Episode 4: Understanding confidential computing & WebAssembly to build secure apps

Nathaniel McCallum is the former CTO and co-founder of Profian and an expert in WebAssembly and confidential computing. This week on The Security Repo, Dwayne McDaniel goes on a deep dive with Nathaniel to understand WebAssembly and how it relates to security, and also peels apart the layers that surround the term confidential computing.

Video Transcript

This is the place that made nerd cool. The most popular password in the United States is password123. Those are some of my previous passwords. Who on Earth would actually fall for that? Sensitive information has been given to the wrong hands.

Dwayne: Hey everybody, welcome to this edition of The Security Repo podcast. I am Dwayne McDaniel, developer advocate here at GitGuardian, and I am very pleased to introduce Nathaniel McCallum, a CTO at Profian, who will be giving us a heads up today on a few different topics. One, the main reason you probably tuned in, was the title of this episode, WebAssembly and building more secure apps, but we'll also be talking a little bit about the history of Profian and some other security topics around that. So with that, would you care to introduce yourself, give us a little bit about your background, Nathaniel?

Nathaniel: Sure, thanks Dwayne. It's really a pleasure for me to be here. So yeah, I come from a very long background in the open source space. I've been doing open source really for 20-plus years. 10 years of that was at Red Hat, where I had many different roles over the 10 years, the last one being the virtualization security architect, and today I'm CTO of Profian. Profian is a startup in the confidential computing and WebAssembly space. We see really the exciting advent of two new technologies that we're trying to combine in a way that's interesting and compelling. Those are confidential computing and WebAssembly. So again, thank you for having me on the show. It's a great pleasure to be here.

Dwayne: Profian, where does that even come from? What does that mean?

Nathaniel: Yeah, it's actually a Middle English word. It's the ancestor of the modern word "proven". So when you've completed your mathematical proof, you might say that it is proven. So Profian comes from the Middle English, which is the ancestor of that word "proven". So the important thing is that everything that we do, we want it to be
mathematically proven, so we want to always be transparent about all the processes that we have. We're a security company, and so transparency is really important to us, and we really want to emphasize the ability of being able to do provable compute, so that you can always know that what you are running is what you would hope to be running.

Dwayne: So even though it's a Middle English word, it sounds French in origin, and well, we're a French company, GitGuardian, who sponsors this podcast, so very interesting.

Nathaniel: Yeah, but you can thank the Normans for that.

Dwayne: Yes, definitely. So there's a lot to dig into here, but for the audience that tuned in, let's start with WebAssembly,

Nathaniel: Sure.

Dwayne: because that's why I think some people are watching this right now. So for those people who are brand new to the subject, let's give it a 10,000-foot view. How would you describe WebAssembly to someone that's just getting started with web development?

Nathaniel: Yeah, absolutely. So WebAssembly is a technology that emerged in the browser, and to be clear, we are not a browser company. We are taking WebAssembly out of the browser. But WebAssembly emerged as a browser technology, and the fundamental problem was that although JavaScript has served us very well over the years, there were specific corner cases where we really needed better performance in the browser. And so WebAssembly was essentially launched, it was first launched I believe in 2015, and it emerged from really two side projects. One was asm.js from Mozilla, and the other was Google Native Client, also called "salt" because it was spelled NaCl, so any of the chemists that are listening will know why it's called salt. And so the Native Client and asm.js were the precursors to WebAssembly, and WebAssembly then emerged in the browser as a standard across all browsers, and it basically allows you, it's a compilation target, so you can take a compiled language like Rust, C, Go, Java, etc., and you can
compile to a WebAssembly artifact, bytecode, WebAssembly bytecode, and then you can deploy it in the browser. There's a lot of interesting things happening with WebAssembly outside of the browser as well, which is, you know, really where we are headed as a company.

Dwayne: What's the adoption footprint look like for this? Do you have any stats on that, like how many developers, what percentage of the web is moving with WebAssembly or moving to a website?

