Let’s pick up from where we left off with the previous article on CordaCon 2020 developer highlights — day one. Take your pick of these exciting talks from the second day of our annual flagship event CordaCon 2020.
Imagine a sealed bid auction in which:
1. User 1 proposes a bid to the enclave (recorded on the ledger).
2. User 2 proposes a bid to the enclave (recorded on the ledger).
3. User 3 (auctioneer) receives the output from the enclave (the winner) and stores it on the ledger.
As a result, User 3 never sees the bids.
Wallets Prototype — Deep Dive — R3 Software Engineer Will Hester
Tuning options for Artemis to control flush/ack frequencies.
p2p message compression.
New sendAll API for sending messages to multiple counterparties.
Thanks for watching the brief developer highlights from day two — stay tuned for more highlights from day three of CordaCon 2020.
Peter Li is a Developer Evangelist at R3, an enterprise blockchain software firm working with a global ecosystem of more than 350 participants across multiple industries from both the private and public sectors to develop on Corda — its open-source blockchain platform, and Corda Enterprise — a commercial version of Corda for enterprise usage.
A new Conclave release finishes off the core feature set you need
Today we’re announcing a new beta release of Conclave, a platform that makes it easy to use secure hardware enclaves with Java. You can use enclaves to:
Solve complex multi-party data problems, by running programs on a computer that prevents the hardware owner from seeing the calculations.
Protect sensitive data from the cloud.
Make your hosted service auditable and trustworthy.
Upgrade privacy on distributed ledger platforms like Corda.
Good use cases might include analytics, auctions, order books, or verifying transactions.
In Conclave Beta 3 we have fleshed out the base feature set available in earlier releases by adding Mail, our communications API, and by integrating support for a new JVM: GraalVM Native Image. You can also now build enclaves on macOS, as well as Linux and Windows when using the Avian JVM.
What are enclaves?
Conclave gives an ordinary Java JAR some new security super powers. It can:
Protect its memory from the owner of the computer where it runs, as well as the host JVM that loaded it.
Prove its identity to third parties over the internet. Loading an enclave gives you a serialisable EnclaveInstanceInfo object that describes its code hash and code signer.
Generate encryption keys that are only accessible to that enclave. Clients can then use the EnclaveInstanceInfo to exchange encrypted messages with the enclave, without the host computer or JVM being able to read them.
You can think of a Conclave enclave as a sub-JVM loaded into the same process as your host JVM. Once loaded, both the host and remote clients can exchange data with it.
By encapsulating the core of your business logic in an enclave you can build perfectly auditable services which anyone can trust. How? If you share the enclave code with them under either an open source or, more commonly, a proprietary audit license then with just one command they can compile a byte-for-byte identical enclave to the one you are using. The code hash of that enclave can then be compared to the code hash in the received EnclaveInstanceInfo to be sure the code they are reading is the code that’s really running. The only party that needs to be trusted is the CPU manufacturer.
Mails are what Conclave calls the encrypted messages you can send to and from an enclave. How mail moves around is up to you — you could use HTTP, plain TCP sockets, message queues, files, embed them in other protocols or anything else you wish. Conclave handles the cryptography and leaves transport up to you.
Mail is designed to solve a variety of different problems that enclaves face:
How to communicate securely with clients, given the host is untrusted.
How to avoid needing an external database, as regular databases are not designed to stop administrators accessing the administered data and enclaves themselves have a weak grip on time.
How to stop the host dropping or re-ordering messages.
How to stop the host snooping by measuring the size of the messages going in and out of the enclave.
And other miscellaneous challenges.
The mail API is simple and presents you with an email-like interface. Behind the scenes Conclave can perform ordering checks, message padding, replay on restart and other
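An added illustration of two of the checks listed above (message padding and ordering), written with the standard Java crypto APIs; it is not Conclave's Mail implementation or API. The class name `MailSketch`, the 256-byte bucket, the wire layout and the pre-shared AES key are all assumptions made for the example.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public class MailSketch {
    static final int BUCKET = 256;  // assumed: plaintexts are padded to a multiple of this
    private long expected = 0;      // receiver state: next sequence number it will accept

    // Nonce = 4 zero bytes + sequence number; safe only while one sender uses the key.
    static Cipher cipher(int mode, SecretKey key, long seq) throws GeneralSecurityException {
        byte[] nonce = ByteBuffer.allocate(12).putInt(0).putLong(seq).array();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(128, nonce));
        c.updateAAD(ByteBuffer.allocate(8).putLong(seq).array()); // bind seq to the auth tag
        return c;
    }

    // Sender: [seq (8 bytes, clear)] + AES-GCM([length (4)] [body] [zero padding]).
    static byte[] seal(SecretKey key, long seq, byte[] body) throws GeneralSecurityException {
        int padded = ((4 + body.length + BUCKET - 1) / BUCKET) * BUCKET;
        byte[] plain = ByteBuffer.allocate(padded).putInt(body.length).put(body).array();
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, key, seq).doFinal(plain);
        return ByteBuffer.allocate(8 + ct.length).putLong(seq).put(ct).array();
    }

    // Receiver: refuses gaps, repeats and re-ordering; a forged seq header fails the tag check.
    byte[] open(SecretKey key, byte[] mail) throws GeneralSecurityException {
        long seq = ByteBuffer.wrap(mail).getLong();
        if (seq != expected) throw new SecurityException("expected mail " + expected + ", got " + seq);
        byte[] ct = Arrays.copyOfRange(mail, 8, mail.length);
        ByteBuffer plain = ByteBuffer.wrap(cipher(Cipher.DECRYPT_MODE, key, seq).doFinal(ct));
        int len = plain.getInt();
        if (len < 0 || len > plain.remaining()) throw new SecurityException("bad length field");
        expected++;
        return Arrays.copyOfRange(plain.array(), 4, 4 + len);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey(); // stands in for a key agreed with the enclave
        byte[] m0 = seal(key, 0, "bid: 100".getBytes(StandardCharsets.UTF_8));
        byte[] m1 = seal(key, 1, "bid: 2500000 plus a long note".getBytes(StandardCharsets.UTF_8));
        System.out.println("wire sizes: " + m0.length + " and " + m1.length);
        MailSketch enclave = new MailSketch();
        try { enclave.open(key, m1); } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        System.out.println(new String(enclave.open(key, m0), StandardCharsets.UTF_8));
    }
}
```

Because both bodies fit in one bucket, the host sees two messages of identical size, and delivering the second before the first is refused without changing the receiver's state.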
In beta 3 we’ve added support for truly cross-platform development. Even though enclaves only run on Linux, you can work on an enclave project on Linux, Windows and macOS. Cross-compilation support means you can compile an enclave either for upload to a server, or to reproduce a remote enclave and audit it, on any OS.
Client code can additionally run on any platform that supports Java. Enclaves can be loaded both into the protected environment and also the host JVM, allowing ordinary and convenient step-through debugging, full white-box unit testing and more. If there’s user demand we may also add support for non-JVM hosts and clients.
GraalVM Native Images
An enclave does not trust the host operating system, so it must carry everything it needs into the protected memory space. The GraalVM Native Image tool is ideally suited for this use case, as it produces small, self-contained and ahead-of-time compiled native code from Java programs. An embedded JVM called SubstrateVM provides runtime services like garbage collection.
That’s why in beta 3 we’ve added support for using native images. The benefits over the alternative runtime are much better performance, reduced memory usage, and no warmup time. However, it comes at the cost of losing support for dynamic bytecode loading and for compiling enclaves on non-Linux platforms. If you want to use frameworks that do this, you will need to continue using the Avian runtime for now. In the long term we plan to phase out the use of Avian, as SubstrateVM gets better.
Using Native Image with Conclave is easy: you just specify that you want it in your Gradle build and the rest is automatic.
Learn how to write an enclave, host and client
Conclave comes with a simple tutorial that takes you through the basics of enclave-oriented development. You write an enclave that simply reverses any strings sent to it, a host that loads the enclave and connects it to a raw TCP socket, and a client that verifies the identity of the enclave and then sends it encrypted strings for reversal.
Along the way you will learn everything you need to build enclave-oriented programs.
Collective Intelligence From Concealed Data
How much do you earn?
Are you underpaid or overpaid relative to your colleagues? Ever wanted to find out? How might you do it?
You could just ask your colleagues what they earn. But you probably won’t be thanked.
I guess you could hack into your firm’s HR systems. But some firms discourage that sort of thing. So, you will probably do what everybody else does and enter your details into Glassdoor.
It turns out companies have the same problem when it comes to accessing vital information about their industry that depends on knowledge of other companies’ confidential data. But their equivalent of Glassdoor is either really expensive or simply doesn’t exist.
For example, securities firms know what stocks and bonds they’ve bought and sold, and for what prices, but what does the whole market look like? They really need to know so they can price competitively and ensure best execution for their clients. But, at the same time, their competitors don’t want them to see their confidential data. So, each firm shares their data confidentially with a market data firm, which then sells back a processed, anonymised dataset to everybody in the market.
You can find this problem everywhere you look in fact: insurers who need to share information about fraudulent claims without breaching confidentiality rules… participants in online auctions who don’t want the auctioneer to exploit knowledge of how much they’ll pay… patients who would like to contribute their records to help fight a disease but who would be devastated if information about their disease became public.
Any situation where you have to give up valuable data in order to receive some broader valuable insight back in return is probably an example of this phenomenon.
And these situations share the same problem that makes them really hard to address:
You can’t trust somebody else’s computer.
The sad reality is that if you send data to somebody else’s computer, you only have their word for what they’ll do with it. Yes… the reassuring little green padlock in your browser can give you confidence about who you’re communicating with. But it says nothing about what they’ll do with your data when you upload it.
The result is that you either don’t send the data at all or you have to introduce a neutral third-party firm into your market to provide the aggregation function that none of you trust any of the others to perform.
This, as we’ve seen, is often expensive and there isn’t always an appropriate body to perform this activity.
But what if…
What if you could be sure what somebody else’s computer will do with your data? You and your customers and competitors could benefit from the collective intelligence that arises when multiple sets of data are brought together… whilst simultaneously being assured that your own data is concealed from everybody else, including whoever is hosting the service.
You wouldn’t even need to worry who hosted the service. If this technology worked as it should, you would learn nothing you weren’t supposed to even if you controlled the physical computer performing the calculations. You could call it “collective intelligence from concealed data”.
In effect, imagine a world where the “green padlock” didn’t tell you who was processing your data, but where it told you what they were doing with it.
It turns out that this technology actually exists!
There are various forms: “homomorphic encryption” is one approach and “trusted execution environments” are another. In this article, I’m focused on the latter.
Indeed, if you’re reading this on a PC, your computer probably has this capability hidden inside it without you even knowing. But you’re probably not using it: the technology has been just too difficult for regular developers to exploit.
Well, that’s about to change.
It will soon be possible for regular software developers to build systems that can, in effect, be remotely audited. Systems where owners of extremely valuable data can independently verify what will happen with their data before they submit it. Many firms are working on variants of this vision and it will be game-changing.
This interests me because I’m CTO of the firm behind one of the most successful blockchain platforms used by businesses today. And “taming” this capability will provide a critical building block for our aspiration to transform entire industries.
To see why, we need to look back to work my team and I kicked off almost five years ago. Our work to bring the power of blockchain architectures to business led to a fundamental insight: the world now possesses the tools, technology, insight and motivation to solve problems that afflict whole markets, not just individual firms. It is now possible to build systems that enable all the firms in an industry to collaborate digitally to an extent previously unimaginable outside some special cases.
The cryptographic, consensus and distributed systems techniques embedded inside the original blockchain platforms pointed the way. And firms, such as R3 and IBM, picked up the baton and built systems like Corda, Hyperledger Fabric and others to bring these concepts into the mainstream. We made it possible to build applications that automated the processes of whole markets. We applied the “What You See Is What I See” property of blockchains to eliminate swathes of complexity and inconsistency between firms.
Bringing firms into sync about data they share in common is only one part of the puzzle, however. As we discussed above, sometimes firms in a market need to collaborate but absolutely must not share their data with each other. They need to be sure that “What You See Is Absolutely NOT What I See”!
This is why the industry has been working, for years now, to master and tame the “trusted execution” – some call it “confidential computing” – technology necessary to make the “collective intelligence from concealed data” vision a reality. You need both approaches, transparency and privacy, in your platform to cover all scenarios.
In my firm’s case, the capability we’re working on to do this is called Conclave. We feel privileged to sit alongside our peers and competitors working in the same field as members of the Confidential Computing Consortium, which is helping drive collaboration between all the firms in this field.
It’s immensely exciting to see the pieces fall into place for what could become a wholesale reimagining of how firms do business with each other.
Making enclaves easy
We are pleased to announce the first beta release of Conclave, our new platform for building secure hardware enclaves in Java.
In this post we’ll look at what Conclave is, take a brief look at how you can use it and then look at the roadmap towards the first production release.
What is Conclave?
Modern CPUs from Intel and others include support for creating enclaves. Enclaves create a tamper-proofed space for programs to execute, so that they can process data without the owner of the physical hardware being able to inspect or interfere with it.
If you can run computations without anyone having access to them, not even people who can open the computer up and modify it, then you have a powerful tool for solving all sorts of business problems. Anywhere collaboration is needed but trust is expensive can benefit from enclave technology.
Unfortunately, enclaves can be tricky to develop. The technology is complex and it’s typical for enclaves to be written in relatively low level, low productivity languages like C or Rust. As such, virtually no line-of-business applications benefit from this technology today, even though they theoretically could.
Conclave brings secure multi-party computation (or ‘confidential computing’) to the business world with three key advantages:
Easily write business logic in any JVM bytecode compatible language like Java, Kotlin and Scala. The JVM eliminates memory management errors that could otherwise undermine the security of the enclave, without needing complex linear type systems.
Designed with Corda in mind, R3’s distributed ledger platform.
Existing approaches to making enclaves require a great deal of expertise in a brand new technology. Conclave makes it easy for any Java developer to get started in less than an hour.
Conclave is the foundation of the SGX support we’re developing to protect Corda transaction histories. By running smart contract logic inside an enclave it becomes possible to build a private and peer to peer yet also completely consistent database.
Beta 1 and the roadmap
Today we’re announcing the availability of the first release in the Conclave beta program. Over the upcoming beta releases the feature set will be fleshed out, usability enhanced and performance upgraded. Some of the things we’re researching include:
A higher level API for encrypted asynchronous messaging. In Beta 1 you must handle message encryption to/from enclaves using the standard Java APIs for it. In future we plan both a standalone API and integration into the Corda flow framework for authenticated, peer-to-peer inter-organizational messaging.
Support for the Intel DCAP/FLC features, which give hardware owners direct control over which enclaves are authorized to run on their systems.
Support for developing enclaves on Windows and macOS without the need for Docker/Linux VMs.
Ability to fully audit the enclave contents via a source sharing license.
Support for storing enclave signing keys in HSMs.
Upgrades to the embedded JVM running inside the enclave.
Even higher level APIs for modeling common business problems, such as a joint computation that occurs once per day with a threshold of participants.
Automated mitigation of side channel attacks, including those that involve the design of your own application logic.
How to join the beta program
Conclave Beta is open to all! It only takes three steps:
Visit https://www.r3.com/conclave-beta/ and accept the license agreement to download the SDK. If you find our ideas intriguing you might also want to subscribe to our newsletter.