AUSTIN, TEX. Back when they worked at Red Hat, Mike Bursell and Nathaniel McCallum grappled with the challenges of confidential computing isolating an organizations most sensitive data in a secure enclave while processing it.
Confidential computing is of particular use to organizations that deal in sensitive, high value data such as financial institutions, but also a wide variety of organizations.
We felt that confidential computing was going to be a very big thing be that it should be easy to use, said Bursell, was then chief security architect in the office of Red Hats chief technology officer. And rather than having to rewrite all the applications and learn how to use confidential computing, it should be simple.
But it wasnt simple. Among the biggest puzzles: attestation, the mechanism by which a host measures a workload cryptographically and communicates that measurement to a third party.
One of the significant challenges that we have is that all the attestation processes are different, said McCallum, who led Red Hats confidential computing strategy as a virtualization security architect.
And all of the technologies within confidential computing are different. And so theyre all going to produce different cryptographic caches, even if its the same underlying code thats running on all.
And with more organizations deploying their workloads to multicloud and hybrid environments, these differences pose a technical problem for workload equivalence. If a single workload is deployed to three different architectures, with three different technologies running their confidential computing, McCallum asked, how do I know that those are all the same?
At Red Hat, McCallum and Bursell worked on a solution to this issue and initiated a project called Enarx, an open source framework for running applications in Trusted Execution Environments (TEEs). Red Hat donated Enarx to the Linux Foundations Confidential Computing Consortium.
In 2021, Bursell, based near Cambridge, England, and McCallum, who lives near Raleigh, N.C., co-founded a company, Profian, built around Enarx. In doing so, they planted a flag in the rapidly growing WebAssembly territory.
At the Linux Foundations Open Source Summit North America in June, Profians two co-founders told The New Stack about their plans for the project, which CEO Bursell said include releasing a minimum viable product (MVP) this quarter.
The solution to the attestation challenge, McCallum said, was to use some sort of bytecode, like WebAssembly (Wasm). (McCallum, Profians chief technology officer, was a founding member of the Bytecode Alliance while at Red Hat; Bursell serves as a director on its governing board.)
Wasm, a binary instruction format for a stack-based virtual machine, works as a portable compilation target for programming languages, enabling deployment on the web for client and server applications.
WebAssembly allows you to say, Ive created a single application, and I can prove that that is exactly the application thats running on all of these instances. Cryptographic proof. And thats the big win.
Mike Bursell, co-founder and CEO, Profian
WebAssemblys vaunted advantage build once, run anywhere avoids having to build systems to manage all the cryptographic caches generated from the various attestation technologies in the various deployment environments.
Enarx provides a single run-time TEE and attestation based on WebAssembly, allowing developers to deploy applications using their preferred language, such as Rust, C/C++, C#, Go, Java, Python, Haskell and more. Even COBOL.
The framework is both hardware and cloud service provider neutral; in keeping with Wasms promise of build once, run anywhere, developers can deploy the same code transparently across multiple targets.
WebAssembly allows you to say, Ive created a single application, and I can prove that that is exactly the application thats running on all of these instances. Cryptographic proof, Bursell said.
And thats the big win, quite apart from the fact that WebAssembly allows us to run on Intel boxes, ARM boxes, AMD boxes, with exactly the same binary bytecode, which is just fantastic for us.
The problem that Enarx is designed to address is widespread.
Its difficult to find people who dont have the problem, Bursell said. If youve got sensitive data or sensitive applications, and youre highly regulated, or strongly audited, or just risk-averse, you just cant put certain workloads in the cloud. Banks cant, health care, pharmaceutical, energy, telco, government, defense, security not to mention just standard enterprises.
As a result, he added, those organizations have to keep that data on-premises, forgoing the benefits of the cloud. And that means that its not just the cost of keeping all that going. Its the inability to be able to surge out into the cloud and scale up quickly, as things take off.
Mike Bursell, CEO and co-founder of Profian.
If youve got a new application, and suddenly everyones using it, can you afford to wait five weeks to get a new server? No, you cant; you want to be able to put it straight in the cloud.
Confidential computing offers the promise of ironclad privacy, Bursell noted: Not even the cloud service provider can look in, or change your application or your data. For an organization that not only deals with sensitive customer data but also proprietary information, such as an investment algorithm for a financial-service company.
