Project Oak: Meaningful control of data in distributed systems (opens in new tab)

(github.com)

147 pointstiziano881y ago50 comments

50 comments

I think the authors should mention the background story for how this project originated at Google in Google Research (UK). Tried browsing through the Github project page and didn't see any obvious references, aside from the committers list.

AFAIK, the first time I heard about "Project Oak" was about four or five years ago.

This predates Apple's Private Cloud Compute.

spankalee1y ago

The lede is a little buried in that README [1]:

## Sealed Computing

A canonical use of Oak is to build privacy-preserving sealed computing applications.

In a sealed computing application, a node (usually a client device) sends data to an enclave application (usually a server), which processes data without the service provider hosting the enclave application being able to see the inputs, outputs, or side effects of the computation.

[1]: https://github.com/project-oak/oak?tab=readme-ov-file#sealed...

---

Seems like an attempt at a privacy-preserving alternative to running your whole phone OS image on a server?

JimDabell1y ago

Sounds like Apple’s Private Cloud Compute:

https://security.apple.com/blog/private-cloud-compute/

sulam1y ago

It both predates the Apple approach and is more thorough. I cannot inspect or ensure the software BoM of my image with Apple’s approach, I just have to trust them. With Oak you have trust down to the hardware.

DaiPlusPlus1y ago

> When on-device computation with Apple devices such as iPhone and Mac is possible, the security and privacy advantages are clear: users control their own devices, researchers can inspect both hardware and software, runtime transparency is cryptographically assured through Secure Boot, and Apple retains no privileged access

Waitasec - ZOOM AND ENHANCE!

> users control their own devices

I’ll believe that when Apple lets me downgrade my iOS version.

nepthar1y ago

Honestly, I think it will be used for the reverse (and unfortunately more evil) - Google wants to be able to control YOUR machine's compute environment for things like playing back of DRM'd content. They want a chain of trust that your browser cannot be modified to do things like block ads.

tiziano88OP1y ago

Oak focuses on running workloads on server-side TEEs

leoqa1y ago

From a service owner perspective, if I offer content and want to enforce strong identity from the user then this seems like a win. I may lose eyeballs but will gain higher confidence that my content is being consumed as intended.

I'm fine with more controls in place, a safer internet is clearly a social win that would reduce life alerting fraud, scams etc. If power users want to go to their peer-to-peer cesspool then go for it.

2 more replies

warkdarrior1y ago

But can it deliver ads?

nrabulinski1y ago

It’s a google project, that’s probably the first use case they considered

2 more replies

tbrownaw1y ago

So, something that can be used to run Tor relays that provably don't intentionally misbehave? Or hidden services that the hosting provider has no way to give other people access to?

ChrisArchitect1y ago

Some previous discussion:

2019

https://news.ycombinator.com/item?id=20265625

trallnag1y ago

Nice, seems like a more cost-effective alternative to homomorphic encryption

saagarjha1y ago

Attestation is to homomorphic encryption as storing things in a bank safe is to burying it out in the woods. There’s an entity providing you service and they’re trying their best to guarantee that they’re not going to decrypt your stuff but there’s usually some sort of collusion that will make it possible.

1 more reply

calmbonsai1y ago

Based on the headline, I thought this was a reference to Gosling's pre-Java language.

pluto_modadic1y ago

I was curious if someone would build something that allows the DCAP datacenter attestation to be exposed to applications, e.g. "prove via intel that the SHA of the software running on the machine is XYZ"

noja1y ago

Like Signal did for contact discovery? https://signal.org/blog/private-contact-discovery/

bobbiechen1y ago

>"prove via intel that the SHA of the software running on the machine is XYZ"

This is exactly the purpose of MRENCLAVE in Intel SGX remote attestation quotes (and similar fields in other TEE platforms), and proving the software identity to remote clients is a common use case.

Maybe I misunderstand - is that what you mean, or is there another use case you are looking for?

camgunz1y ago

Super cool. I did some reading about Secure Enclaves with I was dreaming up ways to democratize compute; very cool to see a project like this making it a reality.

nanomonkey1y ago

This reminds me of Spritely Goblins from the Spritely Institute, which has "vats" where you can run code in a distributed manner using object capabilities.

7e1y ago

How does this compare with https://github.com/confidential-containers?

topspin1y ago

How does this relate/compare to AWS Nitro Enclaves? It looks like the same concept, except integrated into Intel and AMD CPUs.

arianvanp1y ago

Nitro enclaves is a lot less ambitious than this. This is a full blown microkernel. Whilst nitro Enclave is a Linux kernel with just virtio drivers enabled + a small initrd containing your Linux application. The "Trusted compute base" of nitro enclaves is larger.

