LUP Student Papers

Setting up WebAssembly in a Cloud Environment that Supports AMD Secure Encrypted Virtualization

• Mark

Abstract

Data confidentiality and security in cloud computing is a major concern for both
service providers and users. The industry’s approach to enhancing trust and data
security is to provide Trusted Execution Environments (TEEs) as secure and encrypted instances within Central Processing Units (CPUs) to execute and process
user data in cloud environments. However, this approach raises issues and
practical considerations, such as limitations on programming languages and functions compatible with specific TEE technology. One proposed solution to address these issues is leveraging WebAssembly (Wasm) in cloud computing environments.
Wasm is a binary instruction format built for stack-based Virtual Machines (VMs)
with a linear memory model.... (More)

Data confidentiality and security in cloud computing is a major concern for both
service providers and users. The industry’s approach to enhancing trust and data
security is to provide Trusted Execution Environments (TEEs) as secure and encrypted instances within Central Processing Units (CPUs) to execute and process
user data in cloud environments. However, this approach raises issues and
practical considerations, such as limitations on programming languages and functions compatible with specific TEE technology. One proposed solution to address these issues is leveraging WebAssembly (Wasm) in cloud computing environments.
Wasm is a binary instruction format built for stack-based Virtual Machines (VMs)
with a linear memory model. Wasm code forms self-contained modules, abstracting
the underlying architecture and operating system (OS) of the host machines
where it runs. This makes it cross-platform compatible, language-agnostic, and
well-suited for lightweight code isolation. In this thesis, we investigate the existing tools for running Wasm applications inside AMD’s Secure Encrypted Virtualization - Secure Nested Paging (SEV-SNP) to strengthen AMD SEV-SNP’s ability to securely execute random code applications inside a VM. This approach, which is also called "double sandboxing", adds an additional security layer for data processed in cloud computing environments, while also utilizing Wasm’s compatibility with various high-level languages. This implementation of runningWasm in a TEE is done with the support of the WebAssembly System Interface (WASI) to enable necessary (restricted) interactions between Wasm applications and cloud system resources. This thesis details the steps and software components required to build different Wasm runtimes in a Personal Computer (PC) and in a VM secured with SEV-SNP technology. The thesis also demonstrates the performance of different runtimes through utilizing a practical application of generating RSA key pairs on an AMD server simulating a cloud computing environment. This leads to performance benchmarks across different runtimes built in two different platforms; a PC and a SEV-SNP enabled VM. (Less)

Popular Abstract

Cloud computing requires users to send data to be remotely processed by another
party, utilizing the host’s "server’s" resources. In a typical cloud setup, host resources are shared among multiple users simultaneously, known as the multi-tenant paradigm, which optimizes resource utilization and provides adaptable solutions for users. Practically, the host creates Virtual Machines (VMs) and assigns one (or multiple) to each user to process their data, with VMs managed by a highprivileged component called the hypervisor. However, sharing sensitive user data with a shared resource pool requires establishing trust among all parties involved, a challenge that cannot be fully addressed. Instead, cloud providers leverage TEEs, which isolate data... (More)

Cloud computing requires users to send data to be remotely processed by another
party, utilizing the host’s "server’s" resources. In a typical cloud setup, host resources are shared among multiple users simultaneously, known as the multi-tenant paradigm, which optimizes resource utilization and provides adaptable solutions for users. Practically, the host creates Virtual Machines (VMs) and assigns one (or multiple) to each user to process their data, with VMs managed by a highprivileged component called the hypervisor. However, sharing sensitive user data with a shared resource pool requires establishing trust among all parties involved, a challenge that cannot be fully addressed. Instead, cloud providers leverage TEEs, which isolate data in use within the CPU—protecting it from both other users and high-privileged components like the hypervisor. AMD’s SEV processor, for instance, isolates VMs by applying hardware-based encryption to the entire VM. The latest version, SEV-SNP, adds memory integrity protection by verifying VM memory pages, preventing a malicious hypervisor from altering VM memory.

Another key component used in this thesis is WebAssembly (Wasm). Wasm
is a binary instruction format, meaning Wasm programming instructions are represented in binary rather than in human-readable text, as is common in most
programming languages. These instructions are designed for execution in a stack-based VM with linear memory, enabling code execution without relying on the
system’s memory management unit. Wasm was originally developed for web applications to run efficiently within web browsers. However, using specialized software tools called runtimes, Wasm can now also run in standalone environments outside the browser.

Wasm provides lightweight isolation or sandboxing, which ensures that applications
run securely within their own Wasm modules. Each module is self-contained,
with all memory and functions needed for execution included within the module,
keeping applications and data securely separated. This isolation means that Wasm
modules are inherently isolated from high-privilege system components, such as
the Virtual Machine Monitor (VMM), which usually manages memory for VMs.
In this thesis, we study solutions to further improve isolation provided by
AMD SEV-SNP by integrating and running Wasm within SEV-SNP. These solutions
(that are called Wasm runtimes) are presented in this thesis by detailing the
procedures required to run any compiled Wasm application within the SEV-SNP
TEE. Running Wasm, inside a TEE also enables leveraging the WebAssemblySystem Interface (WASI), a system interface that simulates system calls and I/O
operations, facilitating the execution of code that requires such functions.

This thesis further reviews prominent solutions and frameworks that provide
similar functionality with different TEE technologies. Additionally, we examine
several runtimes by building them in a PC and a SEV-SNP enabled VM and
evaluate the performance of these runtimes. The result of our implementation
demonstrate that it is possible to run applications written in C in AMD SEV-SNP
via Wasm as well. In this thesis, a C program is used that is generating RSA key
pairs, as generating public keys are used in several real-life applications, such as in trust management between different nodes in a communication system. (Less)