aws/aws-nitro-enclaves-samples

Vsocks in Node.js

abhigupta768 opened this issue · 9 comments

Hey, I am trying to make a Node.js application support nitro enclaves. But, I cannot find a way to implement vsock in Node.js. Can you point to something?

Also, can you let me know if Unix IPC Sockets would work?

Hi @abhigupta768. Looks like Node.js doesn't support it. I found that the net library only implements AF_INET and AF_UNIX SOCK_STREAM, while UDP/Datagram implements the AF_INET SOCK_DGRAM BSD socket API, and neither of them suits the AF_VSOCK SOCK_STREAM API required for communication with nitro enclaves.

In this case you could try some relay software which could forward vsock traffic to some other endpoint suitable for you, e.g. https://github.com/stefano-garzarella/socat-vsock.

Thanks for getting back. I am thinking of the following solution:

  1. Have a Python script with AF_VSOCK implementation in the parent.
  2. Have a Python script with AF_VSOCK implementation in the enclave.
  3. Have the Node.js code in the parent initiate the Python script in the parent using a child process which in turn passes on data to the enclave using the Vsock.
  4. Have the Python script in the enclave receive the data and initiate a child process to run the Node.js code in the enclave to process the data and return it to the Python script.
  5. Have the Python script in the enclave send the processed data back to the Python script child process in the parent via Vsock, which in turn returns it to the Node.js code.

Can you please let me know if this would work? And also if there are any security issues around the same?

Thanks!

Yes, Python can use vsock as you can find from the example and then it's up to you how to further arrange the communication.
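The five-step plan above, together with the reply that Python can speak vsock, can be sketched as one small Python helper that both sides run. This is an added example, not code from this thread or from aws-nitro-enclaves-samples. It assumes a Linux kernel with AF_VSOCK support (socket.AF_VSOCK is Linux-only, Python 3.7+), that the parent instance is CID 3 (the fixed parent CID in Nitro Enclaves), an arbitrarily chosen port 5000, and a hypothetical worker.js that the enclave-side script feeds over stdin (step 4). The Node.js code in the parent would spawn `python3 vsock_relay.py parent <enclave-cid>` as a child process and exchange the request and reply over its stdin/stdout (steps 3 and 5). Two points relevant to the "security issues" question are built in: the enclave listener rejects any peer whose CID is not the parent's, and every message is length-prefixed with a hard cap so a malformed header cannot make the enclave allocate an arbitrary amount of memory.

```python
"""vsock_relay.py: length-prefixed request/response over a stream socket.

Added example, not part of the issue thread or the samples repo. Assumptions:
Linux with AF_VSOCK, parent instance CID 3, port 5000, a worker.js in the
enclave that reads a request on stdin and writes the reply to stdout.
"""
import socket
import struct
import subprocess
import sys
import threading
from typing import Callable, Optional

PARENT_CID = 3        # Nitro Enclaves: the parent instance always has CID 3
VSOCK_PORT = 5000     # assumed port number for this demo
MAX_FRAME = 1 << 20   # hard cap per message; a forged header cannot exceed it
HEADER = struct.Struct("!I")  # 4-byte big-endian payload length

Handler = Callable[[bytes], bytes]


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes, raising if the peer closes mid-frame."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-frame")
        buf.extend(chunk)
    return bytes(buf)


def send_frame(sock: socket.socket, payload: bytes) -> None:
    """Send one length-prefixed message."""
    if len(payload) > MAX_FRAME:
        raise ValueError("payload exceeds MAX_FRAME")
    sock.sendall(HEADER.pack(len(payload)) + payload)


def recv_frame(sock: socket.socket) -> bytes:
    """Receive one message; the length is validated before any allocation."""
    (length,) = HEADER.unpack(recv_exact(sock, HEADER.size))
    if length > MAX_FRAME:
        raise ValueError(f"frame of {length} bytes exceeds MAX_FRAME")
    return recv_exact(sock, length)


def serve_one(conn: socket.socket, handler: Handler, expected_cid: Optional[int]) -> bytes:
    """Answer one request on an accepted connection and return the reply sent.
    On vsock getpeername() yields (cid, port); the enclave only serves the parent."""
    if expected_cid is not None:
        peer_cid, _peer_port = conn.getpeername()
        if peer_cid != expected_cid:
            raise PermissionError(f"rejected connection from CID {peer_cid}")
    reply = handler(recv_frame(conn))
    send_frame(conn, reply)
    return reply


def request(sock: socket.socket, payload: bytes) -> bytes:
    """Client side: send a request frame and wait for the reply frame."""
    send_frame(sock, payload)
    return recv_frame(sock)


def run_node_worker(data: bytes) -> bytes:
    """Enclave handler (step 4): hand the request to a Node.js child process
    over stdin and return its stdout. worker.js is an assumed file name."""
    proc = subprocess.run(["node", "worker.js"], input=data, capture_output=True, check=True)
    return proc.stdout


def enclave_main(handler: Handler = run_node_worker) -> None:
    """Enclave side (step 2): accept vsock connections from the parent only."""
    srv = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
    srv.bind((socket.VMADDR_CID_ANY, VSOCK_PORT))
    srv.listen(8)
    while True:
        conn, _ = srv.accept()
        with conn:
            try:
                serve_one(conn, handler, expected_cid=PARENT_CID)
            except (ValueError, ConnectionError, PermissionError) as exc:
                print(f"dropped request: {exc}", file=sys.stderr)


def parent_main(enclave_cid: int) -> None:
    """Parent side (steps 3 and 5): spawned by Node.js; relays stdin to the
    enclave over vsock and writes the enclave's reply to stdout."""
    with socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM) as s:
        s.connect((enclave_cid, VSOCK_PORT))
        sys.stdout.buffer.write(request(s, sys.stdin.buffer.read()))


def loopback_roundtrip(handler: Handler, payload: bytes) -> bytes:
    """Exercise the framing without vsock: the same code over an AF_UNIX
    socketpair, handler in a thread. No CID check applies to AF_UNIX peers."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=serve_one, args=(server, handler, None))
    worker.start()
    try:
        return request(client, payload)
    finally:
        worker.join()
        client.close()
        server.close()


def forged_length_is_rejected() -> bool:
    """A header claiming more than MAX_FRAME bytes must be refused before any read."""
    client, server = socket.socketpair()
    try:
        client.sendall(HEADER.pack(MAX_FRAME + 1))
        try:
            recv_frame(server)
            return False
        except ValueError:
            return True
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    if sys.argv[1:2] == ["enclave"]:
        enclave_main()
    elif len(sys.argv) == 3 and sys.argv[1] == "parent":
        parent_main(int(sys.argv[2]))
    else:
        print(loopback_roundtrip(lambda d: d.upper(), b"hello"))
```

Run `python3 vsock_relay.py enclave` inside the enclave image and let the Node.js parent spawn `python3 vsock_relay.py parent <enclave-cid>`; with no arguments the script runs the loopback self-check instead. The CID check belongs on the enclave side because any process on the parent instance that can open a vsock socket could otherwise reach the listener; the frame cap belongs on both sides because neither should trust the other's length header.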

Sounds good, thanks!

@abhigupta768 Did you ever get it working?

Hey, nope. I ended up using Evervault (https://evervault.com/). They provide Node.js support for AWS Nitro Enclaves.

Very interesting. Thanks. Do you know if they support e.g. Mysql/MariaDB as external services?

Umm, I am not very sure. They do intercept network requests inside the enclave, then relay them to the parent, which can then interact with whitelisted IPs. So I am guessing that using a managed service like RDS with the appropriate permissions should work. I am not entirely sure though.