Nitro enclaves also doesn't have all this high level infrastructure of composing microservices like this does

I think (but somebody smarter might correct me) that with nitro enclaves you also need to trust Amazon. Whilst with this you need to trust AMD, but don't need to trust GCP

Nice thing about nitro enclaves is that the Linux bits aren't tied to OCI. E.g. Monzo uses nix to build their enclave images https://github.com/monzo/aws-nitro-util

asterfield1y ago

Maybe I’m just paranoid, but isn’t the (possibly unwritten) intent of this project to be able to flip the client and server around and run code in your browser and phone? I don’t understand their incentive to work on this unless they can use it to gatekeep “official” youtube clients (for example).

dboreham1y ago

Incentive is that there is a small market segment that wants "actual privacy" and a concern that this segment could become very large at any moment due to publicity/awareness. Nobody wants to be caught with their pants down in that event.

katsura1y ago

At first I thought this is related to the Oak server: https://github.com/oakserver/oak

pavlov1y ago

Oak was also the original name of the language that became Java.

blahgeek1y ago

This seem to be Google's response to Apple private cloud compute [1]?

[1] https://security.apple.com/blog/private-cloud-compute/

dboreham1y ago

Except the other way around.

warkdarrior1y ago

Except that Apple actually uses this privacy stuff. Is Project Oak used by Android or Pixel?

1 more reply

xyst1y ago

A bit surprised that it’s written in rust, rather than Go. I suppose rust can take advantage of more low level apis, plus no overhead of garbage collection.

edit: love that the community is not silo’d into a proprietary chat platform as well:

> We welcome contributors! To join our community, we recommend joining the mailing list.

- https://github.com/project-oak/oak?tab=readme-ov-file#gettin...

I really wish more open source projects used mailing lists.

1) decentralized means of communication

2) able to join these communities from any type of environment (ie, corporate hell hole) without much friction. With discord, slack (especially at fortune 500s). It usually involved a whole process of approvals to get the damn thing installed and punch a hole through the firewall to get access to the service.

No, using a personal email and device for what I consider contributing from a work aspect (ie, submitting patch to OSS to solve specific problem with project) is not acceptable.

topspin1y ago

The hardware features used for this are Intel and AMD CPU extensions: they're writing a microvm to run inside special "enclave" virtual machines. Go is a fine language but it's not really intended for this sort of work. Rust is a natural fit for this work: you can write low level drivers and also ensure a number of safety properties.

jb19911y ago

> A bit surprised that it’s written in rust, rather than Go. I suppose rust can take advantage of more low level apis, plus no overhead of garbage collection.

It’s security-focused technology. Rust has huge advantages over Go in this area.

filleokus1y ago

> Rust has huge advantages over Go in this area.

Could you name some advantages? I would agree Rust has huge advantages compared to C/C++, and Rust also has a much bigger presence in the "security space". But I would say that's more because of Rust's lack of GC, smaller footprint which works in embedded systems etc.

I guess you could say that Rust's type system being more expressive might eliminate certain classes of bugs, which have security implications. But "huge advantages"?

(Honestly I'm not flame baiting, I'm genuinely curious if my worldview is wrong)

2 more replies

dijit1y ago

does it really? aside from a handful of crates and the default std hashmap i being slow but cryptographically sound: I would not have assumed so.

Go usage inside Google is actually quite low, people talk a lot about Go being a google project but in reality its a project made by some people who work at Google.

When I last checked it was a bronze supported language (with C++, Python and Java being Gold).

1 more reply

deskr1y ago

What advantages are those?

1 more reply

summerlight1y ago

I think using Go is not a popular decision in the Android ecosystem, especially for those system programming stuffs. It's very likely that the project needs tight client side integration, so they probably wanted to use a language which has a wider support especially in the case of possible iOS support.

j / k navigate · click thread line to collapse

50 comments

moandcompany1y ago

AFAIK, the first time I heard about "Project Oak" was about four or five years ago.

This predates Apple's Private Cloud Compute.

spankalee1y ago

The lede is a little buried in that README [1]:

## Sealed Computing

A canonical use of Oak is to build privacy-preserving sealed computing applications.

[1]: https://github.com/project-oak/oak?tab=readme-ov-file#sealed...

---

Seems like an attempt at a privacy-preserving alternative to running your whole phone OS image on a server?

