Auditability & Explainability of OBLV Deployments
Explainable Architecture

Explainable Architecture

OBLV introduces an explainable architecture for enclave-based computing, overcoming the limitations of traditional virtual machine image trust. Vanilla confidential computing relies on minimal hash-based verification, which can obscure the detailed architectural view of the system, making it challenging to confirm its operational integrity.

OBLV addresses this by implementing a detailed framework using secondary manifests. These JSON documents provide an in-depth blueprint of each enclave’s internal configuration and operational parameters. This transparency provides a clear, interpretable representation of the system's structure and functioning. Such detail is essential for enhancing transparency, security, and compliance, enabling developers and security professionals to fully understand and verify the system’s operations.

Components of the Secondary Manifests

  • Internal Structure and Data Flow: The manifests detail the arrangement and interactions of services within each enclave, outlining how data moves and is processed. This ensures intentional, secure data handling that adheres to established policies.
  • Logging and Authentication Protocols: These documents specify the logging processes and authentication protocols within the enclave. They describe how access is secured and maintained, preserving data integrity and confidentiality.
  • Health Checks and Telemetry: The manifests outline the health checks and telemetry configurations, providing assurance over the level of detail which the enclave makes visible to their administrator.
  • Outbound Traffic and Whitelisting: Control of outbound traffic is a critical security aspect. The manifests details whitelisted Fully Qualified Domain Names (FQDNs) and specify the conditions under which redirects or other routing mechanisms are allowed, ensuring secure external communications.
  • Service Communication and Permissions: The manifests define the communication channels and permissions for services within the enclave, delineating who can communicate with whom and under what conditions. This ensures a controlled environment where each service operates within its authorised scope.

OBLV's explainable architecture, anchored in these comprehensive secondary manifests, significantly enhances the system's security and compliance capabilities. It provides a transparent and detailed view of the enclave's configuration and management, strengthening trust in the system’s security and simplifying compliance with regulatory standards.

2024 Oblivious Software Ltd. All rights reserved.