TUM Logo

Minimal Runtime in Rust for seL4-based Confidential Computing VMs

Minimal Runtime in Rust for seL4-based Confidential Computing VMs

Supervisor(s): Alexander Weidinger, Oliver Braunsdorf
Status: finished
Topic: Others
Author: Florian Freund
Submission: 2023-05-15
Type of Thesis: Masterthesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching


Cloud computing is becoming increasingly popular, but it raises concerns
about data security and privacy when it comes to confidential
workloads. To protect intellectual property and business secrets, the
cloud provider must be trusted. In the case of a compromised cloud
provider, confidential code and data are at high risk. One solution is
the use of confidential computing VMs with a hardware-based root of
trust. This allows customers of cloud VMs to establish trust in the
confidentiality of code and data. There are solutions that use
microkernels to minimize the TCB and that can run trusted services
written in secure programming languages. However, existing solutions
primarily focus on minimizing the TCB but do not combine only components
with the highest security level. This approach minimizes the TCB in
code size, but does not minimize the attack vector. To address this
limitation, a novel approach is needed that combines the TCB
minimization through microkernels with the exclusive use of
high-security-level components through formal verification and secure
programming languages.

We propose a solution using the formally verified seL4 with trusted services
written in Rust in a confidential computing VM to maximize the security of
confidentiality of code and data. Rust is programming language that prevents
the most common security vulnerabilities through memory safety guarantees and
data race prevention. We first survey existing solutions that enable the execution
of Rust programs on seL4 and then extend one of them with the
confidential computing concept. Our solution provides remote attestation
and a secure deployment mechanism for code. To enhance security, our
design minimizes the TCB by moving complex tasks like protocol parsing
into a separate untrusted VM.

We test the resulting design with a proof of concept trusted service.
We then evaluate its security, performance, and suitability for usage
in productive environments. The results show that the attack surface is small,
and performance is similar or even better compared to a normal Linux environment.