Biblio

The concept of usage control goes beyond traditional access control by regulating not only the retrieval but also the processing of data. To be able to remotely enforce usage control policy the processing party requires a trusted execution environ-ment such as Intel SGX which creates so-called enclaves. In this paper we introduce Multi Enclave based Code from Template (MECT), an SGX-based architecture for trusted remote policy enforcement. MECT uses a multi-enclave approach in which an enclave generation service dynamically generates enclaves from pre-defined code and dynamic policy parameters. This approach leads to a small trusted computing base and highly simplified attestation while preserving functionality benefits. Our proof of concept implementation consumes customisable code from templates. We compare the implementation with other architectures regarding the trusted computing base, flexibility, performance, and modularity. This comparison highlights the security benefits for remote attestation of MECT.