Automatic Compartmentalization of Rust Programs to Simplify Software Development with AMD SEV

Supervisor(s): Oliver Braunsdorf, Christian Epple
Status: finished
Topic: Others
Author: Thomas Nibler
Submission: 2021-09-15
Type of Thesis: Bachelorthesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Description

As more of the world's computing shifts into the cloud, new security questions arise.
Running sensitive workloads on untrusted hardware and operating systems controlled
by cloud providers or third-party attackers can expose data to malicious actors.
Virtual Machine-based Trusted Execution Environments are a proposed solution to this problem,
with implementations and technologies like AMD SEV already being available.
In this thesis, we present Teehouse, an approach to facilitate using VM-based TEEs
by automatically partitioning a Rust application such that sensitive parts run in a secure VM,
while the rest of the application runs in a "regular" VM.
Teehouse allows the application to call sensitive functions or manipulate confidential
data on the server by transparently inserting RPC logic into the code.
We use a client-server model with the sensitive component
acting as a server, accepting requests from the remaining parts of the application
which become the client.
Besides function calls, Teehouse also allows manipulating data in the TEE
from the client without ever exposing it to untrusted environments.
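
The client-server split described above, sketched as an added example; it is not Teehouse's code or generated output. The names `Request`, `Response`, `spawn_tee` and `call` are hypothetical, and a thread with a channel stands in for the secure VM and its RPC transport, so the regular-VM side only ever holds an opaque handle.

```rust
use std::collections::HashMap;
use std::sync::mpsc::{channel, Sender};
use std::thread;

// Hypothetical wire format; the page does not show Teehouse's real protocol.
pub enum Request { Load, Rotate(u64), Verify(u64, Vec<u8>) }
#[derive(Debug, PartialEq)]
pub enum Response { Handle(u64), Done, Bool(bool), BadHandle }
type Call = (Request, Sender<Response>);

// Server: stands in for the sensitive component in the secure VM. The channel
// stands in for the VM boundary; the stored plaintext never crosses it.
pub fn spawn_tee() -> Sender<Call> {
    let (tx, rx) = channel::<Call>();
    thread::spawn(move || {
        let mut store: HashMap<u64, Vec<u8>> = HashMap::new();
        for (req, reply) in rx {
            let resp = match req {
                Request::Load => {
                    let h = store.len() as u64 + 1;
                    store.insert(h, b"constructed-secret".to_vec()); // constructed sample
                    Response::Handle(h)
                }
                // Data is manipulated in place; the client learns only that it happened.
                Request::Rotate(h) => store.get_mut(&h)
                    .map_or(Response::BadHandle, |v| { v.rotate_left(1); Response::Done }),
                // No early exit on the first differing byte; only a bool crosses back.
                Request::Verify(h, guess) => store.get(&h).map_or(Response::BadHandle, |v| {
                    Response::Bool(v.len() == guess.len()
                        && v.iter().zip(&guess).fold(0u8, |d, (a, b)| d | (a ^ b)) == 0)
                }),
            };
            let _ = reply.send(resp);
        }
    });
    tx
}

// Client stub: the shape a rewritten call site in the regular VM could take.
pub fn call(tee: &Sender<Call>, req: Request) -> Response {
    let (tx, rx) = channel();
    tee.send((req, tx)).expect("secure component unavailable");
    rx.recv().expect("no reply from secure component")
}

fn main() {
    let tee = spawn_tee();
    if let Response::Handle(h) = call(&tee, Request::Load) {
        println!("{:?}", call(&tee, Request::Verify(h, b"constructed-secret".to_vec())));
    }
}
```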