The crown jewels of the investment bank are actually in the application, rather than the data, he said.
Also, McCallum said, new use cases are just around the corner, due to the increasingly distributed nature of networks, through the edge and the Internet of Things (IoT).
The perimeter is gone, Profians CTO said. If theres anything the last 15, 20 years told us, the attacks are both external and internal. And so if youre going to protect this stuff, even internally, even on-prem, you still need all of the same guarantees.
As it continues to develop Enarx and move toward an MVP, Profian has established partnerships with a number of tech companies, including Enarx project sponsors Equinix and PhoenixNAP. It is also working closely with chip manufacturers IBM, Intel, AMD and ARM.
Profians solution requires server chips at least the level of the Ice Lake Xeon Scalable or the AMD Milan Epyc, which the major cloud providers are now in the midst of deploying, McCallum said. The company is also making plans to support ARMs Version 9 CCA Realms and Intels forthcoming TDX.
One of the things were about is allowing people to deploy wherever the hardware is, Bursell said. There may be particular reasons to select a particular CSP or particular geography. But you get the same assurances whether youre deploying in Dublin or in San Francisco or in Shanghai because youre using the same chips with the same cryptographic proofs.
Nathaniel McCallum, co-founder and CTO of Profian.
And because Enarx is built on WebAssembly, he added, it doesnt matter where the workload is deployed.
McCallum echoes this notion. There are some people who are in desperate amounts of pain, who need this stuff yesterday, he said. And theyre deploying on existing infrastructures. So theyre coding specifically to that hardware technology. But if that becomes vulnerable, right, what are your options to switch to another hardware technology?
One of the key advantages that WebAssembly gives us is that, if there is a hardware vulnerability on one platform, youre not sunk. You can just deploy on another platform, whilst we created the mitigation with the hardware vendor.
And, he added, as new platforms become available, such as ARMs, you dont have to modify your workload at all, your workload stays exactly the same. And all of a sudden you just get new platform support. And then as soon as the hardware is available, you continue to deploy, exactly the way youve always deployed in the past.
As a model for how to introduce a new project to the developer community, Bursell looks to Docker, the Platform as a Service project that allows devs to build, test and deploy apps quickly.
One of these Docker got right in the early days, just make it really easy for people try stuff out, he said. And thats absolutely the approach that we think is right.
Therefore, Profian launched a demo of Enarx at the end of July. Anyone can use it, anyone can play with it, Bursell said. Because we want to make it easy to play with.
All of a sudden, WebAssembly is going to emerge very quickly as a mature stable platform, with very broad language support.
Nathaniel McCallum, co-founder and CTO, Profian
The demo, McCallum said, will allow users to deploy a workload for a short period of time, without having to set anything up: The hardware or the kernel, all the cloud resources, everything is set up for you. And it gives you a chance to actually experiment with the platform with zero friction, essentially.
The ease of debugging in confidential computing will be showcased as part of the demo, Bursell said. The debugging environment Profian will provide, he said, will use the same environment and the Wasm runtime.
You can test it on your Linux box, on your Mac, on your Windows box, or even on a Raspberry Pi. So you can test it and know what youre running once, then deploy it into a Trusted Execution Environment with Profian, and itll still work.
As it leaves the browser, WebAssembly is just beginning to deliver on its promise, said McCallum.
For a lot of people, it feels like its a long time coming and never here, he said. But theres a lot of work happening. And its happening in precisely those ways that dont draw a lot of attention to the people who are working on them. And so all of a sudden, WebAssembly is going to emerge very quickly as a mature stable platform, with very broad language support.
For more on whats new in Wasm, check out this recent episode of The New Stacks Makers podcast, recorded at Open Source Summit North America in June:
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker.
Featured image by Jason Pofahl via Unsplash.
