
Third SGX Community Day


3rd SGX Community Day Virtual Event

July 26th, 8:00am–12:30pm PDT

July 27th, 8:00am–12:30pm PDT

Thanks a lot everyone for participating in the 3rd Intel SGX Community Day on July 26th and 27th. It was a great event with a mix of talks from the academic community, startups and big corporations. We had over 300 people registered, with strong participation on both days. The talks covered several use cases such as Web3, secure AI/ML, secure stream processing and secure V2V for autonomous vehicles. Researchers also described challenges and enhancements for interaction with other hardware features such as protection keys and persistent memory. This event gave SGX researchers and practitioners a chance to interact, build connections and gain insight into research directions and production use cases.

We have the slides linked in the schedule and videos of the presentations listed with the abstracts below. 

Visit our SGX Community Day 2020 page for more information on past events. Suggestions, comments, or questions about the workshop are very welcome. Please e-mail Mona Vij ( and Emma Call ( 

See the agenda below.

Agenda - July 26th: 

This schedule is subject to change. All updates will be posted to this page.

Time | Topic & Slides | Speaker(s)
8:00-8:15 | Welcome | Mona Vij, Richard Chow, Emma Call, Intel
8:15-9:00 | Keynote Talk: Latest Innovations in the Rapidly Evolving Confidential Computing Industry | Vikas Bhatia, Head of Product, Azure Confidential Computing, Microsoft
9:00-9:25 | Decentralized Search for Web3 | Mingyu Li, PhD Student, Shanghai Jiao Tong University (SJTU)
9:25-9:50 | SGX and Web3: Shifting the Paradigm on Remote Computing | Sara Drakeley, CTO, MobileCoin
9:50-10:00 | Break |
10:00-10:25 | Cosmian SGX SaaS Solution | Bruno Grieder, CTO and Co-founder, Cosmian
10:25-10:50 | Introduction to MarbleRun, the Control Plane for SGX Workloads | Moritz Eckert, Chief Architect, Edgeless Systems
10:50-11:15 | Enclaves in ETSI VNFs for SW Supply Chain and Inter-connect Key Security | Ben Smeets, Senior Expert Security, Ericsson
11:15-11:25 | Break |
11:25-11:50 | Conclave Functions - Serverless Execution Using Intel SGX | Roy Hopkins, Principal Engineer, R3
11:50-12:15 | Enarx Update | Nathaniel McCallum, CTO, Profian
12:15-12:30 | Open Discussion / Wrap Day 1 |


Agenda - July 27th: 

This schedule is subject to change. All updates will be posted to this page.

Time | Topic | Speaker(s)
8:00-8:10 AM | Gather/Kick off |
8:10-8:35 AM | A Hardware-Software Co-design for Efficient Intra-Enclave Isolation | Jinyu Gu, Assistant Professor, Shanghai Jiao Tong University (SJTU)
8:35-9:00 AM | Gramine: Current State and Future Plans | Dmitrii Kuvaiskii, Research Scientist, Intel Labs
9:00-9:25 AM | Why The Upcoming Occlum v1.0 Is Going To Be 10x Faster | Hongliang Tian, Ant Group
9:25-9:35 AM | Break |
9:35-10:00 AM | secFlink: A Secure Distributed Stream Processing System | Do Le Quoc, Senior Research Engineer, Huawei Munich Research Center; Lorenzo Affetti, Senior Research Engineer, Huawei Munich Research Center
10:00-10:25 AM | Securing Distributed Transactions and Persistent Memory in TEEs | Dimitrios Stavrakakis, PhD Student, TU Munich and University of Edinburgh; Dimitra Giantsidi, PhD Student, University of Edinburgh
10:25-10:50 AM | Towards a TEE-based V2V Protocol for Connected and Autonomous Vehicles | Zhiqiang Lin, Professor, Ohio State
10:50-11:00 AM | Break |
11:00-11:25 AM | Learnings From Using Intel SGX to Enable Trustworthy Federated Learning Systems | Prakash Narayana Moorthy, Research Scientist, Intel Labs; Shih-han Wang, Research Scientist, Intel Labs
11:25-11:50 AM | Microsoft Azure Attestation — A Unified Solution for Remotely Verifying Trustworthiness of Trusted Execution Environments (TEEs) | Sindhuri Dittakavi, Product Manager, Microsoft
11:50 AM-12:15 PM | Fortanix Confidential AI: Using SGX to Accelerate the Use of AI and Machine Learning | Patrick Conte, Vice President, Business Development, Fortanix
12:15-12:30 PM | Open Discussion / Wrap Day 2 |


