Background
Recent advancements in platform security, standardization and software development enable radical improvements in the security and privacy of cloud data and workloads. This allows to create isolated, verifiable and user-controlled confidential computing environments that radically alter the trust relationship between customer businesses and cloud service providers. Platform vendor technologies such as Intel TDX, and AMD SEV and IBM PEF allow launching virtual machines with encrypted memory that can be remotely attested by users. This enables more businesses to migrate their data, processing, or the entire software stack to cloud premises, while significantly reducing related risks and simplifying compliance. Combined with other Privacy Enhancing Technologies, confidential computing enables new business models for data and workload collaboration. However, existing gaps in the protocol stack and tooling slow down the wider adoption of confidential computing in cloud settings.
Objectives
We use the latest hardware support for security features in commodity platforms (AMD SEV/Intel TDX/IBM PEF) to enable confidential data analytics collaboration while providing strong security and privacy guarantees about client data and workloads throughout the entire lifecycle. An important outstanding challenge is the provable destruction of the confidential computing environments once the workload has been executed. The thesis includes the following objectives:
- Review existing approaches to confidential enclave deployment and destruction;
- Identify gaps, vulnerabilities and potential attacks resulting from missing or incomplete enclave destruction mechanisms.
- Where necessary, design a mechanism for provable / verifiable enclave destruction;
- Provide a prototype implementation and a written report on the findings.
Implementation on x86 platforms, with a potential to also examine POWER9 and POWER10 server platforms. A successful project could lead to a valuable open-source contribution and an academic publication presented at a prestigious conference or workshop.
Terms
- Supervisor: Nicolae Paladi, PhD (nicolae@canarybit.eu)
- Scope: 30 points
- Start: As soon as possible.
- Compensation: 10 000 SEK upon a successful completion of the thesis.
Candidate profile:
We expect you to have good programming skills in: C, Python and Rust + UNIX skills. Furthermore, you have an interest in operating systems, virtualization, cloud computing, systems security and cryptography. Solid oral and written English skills are required.
Send in your application as soon as possible. Applications will be reviewed on a rolling basis. Applications should include:
- Your CV with your education, professional experience and specific skills
- A written report you authored or co-authored for a university level course.
- Samples of previous programming or other relevant projects.
- Recent grades (academic transcript).