Cloud computing is a recent model for provisioning commodity hardware with a preinstalled software environment to run a custom software executable, where the provider of the commodity environment has enormous latitude for its provisioning. The term is new and its definition still coalescing, but the provider controls the hardware and software stack. Cloud computing subverts the longstanding tenet that the computing environment is largely trusted, whereas application software is untrustworthy. From the perspective of a custom application running in the cloud, trust in the environment is misplaced, because security guarantees are puny and expensive, and trust is difficult or impossible to enforce and validate.
Very little help in support of a healthy general presumption of mutual distrust between application code and the cloud environment is available. This paper provides a proof-of-concept implementation enabling mutual distrust between a general-purpose, user-level application and its operating environment, even when the user application is written without particular care to validate and enforce trust. This remarkable goal is achieved by embracing and sensibly extending the newly available Intel Software Guard Extensions (SGX) instructions and specification.
Originally, SGX enabled only parts of an application written to take advantage of this feature some degree of execution trust guaranteed by the hardware itself. SGX has limitations precluding the extension of trust to an entire application; for instance, SGX does not allow trust when processing interrupts. Haven succeeded in defining and implementing shielded execution for an entire, unmodified legacy application affording mutual distrust in a working prototype running Microsoft SQL Server and an Apache Web Server. This brilliant accomplishment could be celebrated as a harbinger of trust in the increasingly pervasive cloud computing model.