Table of Contents
Fetching ...

Abstraction of Trusted Execution Environments as the Missing Layer for Broad Confidential Computing Adoption: A Systematization of Knowledge

Quentin Michaud, Sara Ramezanian, Dhouha Ayed, Olivier Levillain, Joaquin Garcia-Alfaro

TL;DR

The paper addresses the fragmentation of the confidential computing ecosystem by systematizing abstraction layers that sit atop TEEs. It surveys both TEE implementations (App-based and VM-based) and a broad spectrum of abstraction-layer approaches (SDK-, container-, and WebAssembly-based, plus other forms), highlighting design trade-offs, portability, deployment, and security implications. The authors argue that WebAssembly-based runtimes offer the strongest combination of portability, security, and broad feature support, while noting that container- and SDK-centric approaches have different strengths and constraints. Key contributions include a comprehensive ecosystem map, a taxonomy of abstraction-layer designs, and an analysis of their impact on development, deployment, and security, along with open research directions such as unified attestation and data-in-use protection. Overall, the work frames a future where unified abstraction layers enable broader confidential computing adoption across diverse hardware, software stacks, and edge-to-cloud environments.

Abstract

Trusted Execution Environments (TEEs) protect sensitive code and data from the operating system, hypervisor, or other untrusted software. Different solutions exist, each proposing different features. Abstraction layers aim to unify the ecosystem, allowing application developers and system administrators to leverage confidential computing as broadly and efficiently as possible. We start with an overview of representative available TEE technologies. We describe and summarize each TEE ecosystem, classifying them in different categories depending on their main design choices. Then, we propose a systematization of knowledge focusing on different abstraction layers around each design choice. We describe the underlying technologies of each design, as well as the inner workings and features of each abstraction layer. Our study reveals opportunities for improving existing abstraction layer solutions. It also highlights WebAssembly, a promising approach that supports the largest set of features. We close with a discussion on future directions for research, such as how future abstraction layers may evolve and integrate with the confidential computing ecosystem.

Abstraction of Trusted Execution Environments as the Missing Layer for Broad Confidential Computing Adoption: A Systematization of Knowledge

TL;DR

The paper addresses the fragmentation of the confidential computing ecosystem by systematizing abstraction layers that sit atop TEEs. It surveys both TEE implementations (App-based and VM-based) and a broad spectrum of abstraction-layer approaches (SDK-, container-, and WebAssembly-based, plus other forms), highlighting design trade-offs, portability, deployment, and security implications. The authors argue that WebAssembly-based runtimes offer the strongest combination of portability, security, and broad feature support, while noting that container- and SDK-centric approaches have different strengths and constraints. Key contributions include a comprehensive ecosystem map, a taxonomy of abstraction-layer designs, and an analysis of their impact on development, deployment, and security, along with open research directions such as unified attestation and data-in-use protection. Overall, the work frames a future where unified abstraction layers enable broader confidential computing adoption across diverse hardware, software stacks, and edge-to-cloud environments.

Abstract

Trusted Execution Environments (TEEs) protect sensitive code and data from the operating system, hypervisor, or other untrusted software. Different solutions exist, each proposing different features. Abstraction layers aim to unify the ecosystem, allowing application developers and system administrators to leverage confidential computing as broadly and efficiently as possible. We start with an overview of representative available TEE technologies. We describe and summarize each TEE ecosystem, classifying them in different categories depending on their main design choices. Then, we propose a systematization of knowledge focusing on different abstraction layers around each design choice. We describe the underlying technologies of each design, as well as the inner workings and features of each abstraction layer. Our study reveals opportunities for improving existing abstraction layer solutions. It also highlights WebAssembly, a promising approach that supports the largest set of features. We close with a discussion on future directions for research, such as how future abstraction layers may evolve and integrate with the confidential computing ecosystem.
Paper Structure (80 sections, 4 figures, 4 tables)

This paper contains 80 sections, 4 figures, 4 tables.

Figures (4)

  • Figure 1: Organization of the main sections.
  • Figure 2: An overview of each isolation technology and their interactions with the untrusted host. The red dashed color represents each isolation technology. The blue color represents the interfaces that interact outside the isolation solution.
  • Figure 3: Representation of where the abstraction layer lays inside various TEE approaches. Dotted red represents the areas where abstraction layers are intervening. Blue arrows represent the classic TEE protection.
  • Figure 4: Representation of the lifecycle of a TEE-protected application leveraging an abstraction layer. Improvements proposed by abstraction layers are indicated using blue dashed arrows.