Mystikos is a set of tools for running applications in a hardware trusted execution environment (TEE)

Overview

Mystikos

Mystikos is a set of tools for running applications in a hardware trusted execution environment (TEE). The current release supports Intel ® SGX while other TEEs may be supported in future releases. Linux is also a supported target, though only suitable for testing purposes as it provides no additional protection.

Goals

  • Enable protection of application code and data while in memory through the use of HW TEEs. This should be combined with proper key management, attestation and hardware roots of trust, and encryption of data at rest and in transit to protect against other threats which are out of scope for this project.
  • Lift and shift applications, either native or containerized, into TEEs with little or no modification.
  • Allow users and application developers control over the makeup of the trusted computing base (TCB), ensuring that all components running inside the TEE are open source.
  • Simplify re-targeting to other TEE architectures through a plugin architecture.

Architecture

Mystikos consists of the following components:

  • a C-runtime based on musl libc
  • a "lib-os like" kernel
  • the kernel-target interface (TCALL)
  • a command-line interface
  • some related utilities

Today, two target implementations are provided:

  • The SGX target (based on the Open Enclave SDK)
  • The Linux target (for verification on non-SGX platforms)

The minimalist kernel of Mystikos manages essential computing resources inside the TEE, such as CPU/threads, memory, files, networks, etc. It handles most of the syscalls that a normal operating system would handle (with limits). Many syscalls are handled directly by the kernel while others are delegated to the target.

Installation Guide

From Binaries

You can download the latest binary release from our builds page

TODO: Include installation instructions.

From Source

You may also build Mystikos from source. In our experience, this takes about 20 minutes.

NOTE that Mystikos can only be built on Ubuntu 18.04 due to current limitations in Open Enclave SDK.

Quick Start Docs

Eager to get started with Mystikos? We've prepared a few guides, starting from a simple "hello world" C program and increasing in complexity, including demonstrations of DotNet and Python/NumPy.

Give it a try and let us know what you think!

Simple Applications

  • A Simple "Hello World" in C: click here
  • Packaging your "Hello World" app in Docker: click here
  • Introducing Enclave Configuration with a DotNet program: click here
  • Running Python & NumPy for complex calculations: click here

Enclave Aware Applications

Sometimes, you want to take advantage of specific properties of the Trusted Execution Environment, such as attestation. The following example shows how to write a C program which changes its behaviour when it detects that it has been securely launched inside an SGX enclave.

  • Getting started with a TEE-aware program: click here

More Docs!

We've got plans for a lot more documentation as the project grows, and we'd love your feedback and contributions, too.

  • Key features of Mystikos: click here
  • Deep dive into Mystikos architecture: [coming soon]
  • How to implement support for a new TEE: [coming soon]
  • Multi-processing and multi-threading in Mystikos and limitations: [coming soon]

Developer Docs

Looking for information to help you with your first PR? You've found the right section.

  • Developer's jump start guide: click here
  • Signing and packaging applications with Mystikos: click here
  • Release management: click here
  • Notable unsupported kernel features and syscalls: [coming soon]

For more information, see the Contributing Guide.

Licensing

This project is released under the MIT License.

Reporting a Vulnerability

Please DO NOT open vulnerability reports directly on GitHub.

Security issues and bugs should be reported privately via email to the Microsoft Security Response Center (MSRC) at [email protected]. You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

Code of Conduct

This project has adopted the Microsoft Code of Conduct. All participants are expected to abide by these basic tenets to ensure that the community is a welcoming place for everyone.

Comments
  • Adapting attested_tls example

    Adapting attested_tls example

    Hi guys!

    This time I am trying to adapt the attested_tls example into my application, but I continue getting this error: OE

    === _verify_identity() isvprodid = 1, isvsvn=1
    
     failed! tlssrv_accept returned -29312
    
    Host: setup_tls_server failed with ecall return val: -29312
    Host:  oe_enclave app exited successfully 
    

    Client

    OE enclave identity verified successfully!
    Client: attestation certificate verified.
    tlscli_connect failed!
    INFO [11-15|15:43:55.917] server: failed to establish channel
    

    Do you have any idea about what's happening there?

    severity/moderate 
    opened by stdevMac 26
  • App not show any log in the output

    App not show any log in the output

    When I run my app outside, no matter if it breaks or success should show me some output, but when I try to run it inside sgx or using exec-linux, I don't get any output, no error, no log, nothing.

