Trustworthy confidential virtual machines for the masses

Publikation: Beitrag in Buch/Konferenzbericht/Sammelband/GutachtenBeitrag in KonferenzbandBeigetragenBegutachtung

Beitragende

Abstract

Confidential computing alleviates the concerns of distrustful customers by removing the cloud provider from their trusted computing base and resolves their disincentive to migrate their workloads to the cloud. This is facilitated by new hardware extensions, like AMD's SEV Secure Nested Paging (SEV-SNP), which can run a whole virtual machine with confidentiality and integrity protection against a potentially malicious hypervisor owned by an untrusted cloud provider. However, the assurance of such protection to either the service providers deploying sensitive workloads or the end-users passing sensitive data to services requires sending proof to the interested parties. Service providers can retrieve such proof by performing remote attestation while end-users have typically no means to acquire this proof or validate its correctness and therefore have to rely on the trustworthiness of the service providers. In this paper, we present Revelio, an approach that features two main contributions: i) it allows confidential virtual machine (VM)-based workloads to be designed and deployed in a way that disallows any tampering even by the service providers and ii) it empowers users to easily validate their integrity. In particular, we focus on web-facing workloads, protect them leveraging SEV-SNP, and enable end-users to remotely attest them seamlessly each time a new web session is established. To highlight the benefits of Revelio, we discuss how a standalone stateful VM that hosts an open-source collaboration office suite can be secured and present a replicated protocol proxy that enables commodity users to securely access the Internet Computer, a decentralized blockchain infrastructure.

Details

OriginalspracheEnglisch
TitelMiddleware 2023 - Proceedings of the 24th ACM/IFIP International Middleware Conference
Seiten316–328
Seitenumfang13
ISBN (elektronisch)9798400701771
PublikationsstatusVeröffentlicht - 27 Nov. 2023
Peer-Review-StatusJa

Externe IDs

Scopus 85179884949
Mendeley 175822b3-b3ec-39fc-8498-4d9a13ed83b2

Schlagworte

ASJC Scopus Sachgebiete

Schlagwörter

  • AMD SEV-SNP, Attestation, Confidential Computing, TEEs, TLS