http://lattes.cnpq.br/5724024319988208; SILVA, Matteus Sthefano Leite da.
Resumo:
Software no longer runs on an isolated set of server machines protected using perimeter se-
curity strategies and tools. As companies move to the cloud and edge computing, the security
boundaries blur, turning strategies such as perimeter security and firewall management diffi-
cult in such heterogeneous environments. Also, companies with highly sensitive workloads
still worry about data confidentiality in untrusted environments. The confidential comput-
ing model emerged to address this last problem, ensuring data confidentiality in untrusted
domains via always encrypted execution.
These two problems seem to be solved when considered separately. However, issuing
identities for confidential workloads is not trivial as trusted execution environments have
strongly opinionated attestation processes. Confidential computing lift-and-shift approaches
have their attestation and configuration services capable of enabling authentication and se-
cure communication between confidential workloads. However, there is a lack of universal
identity support between confidential and regular workloads. Simply using identity distri-
bution frameworks such as SPIFFE to bootstrap identities for confidential workloads is not
applicable because their threat model assumes trust in the infrastructure and software stack
where the workloads run on. In this work, we propose an integration between a cloud native identity framework and
a lift-and-shift approach to enable confidential computing. We brought together SPIFFE
and SCONE to enable identity support for confidential workloads that interoperates with
non-confidential workloads. We designed a new component for the SPIFFE runtime envi-
ronment that delivers identities for SCONE-based confidential workloads and considers the
confidential computing threat model. To evaluate our proposal from a security perspective,
we conducted a security analysis with confidential computing specialists to assess strengths
and weaknesses under the confidential computing threat model. The security analysis results
indicated that the specialists considered the proposal robust against coming from provider
infrastructure in untrusted environments. Also, most workload-to-workloads attacks were
considered mitigated. We also conducted experiments and identified overheads in the iden-
tity issuing process. On the other hand, experiments to measure container image build times
for Python workloads showed that the builds with SCONE were faster than builds for non-
confidential workloads. Although the scope of this work is tied to confidential SCONE-based
workloads, the integration is extensible via plugins for the new SPIRE component and can
accommodate other lift-and-shift solutions for confidential computing.