    I build my app using this as an example https://github.com/deislabs/mystikos/blob/main/doc/user-getting-started-docker-c++.md

    This example runs as expected, but my app no, is there any command or something I could do to see the logs of my app? maybe is a dep not found or something like that, but don't show the errors, just end the process.

    Thanks in advance! Amazing work you are doing here guys!

    opened by stdevMac 21
  • Nodejs: web server sample stuck in a epoll_wait loop

    Nodejs: web server sample stuck in a epoll_wait loop

    Hello,

    I am trying to build a confidential app using Nodejs and Mystikos. I am not able to run even a simple Nodejs app. This is my Nodejs file:

    const http = require('http');
    
    const hostname = '127.0.0.1';
    const port = 3000;
    
    const server = http.createServer((req, res) => {
    res.statusCode = 200;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Hello World');
    });
    
    server.listen(port, hostname, () => {
    console.log(`Server running at http://${hostname}:${port}/`);
    });
    
    

    and this is my Dockerfile:

    FROM node:11-alpine
    
    WORKDIR /app
    COPY app.js /app/app.js
    

    These are the instructions I am using to run it with Mystikos:

    myst-appbuilder Dockerfile
    myst mkcpio appdir rootfs
    myst exec-linux rootfs /usr/local/bin/node /app/app.js
    
    

    I see this error message:

    Segmentation fault (core dumped)

    Would appreciate any pointers on how to debug this further.

    enhancement status/triaged area/kernel severity/moderate 
    opened by rads-1996 16
  • Memcached Sample

    Memcached Sample

    solution to run Memcached in mystikos. Will test Memcached CRUD operations. dependent issues:

    • syscall prlimit: issue https://github.com/deislabs/mystikos/issues/22
    • syscall prctl: issue https://github.com/deislabs/mystikos/issues/21
    • userid issue: issue https://github.com/deislabs/mystikos/issues/20
    • epoll issue: https://github.com/deislabs/mystikos/issues/234
    • Issue https://github.com/deislabs/mystikos/issues/318
    opened by praenubilus 13
  • Run make clean after running tests in pipeline

    Run make clean after running tests in pipeline

    Run make clean after tests in pipeline, also re-enable Pytorch solution

    This commit passes nightly pipeline https://openenclave.visualstudio.com/ACC-Services/_build/results?buildId=10818&view=logs&j=ab477ad6-9781-5b54-82ca-a0141b26726e&t=2d9b6f4f-266f-5cad-a875-41dc232b2771

    opened by asvrada 12
  • terminate called after throwing an instance of 'std::bad_alloc'

    terminate called after throwing an instance of 'std::bad_alloc'

    I am trying to run this app using mystikos, but i am getting this error:

    [email protected]:~/silkworm$ myst exec-linux silkworm /src/build/cmd/consensus
    terminate called after throwing an instance of 'std::bad_alloc'
      what():  std::bad_alloc
    Segmentation fault (core dumped)
    

    My dockerfile is:

    # stage 1 build
    FROM alpine:3.14 AS base-image
    
    RUN apk add --no-cache build-base boost-dev g++ cmake ccache gmp gmp-dev 
    
    ADD . /src
    RUN mkdir -p /src/build \
     && cd /src/build \
     && cmake .. \
     && make 
    
    FROM alpine:3.14
    
    RUN apk add libstdc++ gmp gmp-dev
    WORKDIR /src/
    COPY --from=base-image /src .
    
    
    CMD ["/src/build/cmd/consensus"]
    

    Thanks for your amazing work, if there is something else I can post here, please, let me know

    status/triaged area/kernel severity/low 
    opened by stdevMac 11
  • Unable to load non-debug mode enclave applications

    Unable to load non-debug mode enclave applications

    If we set DEBUG to 0 in config.json, Mystikos fails to load the application with the following message:

    2021-04-12T21:51:01+0000.931659Z [(H)ERROR] tid(0x7f2963974b80) | Enclave image was signed without debug flag but is being loaded with OE_ENCLAVE_FLAG_DEBUG set in oe_create_enclave call (oe_result_t=OE_DEBUG_DOWNGRADE) [/mystikos/third_party/openenclave/openenclave/host/sgx/create.c:oe_sgx_build_enclave:896] 2021-04-12T21:51:01+0000.931789Z [(H)ERROR] tid(0x7f2963974b80) | :OE_DEBUG_DOWNGRADE [/mystikos/third_party/openenclave/openenclave/host/sgx/create.c:oe_create_enclave:1129]

    status/triaged area/target severity/moderate 
    opened by jxyang 11
  • Error Sending information from oe_enclave to mystikos

    Error Sending information from oe_enclave to mystikos

    Hi guys!

