Asylo Open-Source Framework Tackles TEEs for Cloud

Asylo, an open-source framework and software development kit (SDK) for creating applications that run in trusted execution environments (TEEs), has launched to tackle the complexity involved in running a confidential computing platform for workloads in the cloud and virtual environments.

TEEs provide additional verifiable isolation for sensitive workloads, helping to defend against attacks targeting underlying layers of the cloud stack, including the operating system, hypervisor, drivers and firmware. This is done by creating secure computing islands known as enclaves. Enclaves provide isolation that can better protect use cases that depend on “secrets,” like encryption keys or algorithms. For example, voting systems may have a private key that’s used to sign ballots or encrypt data – a bedrock requirement for the integrity of the system. Enclaves are meant to ensure the continued confidentiality of the key.

Asylo takes its name from the Greek word “άσυλο,” meaning “sanctuary,” “shelter” or “safe place” — it’s the root of today’s English word, “asylum.” As its moniker suggests, its purpose is to pave the way to using TEEs to build trust across various cloud-related use cases and applications, including 5G, virtual network functions (VNFs), blockchain, payments, voting systems, secure analytics and others that require secure application secrets.

For cloud security, Asylo and confidential computing in general are looking to address a Holy Grail of sorts: Making sure that the most sensitive secrets and data are available only in the closed environment of enclaves and inaccessible to unauthorized parties, including the underlying cloud providers themselves.

However, there are some barriers to TEE adoption for cloud: For one, developing and running applications in a TEE generally requires specialized knowledge and tools; and two, implementations have been tied to specific hardware environments, which means that they’re difficult to adapt for cloud services. Asylo, initially designed by Google, aims to make TEEs much more broadly accessible to the developer community, both on-premises and in the cloud, in order to accelerate the use of secure enclaves for high-security assurance applications in cloud and container environments.

“Broader adoption of confidential computing and enclavized applications will offer strong confidentiality and integrity protection at run time,” said Nelly Porter, a Google Cloud senior product manager, in an interview with Threatpost. “This direction is aligned with the primary objectives of computer security: providing confidentiality, integrity and availability of applications and data.”

Asylo is also working with multiple academic research communities around the globe, including the University of California at Berkeley and Berkeley Lab, Imperial College in London, Technische Universität Braunschweig, and the National University of Singapore, to focus on cutting down the complexity that exists in adopting cloud applications to various TEEs.

“Every one of them had to come up with their own adoption and abstraction layer or SDK to be able to continue their research in this area,” Porter told us. “Asylo is attempting to create consensus on how to use various TEEs without complexity, by removing additional security concerns [and enabling developers to] make their enclavized apps portable and able to run on many, yet-to-come TEE environments,” she added.