Go here to read the rest:
Confidential Computing with WebAssembly The New Stack - thenewstack.io
- Calls to Ban Open Source are Misguided and Dangerous - The New Stack - June 26th, 2024
- Delving the Risks and Rewards of the Open-Source Ecosystem - InformationWeek - June 26th, 2024
- Enhancing security through collaboration with the open-source community - Help Net Security - June 18th, 2024
- It's time to face the open source security problem - ITPro - June 18th, 2024
- Mistral AI just launched 'Codestral', its own competitor to Code Llama and GitHub Copilot and it's fluent in over 80 ... - ITPro - June 2nd, 2024
- Open-source cybersecurity could derail the internet as we know it - Quartz - May 15th, 2024
- Developer Experience Influenced by Open Source Culture - InfoQ.com - May 15th, 2024
- BLint: Open-source tool to check the security properties of your executables - Help Net Security - May 15th, 2024
- Modular Open-Sources Mojo: The Programming Language that Turns Python into a Beast - MarkTechPost - April 2nd, 2024
- Meet the 21-Year-Old Creator of Devika, the Indian Open Source Devin Alternative - Analytics India Magazine - April 2nd, 2024
- Is Open Source Under Threat or Primed to Go to the Next Level? - The New Stack - March 13th, 2024
- Where is Technology Headed in 2024? - Open Source For You - March 13th, 2024
- A Detailed Conversation on Open-Source AI Frameworks for MLOps Workflows and Projects - AiThority - March 5th, 2024
- Everything you need to know about GitHub's new push protection changes - ITPro - March 5th, 2024
- StarCoder 2 is a code-generating AI that runs on most GPUs - TechCrunch - March 5th, 2024
- Is the future of open source software at risk due to protestware? - Tech Xplore - February 25th, 2024
- Google unveils new family of open-source AI models called Gemma to take on Meta and othersdeciding open-source AI aint so bad after all - Fortune - February 25th, 2024
- Jim Zemlin and the Linux Foundation share not-so-secret open-source sauce - ZDNet - February 25th, 2024
- Open source vs closed source AI: What's the difference and why does it matter? - Euronews - February 25th, 2024
- Biden administration to debate whether all AI systems should be open-source or closed - Firstpost - February 25th, 2024
- Some Linkerd service mesh users will soon have to pay - TechTarget - February 25th, 2024
- A lone developer just open sourced a tool that could bring an end to Nvidia's AI hegemony AMD financed it for ... - TechRadar - February 25th, 2024
- Scoping Out the Software-Defined Vehicle: The Benefits of OTA Updates & Open Source - Embedded Computing Design - February 25th, 2024
- The importance and limitations of open source AI models - TechTarget - February 9th, 2024
- 15+ Popular Python IDEs in 2024: Choosing The Best One - Simplilearn - February 9th, 2024
- Balancing Innovation and Security: The Open-Source Conundrum - BNN Breaking - February 9th, 2024
- VCs and startups love open-source AI models but how will they make money? - Sifted - February 9th, 2024
- How better and cheaper software could save millions of dollars while improving Canada's health-care system - The Conversation Indonesia - February 9th, 2024
- Best of 2023: Are We Witnessing the End of Open Source? - DevOps.com - December 28th, 2023
- What comes after open source? Bruce Perens is working on it - The Register - December 28th, 2023
- 200 GB of GTA 5 source code is about to get leaked, making it an open source: Report - Sportskeeda - December 28th, 2023
- Never was so much owed by so many to so few - a look at the unheralded heroes of the open source world - TechRadar - December 28th, 2023
- Rockstar hit with another cyberattack, leaked GTA 5 source code reveal cancelled DLC plans - Times of India - December 28th, 2023
- What is open source software? - Android Police - December 20th, 2023
- Feds Warn Health Sector to Watch for Open-Source Threats - BankInfoSecurity.com - December 11th, 2023
- OpenTofu: Open-source alternative to Terraform - Help Net Security - December 11th, 2023
- AWS exec: 'Our understanding of open source has started to change' - The Register - December 11th, 2023
- Mark Jelic Rings in 40 Years Since the TEC-1 Launch with a New, Open Source, Upgraded TEC-1G SBC - Hackster.io - December 11th, 2023
- AI's future could be 'open-source' or closed. Tech giants are divided as they lobby regulators - Tech Xplore - December 11th, 2023
- Cyber Security Today, Nov. 24, 2023 A warning to tighten security on Kubernetes containers, and more - IT World Canada - November 25th, 2023