    I was working in the past days and trying to send some information from oe_enclave to mystikos following the attested_tls example using tlssrv_write function and it compiles but breaks.

    Here is my repo addresss https://github.com/stdevMac/ and the branch example_break is where you can reproduce it

    This is the error I am currently getting:

    ~ make run
    # Kill the running instance of the TLS server before exit.
    tlssrv_host: no process found
    # Launch the TLS server the OE enclave
    Host: Enclave path = oe_enclave/enc/tlssrv_enc.signed, Run mode = hw, server port = 17500
    OE Enclave app started...
    # Launch the TLS client with myst
    echo "Runnig first client"
    Runnig first client
    /home/nethermind/mystikos/build/bin/myst exec-sgx rootfs /app/client 127.0.0.1 
    Host: starting_server
    
     Server in enclave: Waiting for a trusted connection
    Processing client number: 0
    *** kernel panic: enter.c(860): myst_enter_kernel(): myst_exec() failed, ret=-2
    0x1005f608e: __myst_panic()
    0x1005bfd6b: myst_enter_kernel()
    Makefile:17: recipe for target 'run' failed
    make: *** [run] Error 139
    

    Thanks in advance!

    opened by stdevMac 10
  • Move libcxx tests to a mystikos dockerhub registry

    Move libcxx tests to a mystikos dockerhub registry

    libcxx tests are currently being pulled from a container in the "sagoel" dockerhub registry, this container should be moved to be under a "mystikos" dockerhub registry since it is a part of our testing infrastructure. Building the libcxx tests takes a lot of time, so building them on every run might not be feasible.

    status/triaged area/cli severity/moderate 
    opened by salsal97 10
  • Maintain libc.threads_minus_1 correctly.

    Maintain libc.threads_minus_1 correctly.

    The thread created for the child of a fork is not created via pthread_create. Such a thread also does not call pthread_exit.

    Typically, libc.threads_minus_1 is maintained by pthread_create and pthread_exit.

    Since these functions are not invoked for a forked child, maintain the counter manually by doing increment just before cloning to create the thread and doing decrement just before invoking SYS_group_exit for the thread.

    Signed-off-by: Anand Krishnamoorthi [email protected]

    opened by anakrish 9
  • Delayed zero-fill for mmap(prot=0) pages

    Delayed zero-fill for mmap(prot=0) pages

    .NET runtime, Java runtime, and potentially other SW stack uses mmap(addr= preferred_addr, prot=0) to probe availability of preferred memory allocation. If the preferred allocation is not available (indicated by the returned memory addr not matching the preferred addr), the runtime might immediately call munmap() on the return address.

    With the current Mystikos mmap() implementation, when the kernel allocated the memory as part of mmap flow, the kernel sets the memory content to 0. When the EPC size of the platform is small, the operation will take a long time due to EPC paging.

    As the app runtime is simply probing the availability of the preferred memory allocation, and will deallocate the memory immediately if the allocated memory is not at the preferred address, zeroing the content and its associated extra latency do not yield real value.

    This PR marks the newly allocated inaccessible memory (by mmap(prot=0)) as "pending zero-fill", and only zero-fill the memory on a following mprotect() call that makes the memory accessible.

    opened by bodzhang 9
  • strace group filter process does not cover Mystikos specific syscalls

    strace group filter process does not cover Mystikos specific syscalls

    Following syscalls are missing - SYS_myst_clone SYS_myst_get_fork_info SYS_myst_kill_wait_child_forks SYS_myst_fork_wait_exec_exit

    Current list of syscalls under "process" strace group - https://github.com/deislabs/mystikos/blob/main/utils/syscall.c#L573-L586

    opened by vtikoo 0
  • pytorch pipeline takes much longer with MYST_RELEASE flag turned on

    pytorch pipeline takes much longer with MYST_RELEASE flag turned on

    as discovered during pr https://github.com/deislabs/mystikos/pull/1436 https://openenclaveci.westus.cloudapp.azure.com/blue/organizations/jenkins/Mystikos%2FStandalone-Pipelines%2FPyTorch-Tests-Pipeline/detail/PyTorch-Tests-Pipeline/809/pipeline https://openenclaveci.westus.cloudapp.azure.com/blue/organizations/jenkins/Mystikos%2FStandalone-Pipelines%2FPyTorch-Tests-Pipeline/detail/PyTorch-Tests-Pipeline/794/pipeline https://openenclaveci.westus.cloudapp.azure.com/blue/organizations/jenkins/Mystikos%2FStandalone-Pipelines%2FPyTorch-Tests-Pipeline/detail/PyTorch-Tests-Pipeline/787/pipeline https://openenclaveci.westus.cloudapp.azure.com/blue/organizations/jenkins/Mystikos%2FStandalone-Pipelines%2FPyTorch-Tests-Pipeline/detail/PyTorch-Tests-Pipeline/783/pipeline