Nathaniel: In terms of the web side, I don't have stats off the top of my head. Like I said, we're focused on the outside-of-the-browser case. But WebAssembly does something really interesting for us as an industry, which is that it gives us an industry-standard bytecode without a huge API surface that we've traditionally had in the past for things like JVM, right, where we had a bytecode but it was tied to a particular vendor, and it also had this massive standard library that everybody had to implement, and so it saw limited traction. You saw companies like, you know, Google of course going and creating the .NET platform as a response to that. WebAssembly for the first time is really giving us just the bytecode, right, just the bytecode runtime, and what does that actually look like, and how can we get really good performance and security out of it. And so that's very usable and redeployable as a tool to lots of different problem sets. So in the browser it's seen tremendous adoption. I know that all browsers today ship with WebAssembly out of the box. Anybody that's doing anything high performance in the browser world today is using WebAssembly for that.

Dwayne: Awesome. It does sound like it solves the same promise the JVM all those years ago promised us, that you could write once, run anywhere,

Nathaniel: Yeah.

Dwayne: but that assumed everyone was going to have a JVM, that assumed everyone was going to set up a Tomcat server, which I don't know if you've ever done that, I haven't done in years, but not trivial.

Nathaniel: Yeah, not trivial.

Dwayne: And I love the
fact that it is agnostic and just across all the browsers. That is again one of the big issues with the JVM in general, is like, which JVM are you talking about, what version of Java are you talking about? I assume WebAssembly is going to hit those same issues eventually.

Nathaniel: Yeah, so WebAssembly is interesting because it's independent in another regard. Not only is it cross-platform, but it's also cross-language, right. When the JVM first came out, Java was really the only language in town that worked for it, and so it was a bytecode that was designed for a very, very specific language, where WebAssembly is not. It is designed for all languages, which is why you have, you know, tons of languages having very good support for WebAssembly these days. That includes not only your standard traditional languages like C and C++, you have newer compiled languages like Rust and Go, of course a lot of people are using these languages these days, but even dynamic languages: Python has official builds for WebAssembly these days, Ruby has official builds, even, you know, TeaVM is one of the Java implementations and you can use that to generate WebAssembly as well. So, you know, it's very, very cross, not only cross-browser but also cross-language.

Dwayne: Well, we are on The Security Repo podcast, so I have to ask, what security issues is WebAssembly addressing? Is it better than the JVM approach? I mean, JVM has a lot of exploits too, like Log4j we saw not too long ago, or Log4Shell, and all the exploits of that. But what issues is WebAssembly trying to solve with security?

Nathaniel: So the initial attempt of WebAssembly was not to create a better security platform, but we do think it is a better security platform, so we'll talk about why. The initial goal was really just to focus on performance. However, there's significant effort being put into what's called the WebAssembly component model. If you Google that you'll find plenty of
resources, and the component model is basically a way to create interoperability across all of the languages that can compile to WebAssembly. So this would allow you, you know, if you're writing one module in Rust and you're writing another module in Python and another module in Java, that they could all be able to talk to each other and have efficient usage of the APIs. And there's some very specific benefits that come out of this. One is this concept of shared-nothing linking. The idea of shared-nothing linking, of course, is that they don't share a memory space, and so a compromise in one module does not lead to compromise for another. This is really great for multi-party compute use cases. So if you have multiple different parties who are contributing code or data to a computation, they can be able to do this computation with a high degree of confidence that even if there's a risk in somebody else's, that it doesn't necessarily lead to a disclosure of their own data, if it's carefully constructed. So that's a very big benefit.

Dwayne: All technology carries some security risk with it. There's some security vulnerabilities pop up no matter what we try to do to be a more secure platform, a more secure world. What, if any, security issues are we seeing emerge around WebAssembly?

