Abstraction of Trusted Execution Environments as the Missing Layer for Broad Confidential Computing Adoption: A Systematization of Knowledge
Quentin Michaud, Sara Ramezanian, Dhouha Ayed, Olivier Levillain, Joaquin Garcia-Alfaro
TL;DR
The paper addresses the fragmentation of the confidential computing ecosystem by systematizing abstraction layers that sit atop TEEs. It surveys both TEE implementations (App-based and VM-based) and a broad spectrum of abstraction-layer approaches (SDK-, container-, and WebAssembly-based, plus other forms), highlighting design trade-offs, portability, deployment, and security implications. The authors argue that WebAssembly-based runtimes offer the strongest combination of portability, security, and broad feature support, while noting that container- and SDK-centric approaches have different strengths and constraints. Key contributions include a comprehensive ecosystem map, a taxonomy of abstraction-layer designs, and an analysis of their impact on development, deployment, and security, along with open research directions such as unified attestation and data-in-use protection. Overall, the work frames a future where unified abstraction layers enable broader confidential computing adoption across diverse hardware, software stacks, and edge-to-cloud environments.
Abstract
Trusted Execution Environments (TEEs) protect sensitive code and data from the operating system, hypervisor, or other untrusted software. Different solutions exist, each proposing different features. Abstraction layers aim to unify the ecosystem, allowing application developers and system administrators to leverage confidential computing as broadly and efficiently as possible. We start with an overview of representative available TEE technologies. We describe and summarize each TEE ecosystem, classifying them in different categories depending on their main design choices. Then, we propose a systematization of knowledge focusing on different abstraction layers around each design choice. We describe the underlying technologies of each design, as well as the inner workings and features of each abstraction layer. Our study reveals opportunities for improving existing abstraction layer solutions. It also highlights WebAssembly, a promising approach that supports the largest set of features. We close with a discussion on future directions for research, such as how future abstraction layers may evolve and integrate with the confidential computing ecosystem.
