Abstract: Confidential Computing (CC) has received increasing attention in recent years as a mechanism to protect user data from untrusted operating systems (OSes). Existing CC solutions hide confidential memory from the OS and/or encrypt it to achieve confidentiality. In doing so, they render OS memory optimization unusable or complicate the trusted computing base (TCB) required for optimization. This paper presents our results toward overcoming these limitations, synthesized in a CC design named Blindfold. Like many other CC solutions, Blindfold relies on a small trusted software component running at a higher privilege level than the kernel, called Guardian. It features three techniques that can enhance existing CC solutions. First, instead of nesting page tables, Guardian mediates how the OS accesses memory and handles exceptions by switching page and interrupt tables. Second, Blindfold employs a lightweight capability system to regulate the kernel's semantic access to user memory, unifying case-by-case approaches in previous work. Finally, Blindfold provides a carefully designed secure ABI for confidential memory management without encryption. We report an implementation of Blindfold that works on ARMv8-A/Linux. Using the Blindfold prototype, we are able to evaluate the cost of enabling confidential memory management by the untrusted Linux kernel. We show Blindfold has a smaller runtime TCB than related systems and enjoys competitive performance. More importantly, we show that the Linux kernel, including all of its memory optimizations except memory compression, can function properly for confidential memory. This requires only about 400 lines of kernel modifications.
What problem does this paper attempt to address?
The paper aims to let an untrusted operating system manage and optimize the memory of sensitive applications without sacrificing data confidentiality. Existing Confidential Computing (CC) solutions usually protect user data by hiding or encrypting memory. As a result, the operating system cannot effectively perform its memory management tasks, such as page migration and large-page support, which hurts the performance of big-data applications. These solutions may also expand the Trusted Computing Base (TCB), increasing security risks. And when the kernel needs plain-text access to user memory, for example to read system call parameters, they often adopt a case-by-case approach, which adds complexity and overhead.
To solve these problems, the paper proposes a design named Blindfold. The main objectives of Blindfold include:
1. **Enhance existing CC solutions**: Blindfold introduces three techniques to overcome the limitations of existing CC solutions:
   - **Switch rather than nest page tables**: Blindfold manages the operating system's access to memory by switching page tables and interrupt tables instead of nesting them, thereby reducing the size and complexity of the TCB.
   - **Lightweight capability system**: Blindfold uses a lightweight capability system to uniformly manage the semantic access of the operating system to user memory, avoiding the TCB expansion caused by the case-by-case approach.
   - **Secure ABI**: Blindfold provides a secure ABI to manage non-semantic kernel access, allowing the operating system to perform necessary memory operations, such as page clearing and copying, without encryption.
2. **Support operating system optimization**: Blindfold enables the Linux kernel and most of its optimization functions (except memory compression) to work normally when dealing with confidential memory, with only about 400 lines of kernel code modification.
3. **Improve performance**: With the above design, the performance impact of Blindfold on unprotected memory and computationally-intensive applications is about 3% to 25% while maintaining confidentiality; for protected applications it is 10% to 44%. For I/O-intensive applications, Blindfold does bring a relatively large performance overhead, but it mainly comes from encryption and control-flow changes rather than from memory access.
In summary, Blindfold aims to achieve efficient memory management and optimization in a confidential computing environment through innovative technical means while maintaining system security and performance.