Abstracts & Presentations:

Latest Innovations in the Rapidly Evolving Confidential Computing Industry 

Abstract TBD


Decentralized Search for Web3

The current ecosystem of Web3 apps (e.g., Steemit, OpenBazaar) lacks decentralized, verifiable, and private search. Users continue to rely on centralized search engines and indexers to access the content they seek and navigate the apps, undermining some of the key tenets behind decentralization. This talk will present DeSearch, which utilizes client-side SGX personal computers to build a decentralized search engine, guaranteeing verifiability and privacy for query keywords and search results. DeSearch introduces novel notions such as Kanban (a blockchain-regulated cloud store), Witness (a succinct proof for a procedure) and many others to combat the challenges of decentralization.

The prototype of DeSearch is released at:


SGX and Web3: Shifting the Paradigm on Remote Computing

Two major developments in remote computing stand to dramatically alter the way we use and operate services, and perhaps even alter the foundations of cloud computing. These developments are confidential compute and decentralized infrastructure. SGX leads the way in confidentiality and integrity with a remote enclave that extends the trusted computing base of a user's platform, so a user need not trust their cloud provider with their data. Decentralization is the foundation of Web3, where through replication of state and distributed verified computation, users no longer have single points of failure in their data custody and processing. In this talk, we will explore how the combination of SGX and Web3 technology powers MobileCoin, the fastest, most usable payments platform with a global reach, currently deployed in one of the largest messaging apps. We will cover one of our major contributions to the field of oblivious computing, which uses enclaves and oblivious RAM to ensure the operator of the service is completely oblivious to users' data, and we'll discuss how we overcame the challenges of a decentralized SGX deployment which requires node-to-node attestation as well as client-server attestation. To close, we'll explore the ways in which the whole of blockchain technology and SGX together are greater than the sum of their parts, looking at how each amplifies the guarantees of the other.

Cosmian SGX SaaS Solution

Abstract TBD


Introduction to MarbleRun, the Control Plane for SGX Workloads

The management, orchestration, and scaling of SGX-based services come with unique challenges. How to ensure that each service was launched with the right parameters? How to set up secure connections between services? How to manage shared secrets? How to update code? How to map the concept of remote attestation to a microservice architecture? How to do it all on Kubernetes? The open source MarbleRun project addresses all of these. We’ll give an overview of the philosophy and design of MarbleRun and give hands-on examples for creating end-to-end confidential cloud-native apps with it.


Enclaves in ETSI VNFs for SW Supply Chain and Inter-connect Key Security

ETSI standardization has been considering hardware-based trusted execution environments and has lately been progressing on detailing how these should integrate into the ETSI ecosystem of VNFs. The ETSI efforts for VNFs are particularly focused on the telco world and have practical significance when MNOs deploy 5G networks. TEEs can here address concerns about the SW supply chain of the VNFs and increase the protection of the keys used to secure the VNF interconnects. The latter will, in the context of 5G, be the keys used for the mutually authenticated HTTPS connections of the SBA nodes in the 5G core network. In this presentation we explain challenges related to deployments in a 5G core network and possible solutions utilizing enclave technology. We also present an overview of current ETSI standardization where enclave technology is being considered.

