Anjuna Runtime for Intel® SGX

Each version of the Anjuna Seaglass software is supported for one year after release.

Version 1.51. Release Date - May 29th, 2024

Access the installer here.

What’s new?

The Anjuna Runtime now automatically launches a child process in an SGX enclave, if the child process application is the same application as the parent process. This will occur if a parent process runs an execve or posix_spawn of its own process binary.
Deployments of SGX no longer need to map page zero (vm.mmap_min_addr), during enclave startup, when using in-kernel drivers for DCAP. This reduces the privileged setup steps required for position-dependent executables.
Improved automatic dependency detection in the Anjuna Python Package.

Relevant security fixes

Bug number

Severity

Description

ANJ-10388

Medium

Fixed a bug in trusted_files and trusted_libs, which could cause untrusted files to be used in certain conditions.

ANJ-10395

Medium

Upgraded the Anjuna SGX Runtime’s version of glibc to 2.39 to address vulnerabilities, including CVE-2023-0687.

Version 1.50. Release Date - April 12th, 2023

Access the installer here.

What’s new?

Significantly reduced the CPU usage of the apmbroker helper process, which handles enclave communication with the Anjuna Policy Manager.

Version 1.49. Release Date - March 17th, 2023

Access the installer here.

Relevant bug fixes

Bug number

Severity

Description

ANJ-8408

Medium

Fixed a bug that could cause the Anjuna SGX Runtime to crash when running Node.js applications.

Version 1.48. Release Date - February 16th, 2023

Access the installer here.

What’s new?

Added support for Python 3.10 in anjuna.posix Python package.

Relevant bug fixes

Bug number

Severity

Description

ANJ-7500

Medium

Added support for /proc/self/exe to point to the binary running under the Anjuna SGX Runtime. Previously, it pointed to the binary for the Anjuna SGX Runtime itself, which would cause programs using /proc/self/exe to produce incorrect results.

Version 1.47. Release Date - January 19th, 2023

Access the installer here.

What’s new?

Added support for /proc/self/cmdline for applications that use it to read their own command-line arguments.
Added --aes-key option to anjuna-decrypt, which allows the user to provide a symmetric key for decryption. --aes-key was previously added to anjuna-encrypt in v1.38. This was announced in v1.43 but was not included due to a packaging issue.
Improved log messages for the Anjuna Policy Manager installer when dependencies are missing.

Relevant bug fixes

Bug number

Severity

Description

ANJ-7825

Medium

Fixed a bug related to vfork that could cause segfaults in Python 3.10 and other programs.

Version 1.46. Release Date - December 20th, 2022

Access the installer here.

What’s new?

Added a search bar for the documentation site.

Relevant bug fixes

Bug number

Severity

Description

ANJ-7837

Medium

Fixed a bug where the Anjuna Policy Manager would not check for a license at the default path.

ANJ-7839

Medium

Fixed a bug where using an environment variable larger than 8 KB would result in the error Environment variable too long. The total combined size of arguments and environment variables is still limited by Linux’s ARG_MAX.

Version 1.45. Release Date - November 17th, 2022

Access the installer here.

What’s new?

The Anjuna SGX Runtime now requires a license file to build and run enclaves. See Licensing the Anjuna SGX Runtime for more information.
Added a syscall to generate an attestation quote with custom userdata. The program inside the enclave can use the syscall to generate new attestation quotes using data only available at runtime. See the documentation for quote_generate for details.
Added new documentation for Trusting Applications Launched by the Enclave and the anjuna.posix Python module.

Relevant bug fixes

Bug number

Severity

Description

ANJ-7725

Medium

Fixed a bug where environment variables were not automatically passed from a parent enclave to a trusted child enclave.

Version 1.44. Release Date - October 28th, 2022

Access the installer here.

What’s new?

Added support for the APM to check attestation quotes generated by Azure. For configuration instructions, contact Anjuna Support (documentation coming soon).

Version 1.43. Release Date - September 30th, 2022

Access the installer here.

What’s new?

~~Added `--aes-key` option to `anjuna-decrypt`, which allows the user to provide a symmetric key for decryption.~~ Due to a packaging issue, this was actually released as part of v1.47.
Added documentation on using the Anjuna SGX Runtime with Azure Kubernetes Service.

Version 1.42. Release Date - September 2nd, 2022

Access the installer here.

What’s new?

Updated anjuna-compile-manifest help text and documentation to clarify that the full path to the executable needs to be provided, and added the --version flag.

Relevant bug fixes

Bug number

Severity

Description

ANJ-6602

Medium

Fixed an issue with the Anjuna SGX Runtime for Docker tarball, where files were created with the wrong owner and permissions.

ANJ-7158

Medium

Removed misleading log messages (Unable to locate the sealed private key and Failed to unseal private RSA key) when an enclave was started with no files encrypted with the provision key.

Version 1.41. Release Date - August 5th, 2022

Access the installer here.

What’s new?

