System Software and Operation
Enabling the Use of High-Level Programming Languages in Hardware Enclaves
Data breaches have long raised concerns about the privacy and security of sensitive data in the cloud. One proven countermeasure is encryption, a useful tool for protecting data both in the cloud and on-premise. However, its use has largely been limited to protecting data at rest and data in motion; data being processed remains exposed to a variety of malicious attacks.
Today, a promising approach to cloud security is confidential computing powered by hardware enclaves, which has the potential to become a fundamental security building block for the enterprise. The core value of an enclave is its ability to isolate software and data from the underlying infrastructure (OS, hypervisor, or BIOS) using hardware-level encryption, making it difficult for attackers to recover private data without legitimate authorization, even with physical access to the infrastructure. In any cloud infrastructure, the data and applications running within secure enclaves become inaccessible even to the cloud service provider.
The downside is that programming in a high-level language inside an enclave presents significant challenges for developers. The enclave execution environment usually provides only a restricted set of CPU instructions, whereas many of a high-level language's built-in capabilities depend on APIs provided by the host environment.
In today's world, most enterprise applications are written in high-level languages. For example, Java is the most popular programming language in the world, yet it cannot easily be used in an enclave environment. Many cloud businesses, such as finance and insurance, are programmed in Java and have strong data-security requirements. This research project is designed to address the challenges specific to supporting enterprise-level languages in enclaves.
- Support high-level languages running in an enclave environment (mainly Intel SGX), including but not limited to Java and Go (Golang). Candidate technical approaches include a library OS (LibOS), Graal (GraalVM), and WebAssembly (Wasm).
- Provide diagnostic tools for programs written in high-level languages running inside an enclave.
- Design and implement SDKs for high-level languages that allow users to work with enclaves directly.
- Automatically partition the confidential part of a program into the enclave, combining ease of use with native performance.
Related Research Topics
- Java architecture for confidential computing
- Confidential computing in hardware
- Cloud infrastructures with Intel SGX
- Cloud computing system based on a confidential computing platform
- WebAssembly-based Sandbox for Trusted Resource Accounting
- Java Partitioning Framework for Hardware Enclaves
Suggested Collaboration Method
AIR (Alibaba Innovative Research), one-year collaboration project.