Confidential Computing with WebAssembly The New Stack – thenewstack.io

Posted on by

AUSTIN, TEX. Back when they worked at Red Hat, Mike Bursell and Nathaniel McCallum grappled with the challenges of confidential computing isolating an organizations most sensitive data in a secure enclave while processing it.

Confidential computing is of particular use to organizations that deal in sensitive, high value data such as financial institutions, but also a wide variety of organizations.

We felt that confidential computing was going to be a very big thing be that it should be easy to use, said Bursell, was then chief security architect in the office of Red Hats chief technology officer. And rather than having to rewrite all the applications and learn how to use confidential computing, it should be simple.

But it wasnt simple. Among the biggest puzzles: attestation, the mechanism by which a host measures a workload cryptographically and communicates that measurement to a third party.

One of the significant challenges that we have is that all the attestation processes are different, said McCallum, who led Red Hats confidential computing strategy as a virtualization security architect.

And all of the technologies within confidential computing are different. And so theyre all going to produce different cryptographic caches, even if its the same underlying code thats running on all.

And with more organizations deploying their workloads to multicloud and hybrid environments, these differences pose a technical problem for workload equivalence. If a single workload is deployed to three different architectures, with three different technologies running their confidential computing, McCallum asked, how do I know that those are all the same?

At Red Hat, McCallum and Bursell worked on a solution to this issue and initiated a project called Enarx, an open source framework for running applications in Trusted Execution Environments (TEEs). Red Hat donated Enarx to the Linux Foundations Confidential Computing Consortium.

In 2021, Bursell, based near Cambridge, England, and McCallum, who lives near Raleigh, N.C., co-founded a company, Profian, built around Enarx. In doing so, they planted a flag in the rapidly growing WebAssembly territory.

At the Linux Foundations Open Source Summit North America in June, Profians two co-founders told The New Stack about their plans for the project, which CEO Bursell said include releasing a minimum viable product (MVP) this quarter.

The solution to the attestation challenge, McCallum said, was to use some sort of bytecode, like WebAssembly (Wasm). (McCallum, Profians chief technology officer, was a founding member of the Bytecode Alliance while at Red Hat; Bursell serves as a director on its governing board.)

Wasm, a binary instruction format for a stack-based virtual machine, works as a portable compilation target for programming languages, enabling deployment on the web for client and server applications.

WebAssembly allows you to say, Ive created a single application, and I can prove that that is exactly the application thats running on all of these instances. Cryptographic proof. And thats the big win.

Mike Bursell, co-founder and CEO, Profian

WebAssemblys vaunted advantage build once, run anywhere avoids having to build systems to manage all the cryptographic caches generated from the various attestation technologies in the various deployment environments.

Enarx provides a single run-time TEE and attestation based on WebAssembly, allowing developers to deploy applications using their preferred language, such as Rust, C/C++, C#, Go, Java, Python, Haskell and more. Even COBOL.

The framework is both hardware and cloud service provider neutral; in keeping with Wasms promise of build once, run anywhere, developers can deploy the same code transparently across multiple targets.

WebAssembly allows you to say, Ive created a single application, and I can prove that that is exactly the application thats running on all of these instances. Cryptographic proof, Bursell said.

And thats the big win, quite apart from the fact that WebAssembly allows us to run on Intel boxes, ARM boxes, AMD boxes, with exactly the same binary bytecode, which is just fantastic for us.

The problem that Enarx is designed to address is widespread.

Its difficult to find people who dont have the problem, Bursell said. If youve got sensitive data or sensitive applications, and youre highly regulated, or strongly audited, or just risk-averse, you just cant put certain workloads in the cloud. Banks cant, health care, pharmaceutical, energy, telco, government, defense, security not to mention just standard enterprises.

As a result, he added, those organizations have to keep that data on-premises, forgoing the benefits of the cloud. And that means that its not just the cost of keeping all that going. Its the inability to be able to surge out into the cloud and scale up quickly, as things take off.

Mike Bursell, CEO and co-founder of Profian.

If youve got a new application, and suddenly everyones using it, can you afford to wait five weeks to get a new server? No, you cant; you want to be able to put it straight in the cloud.