Added support for applications using the getxattr system call.
Renamed anjuna-check-attestation flag from -n, --no-ias to -n, --local-checks-only to clarify usage.

Relevant bug fixes

Bug number

Severity

Description

ANJ-7091

High

Fixed a bug where EPID and DCAP tokens were not persisted in production APMs, preventing the enclave from starting.

Version 1.40. Release Date - July 8th, 2022

Access the installer here.

Relevant bug fixes

Bug number

Severity

Description

ANJ-6811

Medium

Fixed a problem where the Anjuna Runtime issued a warning when the AZDCAP_DEBUG_LOG_LEVEL environment variable was not defined.

Relevant security fixes

Bug number

Severity

Description

ANJ-6839

Medium

Fixed a potential vulnerability when the code running in the enclave invokes the system call getcwd and gets in return a path that is not null-terminated. This could have caused the enclave application to crash or to expose sensitive data.

Version 1.39. Release Date - June 10th, 2022

Access the installer here.

What’s new?

Changed the name of the top-level Runtime for Docker archive file.

Relevant bug fixes

Bug number

Severity

Description

ANJ-6608

High

Fixed a problem where anjuna-compile-manifest would create different software measurements for the same binary with the same manifest, in different runs of the tool.

ANJ-6126, ANJ-6549, ANJ-6651

Medium

Improved support for the case the application running in the enclave calls time system calls (clock_gettime, gettimeofday, time) when CLOCK_BOOTTIME is requested with a kernel version older than v4.20, or when the vDSO interface is unavailable.

ANJ-5240

Medium

Fixed an issue where applications running in the Anjuna Runtime were forced to use an outdated version of libcrypt.so instead of the system-provided one.

Version 1.38. Release Date - May 6th, 2022

Access the installer here.

What’s new?

Improvements

Updated anjuna-encrypt with the ability to encrypt files with a symmetric key provided by the user.
Added the --version option to anjuna-compile-manifest.
Updated the SGX packages runtime for Docker with Intel DCAP v1.13 packages.

Relevant bug fixes

Bug number

Severity

Description

ANJ-6436

Medium

Fixed a bug that could cause deadlocks in multi-threading applications running in the enclave.

ANJ-6528

Minor

Removed the tput dependency from anjuna-sgxrun.

Version 1.37. Release Date - April 8th, 2022

Access the installer here.

Relevant bug fixes

Bug number

Severity

Description

ANJ-6285, ANJ-6305, ANJ-6307

Medium

Fixed multiple bugs that could cause deadlocks in multi-threading applications running in the enclave.

Version 1.36. Release Date - March 11th, 2022

Access the installer here.

What’s new?

Improvements

Improved support for JAVA applications.

Relevant bug fixes

Bug number

Severity

Description

ANJ-6068

High

Fixed a potential buffer overflow issue where the file name of the socket between the enclave and the APM-broker is more than 107 characters.

ANJ-5218

Medium

Solved a file descriptor leak in the Anjuna Runtime when using misconfigured file encryption.

ANJ-6177

Medium

Fixed a bug where a child process fails to start after successful unsealing of the provisioning key.

Relevant security fixes

Bug number

Severity

Description

ANJ-5109

High

Fixed a security vulnerability where one could execute arbitrary code (ACE) in the enclave.

Version 1.35. Release Date - February 11th, 2022

Access the installer here.

What’s new?

Improvements

Improved the handling of parameters in the manifest for those that support path names with patterns.
Removed the need to manually unset the SGX_AESM_ADDR environment variable; when this variable was set, the enclave failed to start.
Upgraded some open source components to the latest version to solve known vulnerabilities.

Relevant bug fixes

Bug number

Severity

Description

ANJ-5989, ANJ-5990

High

Fixed issues that could lead to out-of-bound memory access, which in turn could cause a crash or a data leak.

ANJ-5986

High

Fixed multiple memory leaks.

ANJ-5982

Medium

Fixed a bug where race conditions in the runtime’s syscall handling code caused the runtime to stall.

Version 1.34. Release Date - January 14th, 2022

Access the installer here.

What’s new?

Improvements to the anjuna-check-attestation command in order to support different DCAP attestation caching services.
Added the ability to create an attestation quote for files that are created in an enclave. This enables users to verify that the files come from trusted software.
The anjuna-check-attestation tool and the Anjuna Policy Manager can now verify Attestation Quotes with the SGX Certificate Extension Type 1.

Relevant bug fixes

Bug number

Severity

Description

ANJ-5507, ANJ-5508, ANJ-5509

High

Fixed issues that could lead to out-of-bound memory access, which in turn could cause a crash or a data leak.

Version 1.33. Release Date - December 17th, 2021

Access the installer here.

What’s new?

Added support for the SGX driver in new Linux kernels based on the change of the path to the SGX driver in the filesystem.

Relevant bug fixes

Bug number

Severity

Description

ANJ-3454

Medium

Fixed a problem where the Anjuna runtime crashed when %X was used in print formatted messages.

