The recent integration of networking services in WASI opens new doors of possibilities and prospects one can accomplish using WebAssembly. Enarx uses Wasmtime as a WebAssembly runtime to run the workload. To demonstrate the power of networking in Confidential Computing with the help of Enarx, I am going to demonstrate a simple TCP echo server but with a slight twist. The TCP server listens to the client, but echoes back the normal data along with the ROT-13ed version of data. One doesn’t need to don the proverbial Sherlock hat to understand the direct benefits of networking in a TEE. With the help of Enarx, we can network securely even on a untrusted system.
Although simple in implementation, this ROT-13 networking demo could be the basis of a encryption/decryption service running in a Trusted Execution Environment.
Here's my video explaining the same, which was presented at the OC3 conference 2022.
The following points surmise whats happening in the demo :
- We run the TCP server in an Enarx keep.
- We connect to the server using the
ncatcommand. - We send the data to server and server echoes back the data along with the ROT13ed version of data.
The piece of code encrypting the data with ROT-13 cipher is :
if bytes_read != 0 {
let received_data = &received_data[..bytes_read];
let s = String::from_utf8_lossy(received_data);
if let Ok(str_buf) = from_utf8(received_data) {
let mut coded_string = String::from("");
for c in s.chars(){
let charcode = c as u32;
if c.is_lowercase(){
let a_code = 'a' as u32;
let rotcode = ((charcode - a_code +13)%26) + a_code;
coded_string.push(char::from_u32(rotcode).unwrap());
}
else if c.is_uppercase(){
let a_code = 'A' as u32;
let rotcode = ((charcode - a_code + 13)%26) + a_code;
coded_string.push(char::from_u32(rotcode).unwrap());
}
else{
coded_string.push(c);
}
}
println!("Received encrypted data: {}", str_buf);
println!("Decrypted received data: {}", coded_string);
The original TCP server demo’s code can be found here.
Let me explain the code to you.
We first check whether we received any bytes or not. Then, we convert the bytes to a dynamically allocated String in Rust using String::from_utf8_lossy. String::from_utf8_lossy turns invalid UTF-8 bytes to �. We also need a mutable String to store our ROT-13ed data, and we call it coded_string.
We iterate over each character of our String s which contains all the data sent by the client, so that we can rotate the alphabets by 13 places. To achieve that, we need to convert the characters into their ASCII key code, add 13 to it, convert it back to characters, and then push it to the coded_string.
The ASCII code for a is 097, while the ASCII code for A is 065, that’s why we take 2 different conditions to encrypt our data correctly, if c.is_lowercase() and else if c.is_uppercase(), respectively. An astute reader must have observed that there’s a 3rd condition, an else condition in the code. That condition is there to ensure that any other character of the received data, which is not an alphabet, is still appended to our coded_string. We only encrypt the alphabets in ROT-13 cipher, not the numbers or any other characters.
As a last step, we print the received data from client, and the ROT13 version of the data.
At last, we don’t need to worry about networking on an untrusted system, simply run your workload in Enarx. Hypervisor got infected? No issues. Firmware libraries tampered with? No worries. Operating system compromised? No problem. Take charge of your data, keep it confidential, come what may.
Hope you found this informative.
Best,
Moksh Pathak
Top comments (0)