Confidential computing offers the promise of ironclad privacy, Bursell noted: Not even the cloud service provider can look in, or change your application or your data. For an organization that not only deals with sensitive customer data but also proprietary information, such as an investment algorithm for a financial-service company.

The crown jewels of the investment bank are actually in the application, rather than the data, he said.

Also, McCallum said, new use cases are just around the corner, due to the increasingly distributed nature of networks, through the edge and the Internet of Things (IoT).

The perimeter is gone, Profians CTO said. If theres anything the last 15, 20 years told us, the attacks are both external and internal. And so if youre going to protect this stuff, even internally, even on-prem, you still need all of the same guarantees.

As it continues to develop Enarx and move toward an MVP, Profian has established partnerships with a number of tech companies, including Enarx project sponsors Equinix and PhoenixNAP. It is also working closely with chip manufacturers IBM, Intel, AMD and ARM.

Profians solution requires server chips at least the level of the Ice Lake Xeon Scalable or the AMD Milan Epyc, which the major cloud providers are now in the midst of deploying, McCallum said. The company is also making plans to support ARMs Version 9 CCA Realms and Intels forthcoming TDX.

One of the things were about is allowing people to deploy wherever the hardware is, Bursell said. There may be particular reasons to select a particular CSP or particular geography. But you get the same assurances whether youre deploying in Dublin or in San Francisco or in Shanghai because youre using the same chips with the same cryptographic proofs.

Nathaniel McCallum, co-founder and CTO of Profian.

And because Enarx is built on WebAssembly, he added, it doesnt matter where the workload is deployed.

McCallum echoes this notion. There are some people who are in desperate amounts of pain, who need this stuff yesterday, he said. And theyre deploying on existing infrastructures. So theyre coding specifically to that hardware technology. But if that becomes vulnerable, right, what are your options to switch to another hardware technology?

One of the key advantages that WebAssembly gives us is that, if there is a hardware vulnerability on one platform, youre not sunk. You can just deploy on another platform, whilst we created the mitigation with the hardware vendor.

And, he added, as new platforms become available, such as ARMs, you dont have to modify your workload at all, your workload stays exactly the same. And all of a sudden you just get new platform support. And then as soon as the hardware is available, you continue to deploy, exactly the way youve always deployed in the past.

As a model for how to introduce a new project to the developer community, Bursell looks to Docker, the Platform as a Service project that allows devs to build, test and deploy apps quickly.

One of these Docker got right in the early days, just make it really easy for people try stuff out, he said. And thats absolutely the approach that we think is right.

Therefore, Profian launched a demo of Enarx at the end of July. Anyone can use it, anyone can play with it, Bursell said. Because we want to make it easy to play with.

All of a sudden, WebAssembly is going to emerge very quickly as a mature stable platform, with very broad language support.

Nathaniel McCallum, co-founder and CTO, Profian

The demo, McCallum said, will allow users to deploy a workload for a short period of time, without having to set anything up: The hardware or the kernel, all the cloud resources, everything is set up for you. And it gives you a chance to actually experiment with the platform with zero friction, essentially.

The ease of debugging in confidential computing will be showcased as part of the demo, Bursell said. The debugging environment Profian will provide, he said, will use the same environment and the Wasm runtime.

You can test it on your Linux box, on your Mac, on your Windows box, or even on a Raspberry Pi. So you can test it and know what youre running once, then deploy it into a Trusted Execution Environment with Profian, and itll still work.

As it leaves the browser, WebAssembly is just beginning to deliver on its promise, said McCallum.

For a lot of people, it feels like its a long time coming and never here, he said. But theres a lot of work happening. And its happening in precisely those ways that dont draw a lot of attention to the people who are working on them. And so all of a sudden, WebAssembly is going to emerge very quickly as a mature stable platform, with very broad language support.

For more on whats new in Wasm, check out this recent episode of The New Stacks Makers podcast, recorded at Open Source Summit North America in June:

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker.

Featured image by Jason Pofahl via Unsplash.

Go here to read the rest:
Confidential Computing with WebAssembly The New Stack - thenewstack.io

Related Post
This entry was posted in $1$s. Bookmark the permalink.