Relevant security fixes

Bug number

Severity

Description

ANJ-4584

Medium

Fixed a security vulnerability with the handling of syscalls involving the signinfo_t function.

ANJ-4589

Medium

Production enclaves mask all pointer addresses printed from the Anjuna Runtime to the standard output and standard error in order to prevent the disclosure of memory layouts of the application running in the enclave.

Version 1.32. Release Date - November 19th, 2021

Access the installer here.

What’s new?

Improved support for readv and writev system calls when used with network sockets.

Version 1.31. Release Date - October 22nd, 2021

Access the installer here.

Relevant security fixes

Bug number

Severity

Description

ANJ-4582

High

Fixed an integer overflow vulnerability when parsing the process arguments and environment variables in the enclave.

ANJ-4581

High

Fixed a race condition vulnerability in the handling of the posix_spawn libc function inside the enclave.

ANJ-4580

High

Fixed a potential race condition vulnerability when creating a child process in the enclave.

ANJ-4579
ANJ-4586

High

Fixed TOCTOU vulnerabilities throughout the code.

Version 1.30. Release Date - September 24th, 2021

Access the installer here.

What’s new?

General improvements

Added support for Anjuna Runtime for Docker containers on Ice Lake machines.
Added support for running more than one application inside an enclave, using anjuna-sgxrun, from the same directory.
Added support to the Anjuna installer for kernels that already have the SGX driver installed.
The Anjuna Runtime Installer will no longer load the Anjuna SGX kernel driver when it is not needed.

Relevant bug fixes

Bug number

Severity

Description

ANJ-4418

Critical

Fixed a problem where the Anjuna Runtime would crash when the process was trying to allocate more memory than available.

ANJ-4490

Medium

Fixed a security issue where the application running in the enclave could be attacked due to pread/pwrite calls returning more bytes than requested.

ANJ-4419

Medium

Fixed a problem that prevented the trusted child process in the enclave configuration from working.

Version 1.29. Release Date - August 26th, 2021

Access the installer here.

What’s new?

General improvements

The Anjuna Policy Manager will reject requests from an SGX Enclave which is running in Debug mode, unless specifically set to allow so.

Relevant bug fixes

Bug number

Severity

Description

ANJ-3804

High

Fixed an issue where the enclave would get killed by the out-of-memory-killer even if there was enough available memory in the machine. Now enclaves with a memory size of up to the available memory (RAM + Swap) will succeed to run without a problem.

Version 1.28. Release Date - July 30th, 2021

Access the installer here.

What’s new?

Enforcing the execution of trusted Python code
Anjuna is now providing the ability to identify the specific Python dependencies during dev/build time, add their measurements to the enclave manifest and enforce using only these approved dependencies in runtime.

Support for additional mmap use cases
Added support for applications using mmap of a file with the MAP_PRIVATE option, when PROT_EXEC is not used.
As before, applications using mmap with the PROT_EXEC option are supported only when used for mapping a trusted file.

Other improvements

The Anjuna Policy Manager can now be installed on Ubuntu 20.
The components that are needed for Python support are now deployed by the Anjuna SGX installer.

Version 1.27. Release Date - July 2nd, 2021

Access the installer here.

What’s new?

Improved signal handling in the enclave
Additional improvements around signal handling for the process running inside the enclave, covering more use cases.

Improved security when connecting from the enclave to the Anjuna Policy Manager
The connection between the Anjuna Runtime and the Anjuna Policy Manager (APM) Broker is now secured using TLS-PSK and requires the APM Broker to run in an enclave.
If you are using the Anjuna Policy Manager, please follow the documentation to learn what needs to change in your configuration.

Version 0.26. Release Date - June 4th, 2021

Access the installer here.

What’s new?

TLS encryption
For server processes that do not provide an out-of-the-box ability to encrypt incoming connection, the Anjuna Enterprise Enclaves for Intel® SGX enables doing so, with a simple configuration setting.

Improved signal handling in the enclave
Improved signal handling for the process running inside the enclave, covering more signal use cases.

Improved Python scripts performance
Providing an Anjuna Python package to enable a more efficient implementation of subprocess.Popen when running inside an SGX enclave, with minimal modification to code.

Improved documentation

Added directions for running software in an enclave in a container that uses Ubuntu 20.04 as its base image.

Other improvements

Updated the Anjuna SGX installer to include the latest version of Intel’s SGX driver.

Relevant bug fixes

Bug number

Severity

Description

ANJ-3574

Medium

Solved a crash of the runtime in the case that a key was provisioned for the enclave but it is missing when the enclave starts to run.

ANJ-3446

Medium

Improved display of logs when the enclave runs in multiple threads. Relevant when running the enclave in debug mode.

ANJ-2439

Medium

The runtime now verifies the structure of data returned from the syscalls getdents and getdents64, preventing malicious OS’s from causing buffer overflows using corrupted dirent and dirent64 structures.