Design Principles
The Enarx project adheres to and champions the following design principles:
- Minimal Trusted Computing Base
  - Every line of code in the trusted computing base represents a possible way for the host to attack the tenant's code and data. Care will be taken to have as few lines of code as possible inside our trusted computing base. All trusted code will be measured for the code-owner's validation.
- Minimum trust relationships
  - Every component of the host machine on which a Keep is running is explicitly untrusted, with the exception of…
    - …the CPU and its firmware. All programs must trust the processor on which they run, as this is the minimum capability required for execution.
    - …the Enarx Keep platform. Enarx will deliver all additional code needed to enable the core application runtime.
- Deployment-time portability
  - Applications deployed with Enarx can be redeployed on different CPU architectures without recompilation.
  - The set of trusted CPUs is a deployment-time configuration.
- Network stack outside the TCB
  - Network stacks are large, complex and buggy, offering opportunities for privilege escalation and compromise. Enarx aims to provide a small, easily auditable TCB, and as a result chooses to use operating-system-provided networking, whilst managing encryption and decryption of packets within the Keep.
- Security at rest, in transit and in use
  - By default, Enarx encrypts all data stored by or transmitted from within a Keep, both at rest and in transit.
  - Enarx is designed to enable deployment best practices, including automated, short-running Keeps.
  - Enarx aims to make redeployment of Keeps trivial. Therefore, migration of Keeps is not supported.
- Auditability
  - Code in Enarx will be crafted to be easily auditable.
  - Enarx code will be broken into small, independent components that are easy to understand.
  - Run-time modularity of the core platform makes auditing difficult and is to be avoided.
- Open source
  - This guarantees that people can tailor the software to their needs.
  - It is also the best way to provide auditability to all, and not just to some.
  - Enarx is published under the Apache 2.0 licence.
- Open standards
  - Enarx uses well-known, shared open standards where possible, and aims to work to bring new ones into existence where necessary.
- Memory safety
  - Enarx uses programming languages that encourage memory safety, to reduce the costs of memory corruption.
  - Exceptions to this policy need to be clearly justified, limited in scope and publicly documented.
  - The primary programming language of Enarx is Rust.
- No backdoors
  - The Enarx project founders and core team take a strong view that backdoors in software, firmware or hardware are never a good idea, and pledge to resist any attempts by any parties (internal or external to the project; commercial, charitable or governmental; from whatever jurisdiction) to insert backdoors into any aspect of Enarx, or to encourage, force or cajole any such backdoors to be inserted.