search

brave / nitriding

Tool kit for building networked services on top of AWS Nitro Enclaves.
https://arxiv.org/abs/2206.04123
Mozilla Public License 2.0
19 stars 10 forks source link

Verify that EC2 host cannot affect enclave's clock #13

Closed NullHypothesis closed 2 years ago

NullHypothesis commented 2 years ago

According to https://github.com/aws/aws-nitro-enclaves-nsm-api/issues/15, an enclave's clock is automatically synced to the KVM clock. Still, we should probably verify that the EC2 host cannot affect the enclave's clock because that can cause various security problems.

rillian commented 2 years ago

Calling sudo date --set 'DATESTRING' on the host appears to have no effect on the output of date in the enclave. Any more sophisticated avenues to try?

I'm not sure how to test the synchronization part other than leaving an enclave running for a few weeks and monitoring for clock drift.

NullHypothesis commented 2 years ago

Calling sudo date --set 'DATESTRING' on the host appears to have no effect on the output of date in the enclave. Any more sophisticated avenues to try?

Thanks for testing this! I can't think of anything else to try.

I'm not sure how to test the synchronization part other than leaving an enclave running for a few weeks and monitoring for clock drift.

I don't expect this to be a problem but let's revisit this conversation if it's going to be one. In the meanwhile, I'm going to close this ticket.