Darragh Grealish

PARSEC - A Cloud Native Security Framework across Edge, Cloud and IoT

(co-authored together with – Marc Meunier, Sr, Manager Ecosystem Development, Infrastructure Arm and Darragh Grealish, Cloud Engineer and Co-Founder of 56K.Cloud)

Earlier this month, Marc and I hosted a talk at the CNCF where we introduced PARSEC, the security abstraction project for Edge.  During the talk, we demonstrated a use case that showcased the developer experience spanning 5G, IoT and Edge Cloud.  In this blog post we will dig a bit deeper into the design and provide some additional background details on PARSEC. In a short version here, Robert Wolff from Arm interviews Marc Meunier about PARSEC.

If you want to get get a deeper deep dive into Parsec then the Webinar Marc and I hosted on the CNCF Webinar series earlier in September. A recorded version of the talk is available here: https://www.cncf.io/webinars/arm-developer-experience-spanning-cloud-5g-and-iot/

What is ParSec and Why do we need it?

PARSEC Platform AbstRaction for SECurity, It sits between the cloud native development environment and the security Root of Trust (RoT) blocks. It provides a standard set of APIs to developers in the language of choice and routes requests to the various back-end, taking care of the particularities of different RoT implementations. One of the advantages of leveraging PARSEC is that it enables developers and operators to move applications between various devices and maintain a secure connection to RoT without having to rewrite the interface.

When did Parsec join the CNCF and who are involved?

Parsec started out as a project between Docker and Arm. During the initial development phase, we realized that this project needed to move to an independently governed body to position Parsec as a cross-architecture soln. In other words, PARSEC solves a program that spans across various HW architectures and is not limited to Arm. We encourage this proliferation and therefore donated the project to the CNCF in June 2020.

Where can I find out what is currently implemented in PARSEC?

The maintainers of Parsec have created a few tables to breakdown the features that are implemented in PARSEC. All this information is available on the Github page for the project under Service API Coverage: https://parallaxsecond.github.io/parsec-book/parsec_client/operations/service_api_coverage.html

What example use cases can we show to best demonstrate PARSEC in action?

Let’s look at a development scenario where a developer is building out an edge application. They may be working on their own (Prototyping) or as part of a team. Security is a big important topic for them as they aim to deploy on the edge, outside a protected datacenter or cloud. Their work might span across many different platforms. Having to manage that array of security providers (TEE, TPM, HSM etc..) will quickly become a burden. They would like to develop towards a standard library. That library should address certain security requirement the application developers have to meet in order to appease their CISO expectation. They also would like to use this application across their software stack, be it on a device, at the edge or in the cloud. It’s not clear yet which pieces fall where, but what is clear is that they wish to avoid implementing directly with TEE and HSM, but consume it as a service on the given platform they are developing on. Looking at a use case where we have a specific application developer on 5G network, where the application makes best use of the features of 5G. It is likely that the application will not operator completely on the IoT device, but will execute its functions across Cloud, Edge (MEC), and end device. This means the developers are faced with having to implement 3 security providers:

  • HSM in the cloud,
  • Edge with a remote HSM, possible TPM,
  • and the device its self by using TEE.

Lets look at a possible use case, say you have to deliver an application that spans, from your edge devices (Handsets, Sensors, IoT), communicate over a mobile network, interfaced to an Edge. Given the rapid expansion of 5G recently, we see this use case becoming even more relevant  than ever.

Taking a deeper look at an edge application deployment, where we have 3 primary deployment setups, each address a particular need; Using AWS as an example. Lets say we have an Embedded Device application (Real-time application), Edge Compute workload, (Telco Edge Cloud) and the back-end deployment on AWS Region. In the diagram above we can clearly see the distribution of security providers. The embedded device is using TEE on a Qualcomm RB5 board, the edge cloud is using a HSM or TPM provider and finally in AWS region we have CloudHSM. Three different security providers are available to the developers in this use case. Which poses as challenge to developer in a team and meet security requirements. This is where we introduce the Parsec client library as a tool to abstract the specific security providers. It allows in this context to develop only on the Parsec client library and allow Parsec to manage the various underlying interfaces.