- This AI Paper Proposes ML-BENCH: A Novel Artificial Intelligence Approach Developed to Assess the Effectiveness of LLMs in Leveraging Existing... - November 25th, 2023
- Generative AI is a genuine breakthrough unlike most fads in tech: Zerodha CTO Kailash Nadh on the current waves in tech - The Hindu - October 27th, 2023
- Meet RedPajama: An AI Project to Create Fully Open-Source Large Language Models Beginning with the Release of a 1.2 Trillion Token Dataset -... - April 25th, 2023
- Hashtag Trending Apr.24th- Cybersecurity workers burnout; Code generated by ChatGPT and Googles Bard not very secure; Execs would want a robot to make... - April 25th, 2023
- This AI Project Brings Doodles to Life with Animation and Releases Annotated Dataset of Amateur Drawings - MarkTechPost - April 17th, 2023
- EU shares best practices with Ukrainian law enforcers on Open Source Intelligence and Criminal Analysis to - EIN News - April 8th, 2023
- 'I've never seen anything like this:' One of China's most popular apps has the ability to spy on its users, say experts - CNN - April 8th, 2023
- With Just ~20 Lines of Python Code, You can Do Retrieval Augmented GPT Based QA Using This Open Source Repository Called PrimeQA - MarkTechPost - March 5th, 2023
- Daily Crunch: Hundreds of Salesforce workers laid off in January just discovered they were out of work today - TechCrunch - February 7th, 2023
- Unlocking the power of Open AI: how to automate information extraction - The Hindu - February 7th, 2023
- Is composable business most essential technology trend to meet challenges of 2023 and beyond? - ComputerWeekly.com - January 30th, 2023
- Open Definition & Meaning | Dictionary.com - January 22nd, 2023
- 529 Synonyms & Antonyms of OPEN - Merriam-Webster - January 22nd, 2023
- Open Definition & Meaning - Merriam-Webster - January 22nd, 2023
- Can Wazuh Become The Worlds Largest Open Source Cybersecurity Platform And IPO Without VC Funding? - Forbes - January 6th, 2023
- 8 Free/Open Source Code Review Tools for 2022 - SoftwareSuggest - December 28th, 2022
- Finding the next Log4j OpenSSFs Brian Behlendorf on pivoting to a risk-centred view of open source development - The Daily Swig - December 28th, 2022
- Nithin Kamath says FOSS is the 'pillar' on which Zerodha has been built. What is it? - Business Today - December 28th, 2022
- How Dogeliens Will Take Over the Metaverse Like Bitcoin and Stellar Took Over the Crypto World. - newsbtc.com - December 28th, 2022
- Intrinsic Buys Open Robotics' Commercial Arm, But Leaves ROS and Gazebo with the Foundation - Hackster.io - December 20th, 2022
- Open-source code is everywhere; GitHub expands security tools to help ... - December 20th, 2022
- Security Of Enterprise Code: What Companies Using Open-Source Software Should Know About Binary Code Verification - Forbes - December 20th, 2022
- Open Source - Apple Developer - December 12th, 2022
- Your Code of Conduct | Open Source Guides - December 12th, 2022
- Code of Conduct | Meta Open Source - Facebook - December 12th, 2022
- From the creator of Homebrew, Tea raises $8.9M to build a protocol that helps open source developers get paid - TechCrunch - December 12th, 2022
- Consortium of Japan partners successfully promote domestic production and cost reduction for 5G core technology, the basis for next-generation... - November 25th, 2022
- GitHub Vulnerability Allows Hackers to Hijack Thousands of Popular Open-Source Packages - CPO Magazine - November 17th, 2022
- GitHubs Octoverse report finds 97% of apps use open source software - VentureBeat - November 17th, 2022
- Microsoft sued for open-source piracy through GitHub Copilot - BleepingComputer - November 7th, 2022
- The White House Memorandum on Securing the Software Supply Chain: What It Means for Your Organization - Security Boulevard - November 7th, 2022
- First Timers Only - Get involved in Open Source and commit code to your ... - October 23rd, 2022
- List of free and open-source software packages - Wikipedia - October 23rd, 2022
- What is open source? - Red Hat - October 23rd, 2022
- Introducing Triton: Open-Source GPU Programming for Neural Networks - October 23rd, 2022
- Comparison of open-source and closed-source software - October 23rd, 2022
- Java 19 Brings New Patterns to Open Source Programming Language - October 23rd, 2022
- API series - OctoML: ML APIs need to take a lesson from their ancestors - ComputerWeekly.com - October 23rd, 2022
- Benefits of working with open source data quality solutions - TechRepublic - October 15th, 2022
- Microsoft's GitHub Copilot AI is making rapid progress. Here's how its human leader thinks about it - CNBC - October 15th, 2022