Nathaniel: Yeah, we're not seeing a lot of new security issues that are being caused by WebAssembly. I would say, for example, in the browser space the primary concern is that when Spectre and Meltdown happened, of course, in the past, there were certain mitigations that were put in place into JavaScript in order to prevent exploitation of those CPU vulnerabilities, and there was some concern, for example, that WebAssembly would also be able to exploit those. But notice that that's a vulnerability not in WebAssembly but in the actual CPU, and it's not like we don't have more modern CPUs these days. You're welcome to upgrade to the latest. There's also patches and such for the existing CPUs. So WebAssembly
is not really causing any new security issues in that regard.

Dwayne: All right. Well, that's encouraging to hear. We will see what the future holds, though. We can't hold our breath too much for everything to be perfectly secure forever. Black hats, the malicious actors in the world, are always going to try to find an exploit here or there, so we'll be careful watching the CVEs and the MITREs of the world to see what emerges. But if someone wanted to get started with this stuff, they wanted to go down a path of learning WebAssembly, what would be the path you'd send them on? Where would you send them for more information? How would you suggest they get started?

Nathaniel: Yeah, I mean, really Google is the place to go for information, really any search engine. There's tons of stuff out there. The Enarx project, which is what my company backs in the confidential computing space, you know, we have tons of documentation on how to get started. You know, a lot of the platforms that are out there that allow you to do things for WebAssembly outside the browser, they'll have tons of documentation. The big news of course outside the browser is the WebAssembly System Interface, or WASI, project, which is an attempt to actually create a standard system interface for WebAssembly outside of the browser.

Dwayne: Another topic that you mentioned earlier when you were introducing Profian was around confidential computing, and that is an interesting term, especially here being on a security podcast. What does that even mean? What do you mean by confidential computing?

Nathaniel: Yeah, that's a great question. So first of all, I'll say that I'm just here following the definition of the Confidential Computing Consortium. So there's actually a consortium that governs this definition, so I'm not just making this up out of nowhere, and if you want more information please check out the Confidential Computing Consortium. So the
Confidential Computing Consortium and the sub-industry that it represents really represents a new set of technologies that's come in the latest generation of chips. So these are broadly available, for example, in Intel Ice Lake Xeons as well as AMD Milan in the EPYC line, and these allow you to run a computation, right, so you can run an application where the actual pages of that application as they're kept in memory are encrypted by the memory controller using a unique key. This provides several properties. First, it provides confidentiality and integrity of the data that's being run in the application. So if you have sensitive data like healthcare data or financial data or cryptographic keys or any of those kinds of things, right, all of those actually run encrypted in the memory, and even if you get a root-level vulnerability, right, or, you know, ring zero, if you can actually get the highest privilege level on x86 for example, you still can't see into the data and you can't manipulate the data, because it's actually enforced by the hardware. So that's a really big benefit, but it's actually not the biggest benefit. Then the next benefit that you get is the integrity of the code that's running. This is according to the definition. Now Enarx also aims to provide integrity and confidentiality of the code, but what we mean here is that the code that's actually running runs in a way where you can't tamper with it, so you can't at runtime, for example, attach a debugger to it and then change the instructions that actually are executing in that code. The third thing is that it provides, and we provide, attestation. Attestation is a cryptographic proof from a hardware root of trust that the application is running in this kind of environment, and this is what allows you to run a process on one system and then to be able to connect to it in another system and know that it is running in a tamper-resistant environment. And we think attestation is
really the big value point here. If you look, for example, you know, IBM just released the cloud security study, a really great thing, go Google it, it's fantastic, and they, you know, they revealed for example that according to their study the average data breach costs nine million dollars, and many companies have more than one in a single year. We have basically looked at that and we've pointed out that if you look at all of the examples of these big vulnerabilities that have happened, the big data breaches that have happened, that should be more clear, they all have at their center a root cause, which is that people are accessing data in a way that is, and they're successfully completing the authentication and authorization, but they're doing so, you know, because they have keys, so they can spoof another user. What we're not seeing in the industry is we're not seeing a failure of authentication as designed. It is working as designed. But what we have a failure to do is a failure to scope a disclosure of data to a particular operation, and this is precisely the tool that attestation brings to the playbook of everyone out there.

