Fail-safe disconnect demoΒΆ
To our best knowledge, the Armour is the only currently available solution that off-the-shelf allows developers and security teams to distinguish between a legitimate request and a seemingly legitimate request coming from a compromised user.
The compiled program comes with ready-to-use, minimal implementation of the producer server and the consumer. This minimal implementation makes it easy to check how the failsafe-disconnect system works in practice.
You can run the demo solution on a single machine, as consumer and producer may use the same enclave for this purpose:
docker pull relock/armour
docker run --privileged --network host -it relock/armour run \
--host 127.0.0.1 --port 8111 \
--multiprocessing
Once the Armour is running on a local hostname and is ready to use, we can run a naive producer server on port 80 and all local addresses.
docker run --network host -it relock/armour producer \
--host 0.0.0.0 --port 80 \
--armour 127.0.0.1 --aport 8111 \
--multiprocessing
Next we run several consumers with differently named ticket access points and different sleep times between requests to the producer:
curl -ik http://127.0.0.1/ask
docker run --network host -it relock/armour consumer \
--host 127.0.0.1 --port 80 \
--armour 127.0.0.1 --aport 8111 \
--name Alice --sleep 100 --ticket <TICKET>
curl -ik http://127.0.0.1/ask
docker run --network host -it relock/armour consumer \
--host 127.0.0.1 --port 80 \
--armour 127.0.0.1 --aport 8111 \
--name Bob --sleep 300 --ticket <TICKET>
curl -ik http://127.0.0.1/ask
docker run --network host -it relock/armour consumer \
--host 127.0.0.1 --port 80 \
--armour 127.0.0.1 --aport 8111 \
--name Carol --sleep 500 --ticket <TICKET>
If executed correctly, you will see multiple green logs showing that our mockup users are making requests to the producer and continuously re-keying their root secrets.
Now we can simulate a ticket interception attack and an attempt of consumer identity impersonation. With the included software you can compromise a ticket by taking it over from the enclave and making a request to the producer from a separate process.
docker run --network host -it relock/armour consumer \
--host 127.0.0.1 --port 80 \
--armour 127.0.0.1 --aport 8111 \
--name Alice --ticket <ALICE TICKET>
In response to this attempt you should see multiple red logs. They represent failed requests from the legitimate user, in this case Scylla. The moment an impersonation attempt was executed, the Armour detected it and triggered a fail-safe disconnect.
In real-world applications, the Armour will include an observability function that will alert the administrator about such an incident, allowing them to respond to the attack immediately and restore a secure connection.
You can investigate the code with a demo of the fail-safe disconnect in our GitHub repository.