    opened by salsal97 0
  • dotnet-p1 pass percentage <90%

    dotnet-p1 pass percentage <90%

    Observing frequent failures in the dotnet p1 test pipeline with a pass percentage of 89% (4954/5522 tests) in pr https://github.com/deislabs/mystikos/pull/1436

    Examples - https://openenclaveci.westus.cloudapp.azure.com/blue/organizations/jenkins/Mystikos%2FStandalone-Pipelines%2FDotNet-P1-Tests-Pipeline/detail/DotNet-P1-Tests-Pipeline/150/pipeline (MYST_RELEASE=1) https://openenclaveci.westus.cloudapp.azure.com/blue/organizations/jenkins/Mystikos%2FStandalone-Pipelines%2FDotNet-P1-Tests-Pipeline/detail/DotNet-P1-Tests-Pipeline/148/pipeline/57/ (MSYT_RELEASE=1) https://openenclaveci.westus.cloudapp.azure.com/blue/organizations/jenkins/Mystikos%2FStandalone-Pipelines%2FDotNet-P1-Tests-Pipeline/detail/DotNet-P1-Tests-Pipeline/146/pipeline/57/ (MYST_RELEASE=0) https://openenclaveci.westus.cloudapp.azure.com/blue/organizations/jenkins/Mystikos%2FStandalone-Pipelines%2FDotNet-P1-Tests-Pipeline/detail/DotNet-P1-Tests-Pipeline/144/pipeline/57/ (MYST_RELEASE=1)

    opened by salsal97 0
  • myst-gdb extension: Memory manager data structure tracker

    myst-gdb extension: Memory manager data structure tracker

    PR adds support for tracking the various memory manager data structures. From a user perspective, it currently allows querying for mapping details given an address. With the data structures being tracked its also possible to print mappings by process(not part of this PR), equivalent of info proc mappings in gdb.

    Current querying experience:

    For MAP_SHARED mappings -

    (gdb) myst-mman addr
    address: addr = 0x10436a000
    start_addr: 0x10436a000 end_addr: 0x10436b000 size=4096(0x1000)
    Page protection = PROT_READ|PROT_WRITE
    MAP_SHARED mapping, type: Regular file
    File mapping info: offset=0 filesz=10
    Owning processes: 
    101
    102
    

    For MAP_PRIVATE mappings -

    (gdb) myst-mman $rip
    address: $rip = 0x10438c9fe
    start_addr=0x10438c000 end_addr=0x10438e000 size=8192(0x2000)
    Page protection = PROT_READ|PROT_EXEC
    MAP_PRIVATE mapping, owning process: 101
    File mapping info: offset=4096 filesz=25456
    
    opened by vtikoo 2
  • Interactive bash support issues

    Interactive bash support issues

    [email protected]:/mnt/code/mystikos$ mkdir scratch
    [email protected]:/mnt/code/mystikos$ cd scratch/
    [email protected]:/mnt/code/mystikos/scratch$ ../scripts/appbuilder -i ubuntu
    <logs-elided>
    [email protected]:/mnt/code/mystikos/scratch$ ../build/bin/myst mkext2 appdir rootfs
    [email protected]:/mnt/code/mystikos/scratch$ ../build/bin/myst exec rootfs /bin/bash
    mystikos: warn: exec.c(1149): myst_exec(): 
        The thread stack size may be too small for the given program interpreter
        (link loader), which could result in stack overflows. Consider changing
        the thread stack size to at least 1048576 bytes, using the --thread-stack-size
        option or the ThreadStackSize configuration setting.
        [interpreter=/lib64/ld-linux-x86-64.so.2]
        [program=/bin/bash]
    
    bash: cannot set terminal process group (-1): Not supported
    bash: no job control in this shell
    bash: fork: Not supported
    [email protected]:/# *** kernel panic: syscall.c(7703): _syscall(): unhandled syscall: SYS_pselect6()
    0x1007f4fd2: __myst_panic()
    0x1008075a0: _syscall()
    0x10082bb02: __morestack()
    *** Kernel segmentation fault 
    0x1007bcd82: myst_signal_process()
    0x1008075ac: _syscall()
    0x10082bb02: __morestack()
    0x10080773e: myst_syscall()
    0x104938b0c: <unknown address>
    0x10499edc0: <unknown address>
    0x10499ede8: <unknown address>
    0x1046c2288: <unknown address> ```
    status/triaged type/feature area/kernel severity/moderate 
    opened by vtikoo 3
Releases(v0.9.1)
  • v0.9.0(Jun 22, 2022)

