    • end users

Side channels are out of scope for Project Oak software implementation. While we acknowledge that most existing TEEs have compromises and may be vulnerable to various kinds of attacks (and therefore we do need resistance to side channels) we leave their resolution to the respective TEE Manufacturers and other researchers.

End users are considered “partly trusted” in that we assume that when two users exchange data, there is a pre-existing basic trust relationship between them; in particular we assume that the recipient of the data is not going to intentionally circumvent robust protection mechanisms on their device in order to extract the received data.

Getting involved

We welcome contributors! To join our community, we recommend joining the mailing list and the slack.