Conclave Functions - Serverless Execution Using Intel SGX

Conclave Cloud is a new confidential computing platform for hosting privacy-preserving applications using Intel SGX. With Conclave Functions, we delivered the first service of the Conclave Cloud platform. It is a serverless execution environment that allows stateless functions to be hosted, executed, and scaled on demand whilst ensuring your data is always encrypted—even during processing.

In this talk, we will present how Conclave Cloud is taking advantage of Intel SGX to ensure the integrity and privacy of the user’s data as well as providing hardware-backed assurances over the exact code that will be processing the data.


Enarx Update 

Abstract TBD


A Hardware-Software Co-design for Efficient Intra-Enclave Isolation

The monolithic programming model has been favored for high compatibility and easing the programming for SGX enclaves, i.e., running the secure code with all dependent libraries or even library OSes (LibOSes). Yet, it inevitably bloats the trusted computing base (TCB) and thus deviates from the goal of high security. Introducing fine-grained isolation can effectively mitigate TCB bloating while existing solutions face performance issues. We observe that the off-the-shelf Intel MPK is a perfect match for efficient intra-enclave isolation. Nonetheless, the trust models between MPK and SGX are incompatible by design. We hence propose LIGHTENCLAVE, which embraces non-intrusive extensions on existing SGX hardware to incorporate MPK securely and allows multiple light-enclaves isolated within one enclave.


Gramine: Current State and Future Plans 

Gramine (formerly called "Graphene") is a lightweight library OS, designed to run a single Linux application in an isolated environment -- in particular, inside an Intel SGX enclave on a Linux host. Several major events happened to the Gramine project in the first half of 2022: we released v1.2, added support for Musl C, rewrote the sockets and FS subsystems, improved support for Golang and Rust, and many more. This talk will discuss these recent changes, as well as the project's future plans.


Why The Upcoming Occlum v1.0 Is Going To Be 10x Faster 

Occlum ( is an open-source library OS for Intel SGX. After going through three years of development and 40+ releases, Occlum is finally approaching its first stable version, v1.0, this year! One thing that took us so long to reach v1.0 was pulling off a series of 10X speedups in various aspects, including thread scheduling, system time, network I/O, and file I/O. This talk sheds some light on how we achieve these speedups.


secFlink: A Secure Distributed Stream Processing System 

Stream processing systems are a critical part of modern online services to transform continuously arriving raw data streams into useful information. This large amount of streaming data may contain private, personal, and sensitive information related, for example, to personal finances or healthcare records. Recently, we have seen regulators’ attention increase on issues regarding how personal data is handled and processed, e.g., the EU’s GDPR. Thus, the confidentiality and integrity of stream data processing cannot be neglected, especially when the stream processing systems are deployed in public clouds. In this talk, we present secFlink, a secure distributed stream processing framework that supports (i) end-to-end security properties for both input stream data and code, (ii) transparent/automatic remote attestation, and (iii) secure check-pointing. secFlink relies on a trusted execution environment (TEE) such as Intel SGX to provide secure data processing over private and sensitive input data streams. Our evaluation using micro- and macro-benchmarks shows that secFlink can provide strong security guarantees for stream processing with an acceptable overhead.

Securing Distributed Transactions and Persistent Memory in TEEs 

While users of online services expect their data stored in third-party cloud infrastructure to remain confidential and private, powerful adversaries can compromise these security properties. Our work attacks this problem and focuses on the design of high-performance data management systems and architectures that aim to offer strong security properties: confidentiality, integrity, and freshness.