    Added:

    • Abstract namespace addresses support for Unix domain sockets: Conventionally Unix domain socket addresses are a path in the file hierarchy. Abstract namespace identifiers allow addresses without creating a corresponding file path. They are differentiated from conventional UDS addresses by starting the address with a null character.

    • Support for SOCK_STREAM Unix domain sockets bound to hostfs paths.

    Changed:

    • Track kernel and user time on a per-process basis: Previously, we were incorrectly tracking system and user time usage as a global variable.A number of the time commands actually require this to be reported on a per-process basis.

    • Clock resolution in the Mystikos kernel is changed to 100ns.

    • MUSL’s pathconf and fpathconf is patched to report invalid input for option PC_NAME_MAX.

    Security

    • Updated to use Open Enclave SDK v0.18.0 which mitigates CVE-2022-21166 described in INTEL-SA-00615.
    Source code(tar.gz)
    Source code(zip)
    Ubuntu-1804_mystikos-0.9.0-x86_64.deb(4.10 MB)
    Ubuntu-1804_mystikos-0.9.0-x86_64.tar.gz(5.86 MB)
    Ubuntu-2004_mystikos-0.9.0-x86_64.deb(4.23 MB)
    Ubuntu-2004_mystikos-0.9.0-x86_64.tar.gz(6.04 MB)
  • v0.8.0(Mar 25, 2022)

    Containers:

    Ubuntu 18.04: mystikos.azurecr.io/mystikos-bionic:v0.8.0 Ubuntu 20.04: mystikos.azurecr.io/mystikos-focal:v0.8.0

    Added:

    · Implemented Unix-domain sockets in which all data is exchanged within the kernel (inside the enclave), added support for AF_LOCAL dup()

    · Added support and tests for .NET and ASP.NET v6

    · Added PyTorch core tests, CPython 3.10 tests

    · Documented support and limitations for .NET https://github.com/deislabs/mystikos/blob/main/doc/dotnet-support.md

    · Documented support and limitations for Python https://github.com/deislabs/mystikos/blob/main/doc/PythonSupport.md

    · Enabled full 32-bit uid/gid support in ext2fs implementation

    · Added address validity check and set error code to match Linux spec for sched_getaffinity and sched_setaffinity

    · Implemented AF_LOCAL ioctl() FIONREAD, ppoll, SYS_kill, /proc/sys/kernel/pid_max, SYS_linkat, SYS_copy_file_range, FIOCLEX/FIONCLEX ioctl support for pipe

    · Improved signal handling

    · Added warning for small stacksize for glibc applications

    · Enabled tests on Intel Ice Lake platform which has SGX2 support

    Changed:

    · Breaking change: Host environment variables are no longer exported unless there is a config. "HostApplicationParameters" and "HostEnvironmentVariables" are used to pass host environment variables to the enclave

    · Removed glibc ifaddrs due to known limitation

    · Improved stability in general

    Source code(tar.gz)
    Source code(zip)
    Ubuntu-1804_mystikos-0.8.0-x86_64.deb(4.04 MB)
    Ubuntu-1804_mystikos-0.8.0-x86_64.tar.gz(5.78 MB)
    Ubuntu-2004_mystikos-0.8.0-x86_64.deb(4.17 MB)
    Ubuntu-2004_mystikos-0.8.0-x86_64.tar.gz(5.96 MB)
  • v0.7.0(Dec 9, 2021)

    Added:

    • Added support for Ubuntu 20.04

    • Added sample and design for secure secret release, see https://github.com/deislabs/mystikos/blob/main/doc/design/secret-provisioning.md and https://github.com/deislabs/mystikos/tree/main/solutions/confidential_ml

    • Added tests for Python Flask, PANDAS, Azure Python SDK

    • Added mpd.py to debug Python applications in Mystikos.

