Download PDFOpen PDF in browser

Cabin: Confining Untrusted Programs within Confidential VMs

EasyChair Preprint 13841, version 2

Versions: 12history
20 pagesDate: September 21, 2024

Abstract

Confidential computing safeguards sensitive computations from untrusted clouds, with Confidential Virtual Machines (CVMs) providing a secure environment for guest OS. However, CVMs often come with large and vulnerable operating system kernels, making them susceptible to attacks exploiting kernel weaknesses. The imprecise control over read/write access in the page table has allowed attackers to exploit vulnerabilities. The lack of security hierarchy leads to insufficient separation between user and kernel space, making the kernel susceptible to direct threats from untrusted programs. This study proposes Cabin, an isolated execution framework within guest VM utilizing the latest AMD SEV-SNP technology. Cabin shields untrusted processes to the user space of a lower VMPL by introducing a proxy-kernel between the confined processes and the guest OS. Furthermore, we propose execution protection mechanisms based on fine-gained control of VMPL privilege for vulnerable programs and the proxy-kernel to minimize the attack surface. We introduce asynchronous forwarding machanism and anonymous memory management to reduce the performance impact. The evaluation results show that the Cabin framework incurs a modest overhead (5% on average) on Nbench and WolfSSL benchmarks.

Keyphrases: Confidential Computing, Encrypted Virtualization, Execution-Only Memory, Intra-process isolation, Syscall Filtering, Trusted Execution Environment

BibTeX entry
BibTeX does not have the right entry for preprints. This is a hack for producing the correct reference:
@booklet{EasyChair:13841,
  author    = {Benshan Mei and Saisai Xia and Wenhao Wang and Dongdai Lin},
  title     = {Cabin: Confining Untrusted Programs within Confidential VMs},
  howpublished = {EasyChair Preprint 13841},
  year      = {EasyChair, 2024}}
Download PDFOpen PDF in browser