We are going to look at a simple RUST Client implementation and demonstrate how we can directly avoid implementation of security providers such as TEE.

Parsec currently offers about 2 client library’s a RUST implantation and second a golang test implementation. We are going to take the rust client library, this is natural as Parsec is implemented in rust and a good starting point as it will have greater coverage of features.   You can find the RUST client documentation here: https://docs.rs/parsec-client/0.8.0/parsec_client/core/basic_client/struct.BasicClient.html

Below is an example where we bring up the wire protocol (https://parallaxsecond.github.io/parsec-book/parsec_client/wire_protocol.html) and interface with the parsec service.

To get to this point, there are a few steps you need to take, as we are going to show an example in RUST, its good to get started first with a RUST example here: https://www.rust-lang.org/learn/get-started

· Based on your platform (Windows, Mac or Linux), follow the instructions on rust-lang.org website

· Git clone the parsec project, >git clone https://github.com/parallaxsecond/parsec.git

· Follow instructions to install parsec service: https://parallaxsecond.github.io/parsec-book/parsec_service/install_parsec_linux.html

· Once the parsec service is up, ensure that your user can see /tmp/parsec folder, as this will setup a sock for parsec client to connect to.

· The /tmp/parsec/parsec.sock should be part of “parsec-clients” group and your user show be also a part of the same group. )

· In a new directory, run cargo new hello-parsec

· Cargo will build a new RUST project including a Cargo.toml, src folder with main.rs

· Lets run the hello-world example, execute cargo run

· Now that we have a simple RUST example to build on. Lets add the following code based on the Parsec BasicClient implementation: https://docs.rs/parsec-client/0.8.0/parsec_client/core/basic_client/struct.BasicClient.html

· What we are doing here is, importing 3 functions of the parsec_client library, Secret function, AuthenticationData and the BasicClient itself.

From the text above we can see we start the main function by echoing a Hello in the console, we then prepare a mutable variable known as “writer” and allow it to echo out on the standard out in this case the console. We then create to immutable variable, app_name and app_auth_data. And setup the client also. The If statement then checks if we have managed to open up the wire protocol to the Parsec service. Failing that we will echo out the error.

Run “Cargo build” and a bunch of dependence will download (about a 1GB of data) This isn’t anything PARSEC specific, Rust has a large dependency tree of library’s .

Once done, execute >cargo run and you should see the following output

We see that the application runs, finds the parsec service, connects to the Wire protocol. So it establishes a connection to Parsec Service over the socket. However we are not running any Provider (TPM, TEE etc..) in the background we don’t get a list of providers. Hence the error. But what we have seen is, within about 5~10 lines it’s quite easy to get ParSec client library up and running and talking to the service.

We hope to expand on this demo and complete the implementation to therefore demonstrate a cross-platform test of using Parsec on an Edge device and Cloud hosting provider.

To learn more, have a read of how Parsec joined the CNCF: https://community.arm.com/developer/tools-software/tools/b/tools-software-ides-blog/posts/arm-parsec-joins-cncf-sandbox-project

On the 7th October 2020 at DevSummit 2020 there will be a talk where Marc Meunier from Arm and Justin Cormack from Docker will present a deeper perspective into ParSec from a Cloud Native Development using Docker.  Don’t forget to join, you can find the talk here

Don't forgot to joined Arm DevSummit on 6th-8th October Follow the link below to register and build your schedule, Many of the talks are covered over three days, and not more then four hours each day. You can find the registration link here: https://devsummit.arm.com/arm-infrastructure

Enjoyed learning about our work and values, If you'd like to know more 56K.Cloud and of course the benefits of Cloud Adoption, Containers and DevOps Automation, IoT, and 5G, feel free to reach out to info@56K.Cloud to learn more about our services, development, training and solutions.


Darragh Grealish

Co-Founder and CTO