    • Added Python PTY support

    • Added support for #! Execution

    • Added support for ioctl(FIONBIO), LD_PRELOAD, SYS_Setsid, SYS_Write, execveat,sched_getparam, umask support in create/open/mkdir syscalls, /proc/stat for enclaves, /proc/[pid]/stat for enclaves.

    • Added Support for interruptible syscalls

    • Added sample to demonstrate ONNX running in Mystikos

    • Added sample for running Mystikos on Kubernetes

    • Added feature to get the environmental variables specified in the docker container to be available inside Mystikos

    Changed:

    • Improved stability and performance in general - fixes for mprotect, msync, FUTEX, dup, sendfile, recvfrom, O_PATH, Python itimer, locale support for Ubuntu based apps

    • Enabled .NET core P1 tests

    Known issues:

    • Developers should refrain from using AF_LOCAL and AF_ALG for sensitive data exchanges. Use AF_INET or IF_INET6 and make sure the traffic over the socket is always encrypted.
    Source code(tar.gz)
    Source code(zip)
    Ubuntu-1804_mystikos-0.7.0-x86_64.deb(3.97 MB)
    Ubuntu-1804_mystikos-0.7.0-x86_64.tar.gz(5.65 MB)
    Ubuntu-2004_mystikos-0.7.0-x86_64.deb(4.08 MB)
    Ubuntu-2004_mystikos-0.7.0-x86_64.tar.gz(5.81 MB)
  • v0.7.0-rc1(Dec 3, 2021)

    First release candidate for the v0.7.0 release.

    Added:

    • Added support for Ubuntu 20.04

    • Added sample and design for secure secret release, see https://github.com/deislabs/mystikos/blob/main/doc/design/secret-provisioning.md and https://github.com/deislabs/mystikos/tree/main/solutions/confidential_ml

    • Added tests for Python Flask, PANDAS, Azure Python SDK

    • Added mpd.py to debug Python applications in Mystikos.

    • Added Python PTY support

    • Added support for #! Execution

    • Added support for ioctl(FIONBIO), LD_PRELOAD, SYS_Setsid, SYS_Write, execveat,sched_getparam, umask support in create/open/mkdir syscalls, /proc/stat for enclaves, /proc/[pid]/stat for enclaves.

    • Added Support for interruptible syscalls

    • Added sample to demonstrate ONNX running in Mystikos

    • Added sample for running Mystikos on Kubernetes

    • Added feature to get the environmental variables specified in the docker container to be available inside Mystikos

    Changed:

    • Improved stability and performance in general - fixes for mprotect, msync, FUTEX, dup, sendfile, recvfrom, O_PATH, Python itimer, locale support for Ubuntu based apps

    • Enabled .NET core P1 tests

    Known issues:

    • Developers should refrain from using AF_LOCAL and AF_ALG for sensitive data exchanges. Use AF_INET or IF_INET6 and make sure the traffic over the socket is always encrypted.
    Source code(tar.gz)
    Source code(zip)
    Ubuntu-1804_mystikos-0.7.0_rc1-x86_64.deb(3.97 MB)
    Ubuntu-1804_mystikos-0.7.0_rc1-x86_64.tar.gz(5.65 MB)
    Ubuntu-2004_mystikos-0.7.0_rc1-x86_64.deb(4.08 MB)
    Ubuntu-2004_mystikos-0.7.0_rc1-x86_64.tar.gz(5.82 MB)
  • v0.5.0(Oct 7, 2021)

    Added:

    • Added support for the following syscalls: vfork, SYS_sendmsg, SYS_recvmsg, SYS_sync, SYS_pause, RLIMIT options (NPROC, AS and FSIZE), F_SETFL for fcntl, SYS_waitid, SYS_fsetxattr, SYS_mkdirat, SYS_fchmodat
    • Added samples demonstrating tensorflow_lite and NginX inside Mystikos
    • Added myst_lldb, a utility to enable debugging of .NET applications in Mystikos
    • Enabled cypthon3.9 test suite, PANDAS test suite, Microsoft C++ REST SDK test suite
    • Added NoBrk(an option to enable a safer way to run multi-process apps using fork-exec) option to configuration options
    • Added UnhandledSyscallEnosys(an option to prevent the termination of a program using myst_panic when an unimplemented syscall is encountered in the mystikos) option to configuration options
    • Added /proc/[pid]/stat
    • Support SIGSTOP and SIGCONT signals and waitpid() option WUNTRACED

    Changed:

