Skip to content

Task 2: Create a first Policy

To protect the code, data, and secrets of an application, we need to run the application under control of a security policy. We learn in this task how to generate a simple security policy (aka session) for the simple program that we compiled in task 1.

Task 2-a: Attest CAS

To be able to create a security policy, we first need to attest and verify the CAS instance. Perform the following steps:

  • attest and verify the public CAS using the SCONE CLI
  • tolerate all vulnerabilities that might affect
  • set to be your default CAS, and
  • list all CAS instances that you have attested so far using scone session list

Please perform these steps on your development container that you set up in task 1.


Task 2-b: Create a Security Policy

Create a session for program scone-print-arg-env from task 1. Perform the following steps:

  • check the flags for generating a session, i.e., a SCONE CAS policy scone session create --help

  • create a random session name - to avoid conflicts with others users of this CAS:

  • Inspect the provided session in file session.yaml

  • Note that scone session create session.yaml fails with error message variable $SESSION is not defined

  • fix this error using flag --use-env

  • verify that creating the session a second time will fail


Task 2-c: Policy History

Each policy has a unique session hash similar to a git commit hash. Each policy has a unique history defined by the predecessor field

  • create a simple policy (verion 1)
  • update this policy setting the predecessor to the session hash of version 1
  • create version 3 of the policy, i.e., update version 2 and set the predecessor to the session hash of version 2.


Task 2-d: Run application under policy control

Run application scone-print-arg-env under control of a policy. The SCONE runtime (part of application) needs to know with which policy it should.

  • Set the environment variable SCONE_CONFIG_ID. It defines which policy to use. Note that adversary could change this policy - but only correct policy grants access to right secrets.
  • Run the program and show that it prints the environment variables and arguments from the policy.
  • Try to set arguments and environment variables before executing scone-print-arg-env. Show that setting the arguments and environment variables has no impact on the application, i.e., they are all ignored.