In this talk, we introduce two systems: a secure distributed transactional KV with serializable distributed Txs (Treaty) and a secure persistent memory architecture (ShieldPM).
Treaty and ShieldPM target strong security properties (confidentiality, integrity, and freshness) in the presence of a powerful adversary that can gain control of and compromise the entire software stack, while they offer programmability and efficiency. Treaty leverages Trusted Execution Environments (TEEs) to bootstrap its security properties, but it extends the trust provided by the limited enclave (volatile) memory region within a single node to build a secure (stateful) distributed transactional KV store over the untrusted storage, network and machines. To achieve this, Treaty embodies a secure two-phase commit protocol co-designed with a high-performance network library for TEEs. Further, Treaty ensures secure and crash-consistent persistency of committed transactions using a stabilization protocol. ShieldPM goes one step further. We design a secure persistent memory architecture, the ideal foundation for building secure systems such as datastores from the ground up. It exposes APIs for secure data management within the realms of the established PM programming model while ensuring performance and crash consistency. ShieldPM is the first system co-designed around three hardware technologies: TEE, PM and kernel-bypass networking.


Towards A TEE-based V2V Protocol For Connected And Autonomous Vehicles 

Being safer, cleaner, and more efficient, connected and autonomous vehicles (CAVs) are expected to be the dominant vehicles of future transportation systems. However, there are enormous security and privacy challenges while also considering the efficiency and scalability. One key challenge is how to efficiently authenticate a vehicle in the ad-hoc CAV network and ensure its tamper-resistance, accountability, and non-repudiation. In this paper, we present the design and implementation of a Vehicle-to-Vehicle (V2V) protocol by leveraging a trusted execution environment (TEE), and show how this TEE-based protocol achieves the objectives of authentication, privacy, accountability and revocation as well as scalability and efficiency. We hope that our TEE-based V2V protocol can inspire further research into CAV security and privacy, particularly how to leverage TEE to solve some of the hard problems and bring CAVs closer to practice.


Learnings From Using Intel SGX to Enable Trustworthy Federated Learning Systems 

Federated learning is a promising privacy-preserving distributed machine learning model building technique that permits training a model on a set of distributed datasets without having to centralize the datasets. While several studies prove that federated learning can achieve model accuracy levels nearly similar to that of centralized learning, deploying an end-to-end trustworthy ML pipeline is a substantially harder problem with federated learning than with centralized learning. A trustworthy federated learning system needs to address data-science related threats such as model poisoning by data owners, data exfiltration by model owners, etc. as well as system-level threats such as model theft by data owners, violation of training algorithm integrity, etc.

In this talk, we will present an overview of our federated learning middleware platform that uses a combination of Intel SGX technology and a consortium-based governance module in order to address aforementioned threats. We will also share views on the limitations of existing platforms/tooling for supporting Intel SGX based decentralized workloads such as federated learning, and present some of the promising current efforts on addressing these gaps.


Microsoft Azure Attestation — A Unified Solution for Remotely Verifying Trustworthiness of Trusted Execution Environments (TEEs)

Microsoft Azure Attestation enables customers to remotely verify that the hardware and software on which their workloads run are trustworthy, before allowing access to their confidential data. Azure Attestation supports attestation of multiple Trusted Execution Environment (TEE) types and offers confidentiality promises by running inside an Intel® Software Guard Extensions (SGX) enclave. The talk gives a service overview and summarizes common use cases, benefits and the future roadmap.


Fortanix Confidential AI:  Using SGX to Accelerate the Use of AI and Machine Learning

For Confidential Computing to meet the operational requirements of end-users it must support seamless deployment with full auditability. It must also integrate with standard tools, and this is of particular importance in the secure deployment of AI models for training and inference. Fortanix Confidential AI(TM) enables rapid implementation of AI workloads using Intel SGX to protect algorithms and data. We will discuss how to achieve end-to-end data security for actual AI use cases, and outline the security features supported by Intel SGX.

About the Author
Mona Vij is a Principal Engineer and Cloud and Data Center Security Research Manager at Intel Labs, where she focuses on Pervasive Confidential Computing for end-to-end Cloud to Edge security. Mona received her Master’s degree in Computer Science from the University of Delhi, India. Mona leads the research engagements on trusted execution with several universities. Her research has been featured in journals and conferences including USENIX OSDI, USENIX ATC and ACM ASPLOS, among others. Mona's research interests primarily include confidential computing, memory safety, virtualization, device drivers and operating systems.