JimDabell1y ago

Sounds like Apple’s Private Cloud Compute:

https://security.apple.com/blog/private-cloud-compute/

sulam1y ago

DaiPlusPlus1y ago

Waitasec - ZOOM AND ENHANCE!

> users control their own devices

I’ll believe that when Apple lets me downgrade my iOS version.

nepthar1y ago

tiziano88OP1y ago

Oak focuses on running workloads on server-side TEEs

leoqa1y ago

2 more replies

warkdarrior1y ago

But can it deliver ads?

nrabulinski1y ago

It’s a google project, that’s probably the first use case they considered

2 more replies

tbrownaw1y ago

So, something that can be used to run Tor relays that provably don't intentionally misbehave? Or hidden services that the hosting provider has no way to give other people access to?

ChrisArchitect1y ago

Some previous discussion:

2019

https://news.ycombinator.com/item?id=20265625

trallnag1y ago

Nice, seems like a more cost-effective alternative to homomorphic encryption

saagarjha1y ago

1 more reply

calmbonsai1y ago

Based on the headline, I thought this was a reference to Gosling's pre-Java language.

pluto_modadic1y ago

noja1y ago

Like Signal did for contact discovery? https://signal.org/blog/private-contact-discovery/

bobbiechen1y ago

>"prove via intel that the SHA of the software running on the machine is XYZ"

This is exactly the purpose of MRENCLAVE in Intel SGX remote attestation quotes (and similar fields in other TEE platforms), and proving the software identity to remote clients is a common use case.

Maybe I misunderstand - is that what you mean, or is there another use case you are looking for?

camgunz1y ago

Super cool. I did some reading about Secure Enclaves with I was dreaming up ways to democratize compute; very cool to see a project like this making it a reality.

nanomonkey1y ago

This reminds me of Spritely Goblins from the Spritely Institute, which has "vats" where you can run code in a distributed manner using object capabilities.

7e1y ago

How does this compare with https://github.com/confidential-containers?

topspin1y ago

How does this relate/compare to AWS Nitro Enclaves? It looks like the same concept, except integrated into Intel and AMD CPUs.

arianvanp1y ago

Nitro enclaves also doesn't have all this high level infrastructure of composing microservices like this does

I think (but somebody smarter might correct me) that with nitro enclaves you also need to trust Amazon. Whilst with this you need to trust AMD, but don't need to trust GCP

Nice thing about nitro enclaves is that the Linux bits aren't tied to OCI. E.g. Monzo uses nix to build their enclave images https://github.com/monzo/aws-nitro-util

asterfield1y ago

dboreham1y ago

katsura1y ago

At first I thought this is related to the Oak server: https://github.com/oakserver/oak

pavlov1y ago

Oak was also the original name of the language that became Java.

blahgeek1y ago

This seem to be Google's response to Apple private cloud compute [1]?

[1] https://security.apple.com/blog/private-cloud-compute/

dboreham1y ago

Except the other way around.

warkdarrior1y ago

Except that Apple actually uses this privacy stuff. Is Project Oak used by Android or Pixel?

1 more reply

xyst1y ago

A bit surprised that it’s written in rust, rather than Go. I suppose rust can take advantage of more low level apis, plus no overhead of garbage collection.

edit: love that the community is not silo’d into a proprietary chat platform as well:

> We welcome contributors! To join our community, we recommend joining the mailing list.

- https://github.com/project-oak/oak?tab=readme-ov-file#gettin...

I really wish more open source projects used mailing lists.

1) decentralized means of communication

No, using a personal email and device for what I consider contributing from a work aspect (ie, submitting patch to OSS to solve specific problem with project) is not acceptable.

topspin1y ago

jb19911y ago

> A bit surprised that it’s written in rust, rather than Go. I suppose rust can take advantage of more low level apis, plus no overhead of garbage collection.

It’s security-focused technology. Rust has huge advantages over Go in this area.

filleokus1y ago

> Rust has huge advantages over Go in this area.

I guess you could say that Rust's type system being more expressive might eliminate certain classes of bugs, which have security implications. But "huge advantages"?

(Honestly I'm not flame baiting, I'm genuinely curious if my worldview is wrong)

2 more replies

dijit1y ago

does it really? aside from a handful of crates and the default std hashmap i being slow but cryptographically sound: I would not have assumed so.

Go usage inside Google is actually quite low, people talk a lot about Go being a google project but in reality its a project made by some people who work at Google.

When I last checked it was a bronze supported language (with C++, Python and Java being Gold).

1 more reply

deskr1y ago

What advantages are those?

1 more reply

summerlight1y ago

j / k navigate · click thread line to collapse