    • Improved stability and performance in general
    • Improved coverage for cpython3.8 test suite, LTP test suite, .NET 5 test suite
    • Improved support for .NET applications in Mystikos
    • Moved to using OpenSSL 1.1.1L as the underlying crypto library for Open Enclave SDK libraries
    • Settings in config.json overwrite command line arguments. If not specified in config.json explicitly the default config setting is used.
    • Improved stability in fork mode pseudo_wait_for_exit_exec
    • Child processes now get SIGHUP when parent is shutting down
    • Main top-level process does not completely exit until all children have shutdown

    Removed:

    • Fork mode pseudo_kill_children was removed in favor of sending SIGHUP to children

    Known issues:

    • Some synchronous pipe, file and socket APIs are not interruptible with signals which can cause shutdown of applications to hang
    • Only support fork mode pseudo_wait_for_exit_exec. Fork mode pseudo is only used for testing and has many limitations

    Security updates:

    • Fixed issue# https://github.com/deislabs/mystikos/issues/772 which ensures that the configuration running inside the enclave is what is reflected in the attestation report
    Source code(tar.gz)
    Source code(zip)
    mystikos-0.5.0-x86_64.tar.gz(4.44 MB)
    sha256sum.txt(96 bytes)
  • v0.5.0-rc2(Oct 5, 2021)

  • v0.5.0-rc1(Oct 1, 2021)

  • v0.2.0-rc2(Jul 16, 2021)

  • v0.2.0(Jul 16, 2021)

    Added:

    • EXT2 file system support
    • Added an experimental pseudo-fork feature (disabled by default) that can work in similar ways to the vfork system call, except it gets its own copy of the stack
    • Included the following test suites in our test pipelines: libcxx (targeting both musl and glibc), sockperf, Azure SDK for dotnet, and Azure SDK for C++
    • Added code coverage measurement with gcov, using lcov to generate a report in our pipeline
    • Added support for identity related syscalls, and partially enforce the permissions tied to the identities
    • Added full or partial support for ~50 syscalls used by .NET runtime, Python runtime, and other key usages
    • Allowed host file systems to be auto-mounted through config.json
    • Multiple samples/solutions to showcase support for selected C/C++, C#, Java, Rust, and Python applications
    • Partial support for virtual files under /dev and /proc
    • Debugging capability of .NET applications with libsos
    • Forward hardware exceptions to the kernel
    • ‘Debug malloc’ option for detecting memory leaks and memory related bugs

    Changed:

    • Augmented musl based C-runtime for better compatibility with applications built against the glibc C-runtime
    • Adopted Open Enclave SDK version 0.17.0 and the security fix from Open Enclave version 0.17.1.
    • Enabled more tests in the following existing test suites: libc, .NET runtime, and ltp
    • The attestation credentials generated by Mystikos and the interface for applications to request such credentials during startup time
    • Retrieve DNS server configuration during Mystikos app launch time instead of build time
    • Enhancement to the memory manager
    • Separate kernel stacks from application stacks, and allocate the kernel stack on demand
    • Improved capability and usability of myst-appbuilder tool
    • Improved stability and performance in general
    • Addressed issues report by CodeQL scan

    Removed:

    • The dependency on musl-gcc or Alpine Linux
    • The need for users to specify a kernel memory size in config.json
    • The need for users to specify a maximum number of threads required in config.json

    Known issues:

    • Under certain situations, a Mystikos app might fail to exit due to a blocking I/O syscall
    • Under rare situation, a Mystikos app might crash instead of exiting normally.

    Security updates:

    Source code(tar.gz)
    Source code(zip)
    mystikos-0.2.0-x86_64.tar.gz(3.26 MB)
    sha256sum.txt(96 bytes)
  • v0.2-rc1(Jul 14, 2021)

  • v0.1.2(Feb 5, 2021)

    Added

    • A kernel that handles syscalls within the constraints of a TEE environment
    • Patches to MUSL libc that adapts it to the kernel
    • An open architecture that allows plugin of different hardware TEEs
    • Tools for creating container images consumable by Mystikos
    • Documentations and solutions showcasing various use cases of Mystikos

    Changed

    • N/A

    Removed

    • N/A

    Fixed

    • N/A

    Deprecated

    • N/A

    Known issues

    Source code(tar.gz)
    Source code(zip)
    mystikos-0.1.2-x86_64.tar.gz(2.91 MB)
Owner
null
A pre-boot execution environment for Apple boards built on top of checkra1n

archOS A pre-boot execution environment for Apple boards built on top of checkra1n - currently based off the Checkra1n/PongoOS Repo. Building on macOS

ScarletAI 2 Jan 17, 2022
Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving

Beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object.

