What is Confidential Computing?
Naively outsourcing sensitive computations to a remote party can lead to information leakage. In a cloud environment, users rent virtual machines created by hypervisors. The entire infrastructure is maintained by a cloud administrator who controls the hardware and the software running on it. An administrator can dump the memory of a virtual machine to read the sensitive data it holds; hypervisors often provide such a feature for debugging purposes.
Other cloud customers may have malicious intentions and attempt to infiltrate a cloud provider's system. With multiple cloud customers using the same system at the same time, if an attacker manages to break out of their virtual machine, they can also perform a memory dump or control the lifecycle of any virtual machine they want.
In addition, cloud customers must trust the cloud provider to securely configure their virtual machine. One type of misconfiguration would be to put two virtual machines from two different customers on the same virtual private network. If one of the cloud customers considers the virtual private network to be trustworthy, the consequences can be significant. Also, a cloud provider may be forced by law to turn over a cloud customer's data to the police/government.
For privacy-sensitive or confidential customer applications, all of the above threats can be a huge problem. Consider the healthcare industry using the cloud for remote patient monitoring and storing patient data in the cloud. Even if the data is stored in encrypted form, when the data is accessed and loaded into RAM, it must be decrypted in order to be used effectively, making it possible for someone with system access to read the data in RAM. Medical information is sensitive and should remain confidential. Here, a malicious adversary could distribute the captured data on the dark net.
Confidential computing is designed to provide a hardware-based Trusted Execution Environment (TEE) for remote computing in an untrusted environment, such as the cloud, and to protect the data used there. A TEE isolates the code running inside it from the rest of the software stack. There are process-based TEEs and virtual machine-based TEEs. Applications or virtual machines using confidential computing are protected from all privileged software and from hardware devices. This is achieved through hardware memory encryption, memory integrity protection, and isolation from other software. As a result, users need to trust only the CPU vendor to implement the TEE correctly. Another important feature of confidential computing is remote attestation, which allows users to verify that their code is actually running in a TEE before they deploy sensitive data to it. In remote attestation, the trusted hardware produces a signed measurement of the TEE, and the remote party compares that measurement against the expected measurement. A TEE's measurement is equivalent to its identity.
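The following added example models the remote attestation flow described above; it is illustrative code written for this page, not the implementation of any vendor's TEE. It assumes a measurement that is a hash over the code and configuration loaded into the TEE, and it stands in for the hardware's vendor-rooted asymmetric signing key with a constructed HMAC key so the example runs with only the standard library. The verifier checks the signature, a freshness nonce, and the measurement before releasing a secret.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the hardware attestation key. A real TEE signs reports
# with a key rooted in the CPU vendor; an HMAC key is used here only so the
# example runs offline with the standard library.
ATTESTATION_KEY = b"constructed-hardware-key-for-example-only"


def measure_tee(code: bytes, config: bytes) -> str:
    """Measurement: a hash over the initial code and configuration loaded into the TEE.

    Lengths are prefixed so that (code, config) boundaries cannot be shifted
    without changing the digest.
    """
    h = hashlib.sha256()
    h.update(len(code).to_bytes(8, "big") + code)
    h.update(len(config).to_bytes(8, "big") + config)
    return h.hexdigest()


def _canonical(report: dict) -> bytes:
    # Canonical encoding so signer and verifier hash exactly the same bytes.
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def hardware_attest(code: bytes, config: bytes, nonce: bytes) -> dict:
    """Role of the trusted hardware: measure the TEE and sign the report.

    The verifier-supplied nonce is bound into the report so a report cannot be
    replayed for a later session.
    """
    report = {"measurement": measure_tee(code, config), "nonce": nonce.hex()}
    signature = hmac.new(ATTESTATION_KEY, _canonical(report), hashlib.sha256).hexdigest()
    return {"report": report, "signature": signature}


def verify_attestation(attestation: dict, expected_measurement: str, nonce: bytes):
    """Role of the remote party: accept the TEE only if every check passes.

    Returns (ok, reason) so the caller can log why a report was rejected.
    """
    report = attestation["report"]
    expected_sig = hmac.new(ATTESTATION_KEY, _canonical(report), hashlib.sha256).hexdigest()
    # 1. The report must come from the trusted hardware (signature over the report).
    if not hmac.compare_digest(expected_sig, attestation["signature"]):
        return False, "signature invalid"
    # 2. The report must be fresh for this session (nonce we chose is echoed back).
    if report["nonce"] != nonce.hex():
        return False, "nonce mismatch (stale or replayed report)"
    # 3. The measurement is the TEE's identity; it must match what we expect to run.
    if not hmac.compare_digest(report["measurement"], expected_measurement):
        return False, "measurement mismatch"
    return True, "ok"


def release_secret_if_trusted(attestation: dict, expected_measurement: str,
                              nonce: bytes, secret: bytes):
    """Deploy sensitive data only after attestation succeeds; otherwise return None."""
    ok, _reason = verify_attestation(attestation, expected_measurement, nonce)
    return secret if ok else None


if __name__ == "__main__":
    # Constructed sample workload: the code and config the customer expects in the TEE.
    code = b"patient-monitoring-service v1"
    config = b"debug=off"
    expected = measure_tee(code, config)
    nonce = bytes(range(16))  # constructed session nonce chosen by the verifier
    attestation = hardware_attest(code, config, nonce)
    print(verify_attestation(attestation, expected, nonce))
    print(release_secret_if_trusted(attestation, expected, nonce, b"patient-db-key"))
```

The expected measurement is computed by the customer from the exact code and configuration they intend to deploy, so any change to what the hardware actually loaded produces a different identity and the secret is withheld; the nonce check is what prevents an old, once-valid report from being reused.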