TEE support in GraalVM CE for sensitive data protection in the cloud

Project

TEE support in GraalVM CE for sensitive data protection in the cloud

Principal Investigator

Université de Neuchâtel

Oracle Fellowship Recipient

Jämes Ménétrey, Peterson Yuhala

Oracle Principal Investigator

Jean-Pierre Lozi, Principal Member of Technical Staff

Summary

The rapid growth of cloud computing raises security concerns, as customers have to trust both the cloud provider but also users. To address this, CPU vendors have recently introduced Trusted Execution Environments (TEEs), which make it possible to run secure code on untrusted hardware. TEEs are not very widespread however, as (1) from the user's point of view, writing code for TEEs is complex as it has to be done in low-level languages and naively written code can results in high overheads, and (2) from the cloud provider's point of view, TEEs can be seen as dangerous as the provider cannot monitor code execution at runtime. In this project, we propose to add TEE support to GraalVM CE [GRAALVM] in a way that addresses both of these issues: GraalVM CE will make it possible to easily write high-level code that is optimized for TEEs, and it will sandbox the code execution, thus protecting the cloud provider. The project will first target entire applications whose entire code needs to be protected by a TEE, and the focus will then shift to applications in which only parts of the code need to be protected.

[GRAALVM] GraalVM - https://www.graalvm.org/