Chris Au 91 Dec 28, 2022
Trusted QSL from the ARRL, this repo is a manual sync and only to generate a AppImage of the app

Trusted QSL from the ARRL, this repo is a manual sync and only to generate a AppImage of the app

Pavel Milanes (CO7WT) 2 Nov 17, 2021
A LoadLibrary injector for CS:GO that automatically bypasses Trusted Mode by disabling various Win32 function hooks.

TrustedInjector This is a LoadLibrary injector for Counter-Strike: Global Offensive. Information It automatically bypasses trusted mode by removing ho

Brandon 19 Jan 6, 2023
This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification.

UAC bypass - DLL hijacking Description This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification. Summary

null 239 Nov 30, 2022
A complete Javascript environment for creating homebrew applications and games on PlayStation 2.

AthenaEnv is a project that seeks to facilitate and at the same time brings a complete kit for users to create homebrew software for PlayStation 2 using the JavaScript language.

Daniel Santos 29 Nov 15, 2022
General repository for all software (emulators, dev tools, etc) related to Vircon32 but not running on console itself

Vircon32: Computer software This is a general repository containing source code related to Vircon32 implementation, this is, software that does NOT ru

Vircon32 12 Nov 15, 2022
oZKS (Ordered Zero-Knowledge Set) is a library that provides an implementation of an Ordered (and Append Only) Zero-Knowledge Set.

Ordered Zero-Knowledge Set - oZKS Introduction oZKS is a library that provides an implementation of an Ordered (and Append Only) Zero Knowledge Set. A

Microsoft 11 Dec 20, 2022
6D - Pose Annotation Tool (6D-PAT) - is a tool that allows the user to load a set of images and also a set of 3D models and annotate where in the 2D image the 3D object ist placed.

6D - Pose Annotation Tool (6D-PAT) For detiled explanations checkout the WikiPage. What is it? With 6D-PAT you can create 6D annotations on images for

Florian Blume 71 Nov 20, 2022
A guide and set of tools for working with TinyML powered Audio Sensors

Audio Sensor Toolkit This is a guide on how to build an Audio Sensor using Machine Learning, and helpful tools. Audio Sensor Guide Audio Tools Acceler

IQT Labs 20 Sep 21, 2022
A set of tools allowing JUCE 6.1 + Cmake to build a CLAP

JUCE6/CMake Clap Support This is a set of code which, combined with a JUCE6/CMake project, allows you to build a (buggy, feature incomplete, work in p

Paul 0 Feb 15, 2022
Suckless-tools - My fork of suckless tools.

suckless-tools Here is my fork of suckless tools. I didn't include tabbed, i was using but not actively. I am using xfce4-terminal instead of st. Beca

null 2 Jan 7, 2022
The Vulkan Profiles Tools are a collection of tools delivered with the Vulkan SDK for Vulkan application developers to leverage Vulkan Profiles while developing a Vulkan application

Copyright © 2021-2022 LunarG, Inc. Vulkan Profiles Tools (BETA) The Vulkan Profiles Tools are a collection of tools delivered with the Vulkan SDK for

The Khronos Group 73 Dec 25, 2022
AWS Ambit Scenario Designer for Unreal Engine 4 (Ambit) is a suite of tools to streamline content creation at scale for autonomous vehicle and robotics simulation applications.

AWS Ambit Scenario Designer for Unreal Engine 4 Welcome to AWS Ambit Scenario Designer for Unreal Engine 4 (Ambit), a suite of tools to streamline 3D

AWS Samples 77 Jan 2, 2023
PoC for CVE-2021-28476 a guest-to-host "Hyper-V Remote Code Execution Vulnerability" in vmswitch.sys.

CVE-2021-28476: a guest-to-host "Microsoft Hyper-V Remote Code Execution Vulnerability" in vmswitch.sys. This is a proof of concept for CVE-2021-28476

Axel Souchet 208 Nov 26, 2022
A refactored Proof-of-concept originally developed in 2017 to print all function calls with their arguments data types and values using Ptrace during program execution.

print-function-args-debugger A refactored Proof-of-concept originally developed in 2017 to print all function calls with their arguments data types an

*finixbit 15 Jun 17, 2022
x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration

anycall x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration Read: https://www.godeye.club/2021/05/14/0

Kento Oki 160 Dec 30, 2022
anthemtotheego 402 Dec 26, 2022