
Task 2: Create a first Policy

To protect the code, data, and secrets of an application, we need to run the application under the control of a security policy. In this task, we learn how to generate a simple security policy (aka session) for the simple program that we compiled in task 1.

Task 2-a: Attest CAS

To be able to create a security policy, we first need to attest and verify the CAS instance. Perform the following steps:

  • attest and verify the public CAS scone-cas.cf using the SCONE CLI
  • tolerate all vulnerabilities that might affect scone-cas.cf
  • set scone-cas.cf to be your default CAS, and
  • list all CAS instances that you have attested so far using scone session list

Please perform these steps on your development container that you set up in task 1.


Task 2-b: Create a Security Policy

Create a session for program scone-print-arg-env from task 1. Perform the following steps:

  • check the flags for generating a session, i.e., a SCONE CAS policy: scone session create --help

  • create a random session name to avoid conflicts with other users of this CAS:

  • inspect the provided session in file session.yaml

  • note that scone session create session.yaml fails with the error message variable $SESSION is not defined

  • fix this error using flag --use-env

  • verify that creating the session a second time will fail


Task 2-c: Policy History

Each policy has a unique session hash, similar to a git commit hash. Each policy has a unique history defined by the predecessor field.

  • create a simple policy (version 1)
  • update this policy setting the predecessor to the session hash of version 1
  • create version 3 of the policy, i.e., update version 2 and set the predecessor to the session hash of version 2.
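
The create and update rules from Tasks 2-b and 2-c, modeled as an added example that is not SCONE's own code: ToyCAS, its SHA-256 hash, the error texts and the sample session name are assumptions made for illustration. It shows why a second create fails and why an update must name the active version's session hash as its predecessor.

```python
import hashlib


class ToyCAS:
    """Toy model of create/update rules for named sessions (not SCONE's code)."""

    def __init__(self):
        self.current = {}   # session name -> hash of the active version
        self.history = {}   # session hash -> predecessor hash (None for version 1)

    @staticmethod
    def session_hash(policy_text):
        # Assumption: SHA-256 over the submitted text; the real CAS defines its own hash.
        return hashlib.sha256(policy_text.encode()).hexdigest()

    def submit(self, name, body, predecessor=None):
        active = self.current.get(name)
        if active is None and predecessor is not None:
            raise ValueError("unknown session: nothing to update")
        if active is not None and predecessor is None:
            raise ValueError("session already exists: set predecessor to update")
        if predecessor != active:
            raise ValueError("stale predecessor: not the active version")
        # The predecessor is part of the hashed text, so each hash commits to its history.
        text = f"name: {name}\npredecessor: {predecessor or '~'}\n{body}"
        digest = self.session_hash(text)
        self.history[digest] = predecessor
        self.current[name] = digest
        return digest

    def lineage(self, name):
        """Walk predecessor links from the active version back to version 1."""
        chain, digest = [], self.current.get(name)
        while digest is not None:
            chain.append(digest)
            digest = self.history[digest]
        return chain


def demo():
    cas = ToyCAS()
    name = "demo-session-1234"  # constructed session name
    v1 = cas.submit(name, "# constructed policy body, version 1")
    v2 = cas.submit(name, "# constructed policy body, version 2", predecessor=v1)
    v3 = cas.submit(name, "# constructed policy body, version 3", predecessor=v2)
    return cas, name, (v1, v2, v3)
```

In this model, an update that names version 1 after version 3 is active is rejected, so an old or concurrent writer cannot silently overwrite the active policy.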


Task 2-d: Run application under policy control

Run the application scone-print-arg-env under control of a policy. The SCONE runtime (part of the application) needs to know with which policy it should.

  • Set the environment variable SCONE_CONFIG_ID. It defines which policy to use. Note that an adversary could change this policy, but only the correct policy grants access to the right secrets.
  • Run the program and show that it prints the environment variables and arguments from the policy.
  • Try to set arguments and environment variables before executing scone-print-arg-env. Show that setting the arguments and environment variables has no impact on the application, i.e., they are all ignored.