So a little example I like to give here is, if you're a customer and you go to a bank and you say, "Hey, what is the balance of account one two three four?", they're not just going to tell you that information. The first thing they're going to do is they're going to say, "Hey, who are you?", and they want to see some ID first, right. That's your authentication. And then they're going to look and see if you actually own that account and if you're privileged to have that information, and they see that you own the account and therefore they are willing to give you information. They tell you what the balance of that account is. So you've just gone through an authorization and authentication step, but what's interesting is that now that
data is unscoped. They've given you that information, but what you can do with that information is absolutely unlimited. You could tell your friends, you could announce it, you could send it, you know, to a foreign power if you wanted to. So what you can actually do with that data is unscoped, and this is roughly the way that we treat all data systems on the internet today, and this is the thing that fundamentally needs to change if we're going to actually make a significant dent. By the way, the inflation in terms of cost for data breaches right now is, I think it was something like 22 percent over the last two years. So that's the cost of data breaches going up, right. And so this is a pretty fundamental problem, and the way we solve this with attestation is that rather than asking who gets access to the code and then letting them do whatever they want with that, we actually say, what are you going to do with that data? And this is really important, because in computing systems there are no humans directly involved. Even if you're sitting at the computer typing, there's software in between you and that remote party, right. So what we really have is code talking to code, and when we disclose data, we need to ask not who owns that code or who is the host operating that code, but what we really need to be asking is, what do you plan to do with that information? And when we disclose data we want to be able to scope how it's used, and this is the main thing that's actually going to cause a big decrease in security cost in the industry.

Dwayne: There's a lot to unpack there. You said some scary numbers, but to go back to something you said earlier, and that is authentication working as designed for, you know, getting into these systems, that's definitely something we've written about a number of times on our blog, something that's alarming to us. The Toyota breach, oh, the Uber breach, I'm sorry, is the one
that comes to mind most recently, where it looks like they did set things up appropriately. It was a young team that got pushed to get to access, but once they were in, they were in, and at no point did the rest of the system say, "Hey, who are you?" and push back on any of the access keys they found in those PowerShell scripts internally. So that's very relevant for the constant conversation. That nine million dollars, I'd be curious, I'm going to dig into that after this call, actually, after this podcast, dig into where that number, understand that number a little bit better, because that's a very scary number.

Nathaniel: Remember, so that comes from the IBM cloud security study in 2022, so that's the most recent numbers we have. If you Google that you'll find the IBM study. It's a very comprehensive study. You know, there's really some scary things in there. For example, companies who are highly exposed to the cloud, meaning they deploy a lot of things in the cloud, the average cost of their data breach is 68 percent higher than those who are hosting on-prem, right. So these are very, very big numbers, and there's real money that's being lost that could be, you know, redirected towards producing new value.

Dwayne: Well, I'm glad that you're working on this problem, so we can eliminate those kind of fines and those kind of incident costs.

Nathaniel: And it's not just fines and incident costs, right. You mentioned Uber. Well, Uber had another data breach, I think it was 2019, but just in the month of October, the CSO that was over that data breach was actually found criminally liable, right. So not only do we have significant cost increase to all of these data breaches, but we also have a shifting liability landscape where the people who are actually in charge of these systems are going to be found increasingly liable for the data breaches that occur under their operation.

Dwayne: Wow, yeah, that's another
terrifying reason. But to go back and, like, boil it up a little bit higher, because again you said a lot there when we started talking, it's obviously a subject you're passionate about, around confidential computing. But it sounds kind of like that missing component, because we've talked about securing data in flight a lot and we've talked about securing data at rest a lot, and I think most people would think, all right, yeah, I've got the database encrypted and we're good there, and I got the white pipelines, my actual, the pipes, or were smart enough now to not but read out of the temporary file and just redirect from the application if we're writing pipes, or most developers are there. But yeah, it's interesting, that's not something I think of day to day, is like the actual data in use and pulling it out from there. But wow, challenging.

Nathaniel: Yeah, this is precisely what confidential computing is about, right. So we talk about encrypting data at rest and we talk about encrypting it in transit, but the missing gap is this data-in-use question, right. And this is why, for example, although encryption of data at rest is effectively a solved problem in the industry, what's not solved is the key management around it. For example, 17 percent of data disclosures happen just simply due to misconfiguration, right. So the fact that you can just misconfigure these things, because you've basically been given a pile of tools and it's your job to, like, cobble them together in some Rube Goldberg machine that is hopefully going to work, when you're done is going to be secure, you can't succeed in that kind of environment, right. You need a tool that basically integrates all of those things so that everything's encrypted while it's in use, and out of that comes the properties of being encrypted in transit and at rest. And this is precisely what the Enarx open source platform intends to do, is to shore all of this up. So let me tell you a little bit about
what Enarx actually is and what it does. So the Enarx platform, by the way, you can find out more about Enarx at enarx.dev, that's E-N-A-R-X dot dev. Enarx is an application deployment platform. We deploy WebAssembly applications into the cloud, and we do this using confidential computing, so that your data is encrypted in use, in transit and at rest. There's no configuration to make that secure, right. There's no double-dash "make it secure" option. You can't get it wrong, is the important thing we're driving at here. And so basically the entire time your application is running it's encrypted in use, encrypted when it's writing to disk, or encrypted when it's writing to the network as well. Most importantly, we also handle all the attestation for you, so you can be able to basically generate a key pair, you can get a certificate for that, and that certificate guarantees that the application you're speaking to remotely is in fact running in what we call a Keep, which is the trusted execution environment. And so that's essentially the platform that we're offering. Everything's open source. The Enarx platform is licensed under Apache 2.0. So yeah, come try it out. You can go to try.enarx.dev and you can literally launch and run your own applications. Cost you nothing. You can be up and running in a few minutes and start experimenting. You don't need any special access to hardware. Through that everything will just work out of the box. So that's try dot Enarx, that's E-N-A-R-X, dot dev.

Dwayne: Well, we will link that down below. Excellent. Well, just looking at time here, don't take up your whole day, but if there's any other articles, blog posts, anything else you would recommend, how people can learn more about confidential computing or WebAssembly, where would you send them?

Nathaniel: Yeah, absolutely, check out the enarx.dev website. We've got a lot of information there about how you can get started with WebAssembly outside of the
browser. A lot of the same compiler toolchain information is shareable both inside and outside of the browser, but we have got a lot of information there. If you want to know more about the WebAssembly System Interface, this is the set of syscalls essentially that allow you to interact with the system, you can Google for WASI, that's W-A-S-I, and that's a W3C effort. You can find more information there. As I mentioned before, information about the WebAssembly component model, you can Google those terms as well. You'll find the effort in the W3C there as well. And yeah, the other thing is, come talk with us at the Enarx project. We'd love to hear your feedback. chat.enarx.dev will get you to the right place. So really easy to get a hold of us, and we're happy to help you in any way we can.

Dwayne: Well, that's excellent. That's awesome there's a community around it and somewhere where people can actually go talk to someone knowledgeable.

Nathaniel: Yeah.

Dwayne: That's how we learn and grow, which is awesome. Nathaniel, thank you so much for being on The Security Repo podcast. Again, I've been Dwayne, this has been Nathaniel, and if you have any questions, Nathaniel can be reached over there in the chat.enarx.dev community to follow up with you, he and his team. So thank you very much.

Nathaniel: Great, thanks Dwayne.