
arxiv: 2507.12364 · v2 · pith:3SYZ74HKnew · submitted 2025-07-16 · 💻 cs.CR · cs.OS

Tyche: Composable Isolation as a Foundation to Manage Trust in the Cloud

Pith reviewed 2026-05-22 13:35 UTC · model grok-4.3

classification 💻 cs.CR cs.OS
keywords: composable isolation · security domains · capabilities · cloud security · attestation · trust boundaries · confidential computing

The pith

Tyche makes composable isolation a first-class cloud primitive by centering it on security domains controlled through capabilities.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that cloud workloads involving mutually distrustful components need a way to compose isolation boundaries for confidentiality without each tenant building custom solutions from enclaves, sandboxes, or confidential VMs. Tyche addresses this by introducing a security monitor that treats security domains as the core abstraction: each domain controls access to resources like memory and cores via explicit capabilities, and these domains can nest recursively to create attestable trust boundaries. If this holds, the infrastructure itself can provide end-to-end security guarantees for complex multi-party applications, shifting the burden away from users. The approach runs on standard x86 hardware without special extensions and shows low overhead in a confidential LLM inference example with separate users, model owners, and providers.

Core claim

Tyche is a security monitor that centers isolation around security domains. An SD is an execution environment whose access to machine resources is controlled through explicit capabilities. A small set of capability operations enables SDs to partition, share, and reclaim resources; by nesting recursively, SDs compose attestable trust boundaries for confidentiality and encapsulation. Tyche attests these compositions, providing end-to-end security guarantees for workloads made of mutually distrustful components. As a first-class cloud primitive, this single abstraction subsumes enclaves, sandboxes, CVMs, and their compositions while remaining compatible with existing hardware and software.

What carries the argument

Security domains whose resource access is governed by a small set of capability operations that support recursive nesting for composable, attestable isolation boundaries.

If this is right

  • Tenants can assemble workloads from components with different trust models using a single infrastructure primitive instead of custom combinations of enclaves and sandboxes.
  • Attestation covers entire nested compositions, delivering end-to-end guarantees rather than isolated per-component assurances.
  • The same mechanism works for both strong isolation and controlled sharing, including resource reclamation after use.
  • Existing unmodified applications inside domains incur only small slowdowns, as shown by the 2 percent overhead in the LLM inference case.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Cloud providers could expose this primitive directly to users, reducing the need for specialized confidential-computing services.
  • The approach may extend to other resource types such as network queues or accelerators by defining additional capability types.
  • Auditing tools could verify isolation properties at the level of the domain nesting graph rather than inside each component.

Load-bearing premise

A small set of capability operations on security domains is enough to partition, share, and reclaim resources without any information leaks or unauthorized access across nested trust boundaries on ordinary hardware.

What would settle it

An experiment showing that a nested security domain in Tyche can still read or modify data belonging to another distrustful domain despite correct capability settings would disprove the security guarantees.

Figures

Figures reproduced from arXiv: 2507.12364 by Adrien Ghosn, Charly Castes, Edouard Bugnion, Marios Kogias, Neelu S. Kalani, Yuchen Qian.

Figure 1: Example deployment of an enclave and a sandbox within a CVM. Left is based on AMD SEV-SNP, right is our solution, with management dependencies as arrows.
Figure 2: Mutual-distrust LLM inference deployment on top of Tyche; the right side represents physical memory available to each TD, distinguishing exclusive regions (X) and shared ones (S). The encrypted model, prompts, and replies are passed through memory along the black path; interrupts are routed as shown by red arrows.
Figure 3: Memory region derivation tree and TD memory views based on …
Figure 4: Simplified attestation for TD1 with …
Figure 5: Capability operations to create and configure TD1.
Figure 6: The capability engine maintains the system state across all cores.
Figure 7: Superposed system and TD views of deployments in …
Figure 9: RV8 RISC-V CPU microbenchmarks comparison between native, unmodified Keystone, and Tyche (y-axis: CoreMark score relative to native; x-axis: 1 to 16 cores; series: Native, Native VM, TD0, TD1 VM, TD1 CVM).
Figure 12: Redis GET latency distribution as measured by memtier (max throughput) during …
Original abstract

Cloud workloads combine software components from different parties to process sensitive data. Each component has its own trust model - it must protect its assets from the rest of the system, yet share sensitive data with components it cannot trust to keep confidential. This tension requires composing isolation boundaries for confidentiality and encapsulation. Unfortunately, the cloud offers no direct way to compose such boundaries, forcing tenants to assemble, deploy, and maintain their own solutions. This paper shifts that burden back to the infrastructure by making composable, attestable isolation a first-class systems abstraction. We present Tyche, a security monitor that centers isolation around a unified composable abstraction: security domains (SDs). An SD is an execution environment whose access to machine resources - memory, cores, devices - is controlled through explicit capabilities. A small set of capability operations enables SDs to partition, share, and reclaim resources; by nesting recursively, SDs compose attestable trust boundaries for confidentiality and encapsulation. Tyche attests these compositions, providing end-to-end security guarantees for workloads made of mutually distrustful components. As a first-class cloud primitive, this single abstraction subsumes enclaves, sandboxes, CVMs, and their compositions. Tyche provides composable isolation without sacrificing compatibility with existing hardware and software stacks. It runs on commodity x86-64 hardware without security extensions, and a RISC-V prototype demonstrates portability across platforms. Our SDK composes isolation for unmodified workloads within SDs with minimal overhead. In a confidential LLM inference scenario with mutually distrustful users, model owners, and cloud providers, the slowdown is just 2% compared to bare-metal Linux.
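The capability model sketched in the abstract and in the Core claim above, as an added illustration in Rust that is not the paper's or the Tyche repository's code: a toy engine in which a root domain partitions, shares and reclaims memory regions for nested child domains, seals a child, and computes one attestation value over the whole nesting. The subset rule (a child's exclusive regions are carved out of its parent's exclusive regions), the seal semantics and the hash-based measurement are modelling assumptions here, not Tyche's actual API.

```rust
// Added illustration, not code from the Tyche paper or repository: a toy capability engine
// modelling the security-domain invariants described on this page. Assumptions: a child's exclusive
// regions are carved out of its parent's exclusive regions; shared regions alias ones the parent
// holds; a sealed domain neither sends nor receives capabilities; attestation covers the nesting.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Physical memory range, half-open: [start, end).
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord)]
pub struct Region { pub start: u64, pub end: u64 }
impl Region {
    fn contains(&self, o: &Region) -> bool { o.start < o.end && self.start <= o.start && o.end <= self.end }
}

#[derive(Debug, PartialEq, Eq)]
pub enum CapError { NoSuchDomain, Sealed, NotSubset, HasChildren }

#[derive(Debug, Default)]
pub struct Domain {
    pub exclusive: Vec<Region>, // regions only this domain may map ("X" in the paper's Figure 2)
    pub shared: Vec<Region>,    // regions aliased from the parent, which keeps them ("S")
    pub children: Vec<usize>,
    pub parent: Option<usize>,  // None for the root and for reclaimed domains
    pub sealed: bool,
}

pub struct Engine { pub domains: Vec<Domain> }

impl Engine {
    /// The root domain (TD0 in the paper's figures) starts out owning all memory exclusively.
    pub fn new(all_memory: Region) -> Self {
        Engine { domains: vec![Domain { exclusive: vec![all_memory], ..Default::default() }] }
    }
    fn dom(&mut self, id: usize) -> Result<&mut Domain, CapError> {
        self.domains.get_mut(id).ok_or(CapError::NoSuchDomain)
    }
    /// Partition: carve `r` out of one of `parent`'s exclusive regions into a new child domain.
    /// The parent loses `r`, so no two domains ever hold the same bytes exclusively.
    pub fn partition(&mut self, parent: usize, r: Region) -> Result<usize, CapError> {
        let child = self.domains.len();
        let p = self.dom(parent)?;
        if p.sealed { return Err(CapError::Sealed); }
        let i = p.exclusive.iter().position(|e| e.contains(&r)).ok_or(CapError::NotSubset)?;
        let e = p.exclusive.swap_remove(i);
        if e.start < r.start { p.exclusive.push(Region { start: e.start, end: r.start }); }
        if r.end < e.end { p.exclusive.push(Region { start: r.end, end: e.end }); }
        p.children.push(child);
        self.domains.push(Domain { exclusive: vec![r], parent: Some(parent), ..Default::default() });
        Ok(child)
    }
    /// Share: alias `r`, which `parent` holds, into `child`; both may now map it.
    pub fn share(&mut self, parent: usize, child: usize, r: Region) -> Result<(), CapError> {
        let p = self.dom(parent)?;
        if p.sealed { return Err(CapError::Sealed); }
        if !p.children.contains(&child) { return Err(CapError::NoSuchDomain); }
        if !p.exclusive.iter().chain(&p.shared).any(|e| e.contains(&r)) { return Err(CapError::NotSubset); }
        let c = self.dom(child)?;
        if c.sealed { return Err(CapError::Sealed); }
        c.shared.push(r);
        Ok(())
    }
    /// Seal: freeze the capability set; later transfers to or from this domain fail.
    pub fn seal(&mut self, id: usize) -> Result<(), CapError> { self.dom(id)?.sealed = true; Ok(()) }
    /// Reclaim: the parent takes back a leaf child's exclusive regions and drops its shared
    /// aliases. The record stays in place, emptied, so domain ids remain stable.
    pub fn reclaim(&mut self, child: usize) -> Result<(), CapError> {
        let c = self.dom(child)?;
        if !c.children.is_empty() { return Err(CapError::HasChildren); }
        let parent = c.parent.take().ok_or(CapError::NoSuchDomain)?;
        let regions = std::mem::take(&mut c.exclusive);
        c.shared.clear();
        let p = self.dom(parent)?;
        p.exclusive.extend(regions);
        p.children.retain(|&k| k != child);
        Ok(())
    }
    /// Attest: measure a domain's regions and seal state together with the measurements of
    /// every domain nested inside it, so a single value covers the whole composition.
    pub fn attest(&self, id: usize) -> Result<u64, CapError> {
        let d = self.domains.get(id).ok_or(CapError::NoSuchDomain)?;
        let (mut ex, mut sh) = (d.exclusive.clone(), d.shared.clone());
        ex.sort(); sh.sort(); // order-independent measurement
        let mut h = DefaultHasher::new();
        (&ex, &sh, d.sealed).hash(&mut h);
        for &c in &d.children { self.attest(c)?.hash(&mut h); }
        Ok(h.finish())
    }
}

fn main() {
    // Constructed layout: TD0 owns 256 MiB; TD1 (the LLM runtime VM) is carved out of it, and
    // TD2 (an enclave nested inside TD1) is carved out of TD1 and shares a prompt buffer with it.
    let mut eng = Engine::new(Region { start: 0, end: 0x1000_0000 });
    let td1 = eng.partition(0, Region { start: 0x1000, end: 0x3000 }).unwrap();
    let td2 = eng.partition(td1, Region { start: 0x2000, end: 0x3000 }).unwrap();
    eng.share(td1, td2, Region { start: 0x1000, end: 0x1800 }).unwrap();
    eng.seal(td2).unwrap();
    println!("TD1 cannot hand out TD2's memory again: {:?}", eng.partition(td1, Region { start: 0x2000, end: 0x2800 }));
    println!("share into sealed TD2: {:?}; TD0 measurement {:#x}", eng.share(td1, td2, Region { start: 0x1800, end: 0x2000 }), eng.attest(0).unwrap());
}
```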

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper presents Tyche, a security monitor that introduces security domains (SDs) as a unified composable abstraction for isolation in the cloud. An SD is an execution environment whose access to memory, cores, and devices is governed by explicit capabilities. A small set of capability operations enables partitioning, sharing, and reclamation of resources; recursive nesting of SDs composes attestable trust boundaries for confidentiality and encapsulation. Tyche attests these compositions to deliver end-to-end guarantees for workloads composed of mutually distrustful components. The system is claimed to subsume enclaves, sandboxes, and confidential VMs, runs on commodity x86 without security extensions (with a RISC-V prototype for portability), and supports unmodified workloads via an SDK with a reported 2% slowdown in a confidential LLM inference scenario involving model owners, users, and the cloud provider.

Significance. If the isolation and attestation properties hold, the work would be significant as a first-class systems primitive that shifts the burden of composing isolation boundaries from tenants to the infrastructure. The concrete prototypes on two architectures and the low-overhead measurement in a realistic multi-party LLM workload are clear strengths. The design targets unmodified hardware and software stacks, which enhances deployability if the security arguments are complete.

major comments (2)
  1. [Design and Security Arguments] The central claim that a small set of capability operations on SDs suffices to enforce confidentiality and encapsulation for arbitrary nestings on commodity x86 without security extensions is load-bearing for the entire contribution. The manuscript does not demonstrate that the monitor can mediate every resource access (including shared microarchitectural state such as caches, TLBs, branch predictors, and DMA paths) to eliminate cross-boundary information flows between mutually distrustful nested SDs; the 2% overhead figure in the LLM scenario does not address this.
  2. [Evaluation and Threat Model] The assumption that capability operations alone prevent all unauthorized access and leaks across nested trust boundaries (stated as sufficient for partition/share/reclaim) requires explicit validation against side-channel vectors on x86. Without such analysis or targeted experiments, the end-to-end security guarantee for workloads with mutually distrustful components remains unverified.
minor comments (2)
  1. [Abstract] The abstract refers to 'a small set of capability operations' without enumerating them; listing the operations (e.g., grant, revoke, nest) early would improve readability.
  2. [Introduction] Notation for security domains and capabilities could be introduced with a small diagram or table in the introduction to aid readers unfamiliar with the abstraction.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed review. We address each major comment below with clarifications on the design and evaluation, and indicate where revisions will strengthen the manuscript.

Point-by-point responses
  1. Referee: [Design and Security Arguments] The central claim that a small set of capability operations on SDs suffices to enforce confidentiality and encapsulation for arbitrary nestings on commodity x86 without security extensions is load-bearing for the entire contribution. The manuscript does not demonstrate that the monitor can mediate every resource access (including shared microarchitectural state such as caches, TLBs, branch predictors, and DMA paths) to eliminate cross-boundary information flows between mutually distrustful nested SDs; the 2% overhead figure in the LLM scenario does not address this.

    Authors: We appreciate the referee highlighting the need for explicit demonstration of mediation. The Tyche monitor enforces all accesses to memory, cores, and devices via the capability system described in Sections 3 and 4; the small set of operations (partition, share, reclaim, and nest) is the only mechanism for resource transfer, and the monitor is the sole entity that can install or revoke mappings. For microarchitectural state, the design isolates execution on dedicated cores and uses strict memory capabilities to control TLB and cache residency where possible. We acknowledge that commodity x86 lacks hardware mechanisms to fully eliminate all shared microarchitectural channels (e.g., branch predictors or certain DMA paths) without additional software mitigations. Our claims therefore center on explicit access control and attestable boundaries rather than comprehensive side-channel resistance. We will revise the security analysis section to delineate this scope more clearly and note the assumptions regarding microarchitectural isolation.
    Revision: partial

  2. Referee: [Evaluation and Threat Model] The assumption that capability operations alone prevent all unauthorized access and leaks across nested trust boundaries (stated as sufficient for partition/share/reclaim) requires explicit validation against side-channel vectors on x86. Without such analysis or targeted experiments, the end-to-end security guarantee for workloads with mutually distrustful components remains unverified.

    Authors: We thank the referee for this observation. The evaluation section focuses on performance overhead for unmodified workloads under the composable isolation model, using the confidential LLM scenario as a concrete multi-party case. Security arguments rest on the capability operations being the sole path for resource allocation and the attestation of the resulting SD hierarchy. We did not perform targeted side-channel experiments because the contribution emphasizes the abstraction and its composability rather than a complete side-channel-hardened implementation. We agree that an explicit discussion of the threat model and remaining vectors would improve the paper. We will add a dedicated subsection in the revised manuscript that enumerates considered side-channel vectors on x86 and states the design assumptions and mitigations.
    Revision: yes

Circularity Check

0 steps flagged

No circularity: Tyche is a systems design presented as a new abstraction with direct measurements

full rationale

The paper introduces Tyche as a security monitor using security domains (SDs) controlled by capabilities for partitioning and composing isolation boundaries. No derivation chain, equations, or first-principles predictions are claimed that reduce to fitted inputs or self-citations by construction. The central claims concern the sufficiency of a small set of capability operations for resource control and attestation on commodity hardware, supported by prototype implementation and SDK measurements (e.g., 2% slowdown in the LLM scenario) rather than model-derived predictions. Evaluation numbers are presented as direct observations, not outputs forced by prior fits. The design subsumes existing mechanisms by construction of the abstraction itself but does not rely on self-referential loops or load-bearing self-citations for its core argument. This is a standard systems paper structure with independent content in the implementation and evaluation.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 1 invented entity

The central claim rests on standard hardware assumptions and the sufficiency of a small capability interface; no numerical free parameters are introduced, and the only invented entity is the security domain itself.

axioms (2)
  • domain assumption: Commodity x86-64 and RISC-V hardware without security extensions can support the required isolation primitives through software mechanisms.
    Invoked when stating that Tyche runs on ordinary hardware.
  • ad hoc to paper: A small set of capability operations is sufficient to enforce all necessary isolation, sharing, and reclamation without introducing covert channels.
    Central to the claim that SDs compose attestable trust boundaries.
invented entities (1)
  • Security Domain (SD): no independent evidence
    purpose: Unified execution environment whose resource access is controlled by explicit capabilities and that can be nested to form composable trust boundaries.
    New abstraction introduced by the paper to serve as the foundation for composable isolation.

pith-pipeline@v0.9.0 · 5851 in / 1516 out tokens · 37218 ms · 2026-05-22T13:35:58.440932+00:00 · methodology



Reference graph

Works this paper leans on

108 extracted references · 108 canonical work pages

[1] Memtier benchmark. https://github.com/RedisLabs/memtier_benchmark
[2] Native KVM Linux tool. https://github.com/lkvm/lkvm
[3] Redis. https://github.com/redis/redis
[4] RISC-V IOPMP specification. https://github.com/riscv-non-isa/iopmp-spec
[5] The Rust programming language. https://www.rust-lang.org/
[6] Gramine: Exitless. https://gramine.readthedocs.io/en/stable/manifest-syntax.html?highlight=exitless#number-of-rpc-threads-exitless-feature, 2020
[7] The Gramine library OS. https://gramineproject.io/, 2020
[8] Gramine: threading. https://gramine.readthedocs.io/en/stable/manifest-syntax.html?highlight=num, 2020
[9] Linux - DMA and SWIOTLB. https://docs.kernel.org/core-api/swiotlb.html, 2021
[10] TEE Device Interface Security Protocol (TDISP). https://pcisig.com/tee-device-interface-security-protocol-tdisp, August 2022
[11] Advanced Micro Devices, Inc. AMD-V™ Nested Paging. http://developer.amd.com/wordpress/media/2012/10/NPT-WP-1%201-final-TM.pdf, 2008
[12] Alexandru Agache, Marc Brooker, Alexandra Iordache, Anthony Liguori, Rolf Neugebauer, Phil Piwonka, and Diana-Maria Popa. Firecracker: Lightweight Virtualization for Serverless Applications. In Proceedings of the 17th Symposium on Networked Systems Design and Implementation (NSDI), pages 419–434, 2020
[13] Adil Ahmad, Botong Ou, Congyu Liu, Xiaokuan Zhang, and Pedro Fonseca. Veil: A Protected Services Framework for Confidential Virtual Machines. In Proceedings of the 28th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS-XXVIII), pages 378–393, 2023
[14] Saar Amar, David Chisnall, Tony Chen, Nathaniel Wesley Filardo, Ben Laurie, Kunyan Liu, Robert M. Norton, Simon W. Moore, Yucong Tao, Robert N. M. Watson, and Hongyan Xia. CHERIoT: Complete Memory Safety for Embedded Devices. In Proceedings of the 56th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO), pages 641–653, 2023
[15] AMD. SEV-SNP: Strengthening VM isolation with integrity protection and more. White Paper, January 2020
[16] AMD. AMD64 Architecture Programmer's Manual Volume 2: System Programming. 2023
[17] Andres Freund. backdoor in upstream xz/liblzma leading to ssh server compromise. https://www.openwall.com/lists/oss-security/2024/03/29/4, 2024
[18] Apple. Private Cloud Compute: A new frontier for AI privacy in the cloud. https://security.apple.com/blog/private-cloud-compute/, June 2024
[19] ARM. Building a secure system using TrustZone technology. White Paper, April 2009
[20] Ahmed M. Azab, Peng Ning, Jitesh Shah, Quan Chen, Rohan Bhutkar, Guruprasad Ganesh, Jia Ma, and Wenbo Shen. Hypervision Across Worlds: Real-time Kernel Protection from the ARM TrustZone Secure World. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 90–102, 2014
[21] Raad Bahmani, Ferdinand Brasser, Ghada Dessouky, Patrick Jauernig, Matthias Klimmek, Ahmad-Reza Sadeghi, and Emmanuel Stapf. CURE: A Security Architecture with CUstomizable and Resilient Enclaves. In Proceedings of the 30th USENIX Security Symposium, pages 1073–1090, 2021
[22] Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, and Andrew Warfield. Xen and the art of virtualization. In Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP), pages 164–177, 2003
[23] Andrew Baumann. Hardware is the new Software. In Proceedings of the 16th Workshop on Hot Topics in Operating Systems (HotOS-XVI), pages 132–137, 2017
[24] Andrew Baumann, Marcus Peinado, and Galen C. Hunt. Shielding Applications from an Untrusted Cloud with Haven. ACM Trans. Comput. Syst., 33(3):8:1–8:26, 2015
[25] Fabrice Bellard. QEMU, a Fast and Portable Dynamic Translator. In USENIX Annual Technical Conference, FREENIX Track, pages 41–46, 2005
[26] Charly Castes and Andrew Baumann. Sharing is leaking: blocking transient-execution attacks with core-gapped confidential VMs. In 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 4 (ASPLOS '24), 2024
[27] Charly Castes, Adrien Ghosn, Neelu Shivprakash Kalani, Yuchen Qian, Marios Kogias, Mathias Payer, and Edouard Bugnion. Creating Trust by Abolishing Hierarchies. In Proceedings of the 19th Workshop on Hot Topics in Operating Systems (HotOS-XIX), pages 231–238, 2023
[28] Xiaoxin Chen, Tal Garfinkel, E. Christopher Lewis, Pratap Subrahmanyam, Carl A. Waldspurger, Dan Boneh, Jeffrey S. Dwoskin, and Dan R. K. Ports. Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems. In Proceedings of the 13th International Conference on Architectural Support for Programming Languages an...
[29] Kevin Cheng, Spoorti Doddamani, Tzi-cker Chiueh, Yongheng Li, and Kartik Gopalan. Directvisor: virtualization for bare-metal cloud. In Proceedings of the 16th International Conference on Virtual Execution Environments (VEE), pages 45–58, 2020
[30] The Linux Kernel Community. Linux kernel virtual machine. https://linux-kvm.org/page/Main_Page, 2007
[31] Victor Costan, Ilia A. Lebedev, and Srinivas Devadas. Sanctum: Minimal Hardware Extensions for Strong Software Isolation. In Proceedings of the 25th USENIX Security Symposium, pages 857–874, 2016
[32] Nathan Dautenhahn, Theodoros Kasampalis, Will Dietz, John Criswell, and Vikram S. Adve. Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation. In Proceedings of the 20th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS-XX), pages 191–206, 2015
[33] Microsoft Azure Research & EPFL DCSL. Tyche GitHub repository. https://github.com/epfl-dcsl/tyche-devel
[34] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Trans. Inf. Theory, 22(6):644–654, 1976
[35] Xiaowan Dong, Zhuojia Shen, John Criswell, Alan L. Cox, and Sandhya Dwarkadas. Shielding Software From Privileged Side-Channel Attacks. In Proceedings of the 27th USENIX Security Symposium, pages 1441–1458, 2018
[36] Jules Drean, Fisher Jepsen, Edward Suh, Srini Devadas, Aamer Jaleel, and Gururaj Saileshwar. Teaching an Old Dog New Tricks: Verifiable FHE Using Commodity Hardware. CoRR, abs/2412.03550, 2024
[37] Edgeless. Edgeless Continuum AI. https://docs.edgeless.systems/continuum/0.3/overview, 2024
[38] EEMBC. CoreMark PRO, July 2019. v1.1.2743. https://www.eembc.org/coremark-pro
[39] Dawson R. Engler, M. Frans Kaashoek, and James W. O'Toole Jr. Exokernel: An Operating System Architecture for Application-Level Resource Management. In Proceedings of the 15th ACM Symposium on Operating Systems Principles (SOSP), pages 251–266, 1995
[40] Erhu Feng, Dahu Feng, Dong Du, Yubin Xia, Wenbin Zheng, Siqi Zhao, and Haibo Chen. sIOPMP: Scalable and Efficient I/O Protection for TEEs. In ASPLOS (2), pages 1061–1076, 2024
[41] Andrew Ferraiuolo, Andrew Baumann, Chris Hawblitzel, and Bryan Parno. Komodo: Using verification to disentangle secure-enclave hardware from software. In Proceedings of the 26th ACM Symposium on Operating Systems Principles (SOSP), pages 287–305, 2017
[42] Bryan Ford, Mike Hibler, Jay Lepreau, Patrick Tullmann, Godmar Back, and Stephen Clawson. Microkernels Meet Recursive Virtual Machines. In Proceedings of the 2nd Symposium on Operating System Design and Implementation (OSDI), pages 137–151, 1996
[43] Georgi Gerganov. Llama-c++. https://github.com/ggerganov/llama.cpp, 2024
[44] Will Glozer. wrk - a HTTP benchmarking tool. https://github.com/wg/wrk, 2021
[45] Google. Google Confidential Space security overview. https://cloud.google.com/docs/security/confidential-space, June 2024
[46] gVisor Authors. gVisor: The container security platform. https://gvisor.dev/, 2023
[47] gVisor Team. gVisor ptrace Platform. https://gvisor.dev/docs/architecture_guide/platforms/#ptrace, 2024
[48] Norman Hardy. The Confused Deputy (or why capabilities might have been invented). ACM SIGOPS Oper. Syst. Rev., 22(4):36–38, 1988
[49] D. Richard Hipp. SQLite. https://www.sqlite.org/, 2000
[50] Alexander Van't Hof and Jason Nieh. BlackBox: A Container Security Monitor for Protecting Containers on Untrusted Operating Systems. In Proceedings of the 16th Symposium on Operating System Design and Implementation (OSDI), pages 683–700, 2022
[51] Owen S. Hofmann, Sangman Kim, Alan M. Dunn, Michael Z. Lee, and Emmett Witchel. InkTag: secure applications on an untrusted operating system. In Proceedings of the 18th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS-XVIII), pages 265–278, 2013
[52] hugging-quants. Llama-3.2-1B-Instruct quantized. https://huggingface.co/hugging-quants/Llama-3.2-1B-Instruct-Q4_K_M-GGUF, September 2024
[53] Tyler Hunt, Zhiting Zhu, Yuanzhong Xu, Simon Peter, and Emmett Witchel. Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data. In Proceedings of the 12th Symposium on Operating System Design and Implementation (OSDI), pages 533–549, 2016
[54] Hyperium. Rust hyper. https://hyper.rs/, 2024
[55] Intel. Trusted Execution Technology. https://www.intel.com/content/www/us/en/developer/articles/tool/intel-trusted-execution-technology.html, 2014
[56] Intel. Multi-Key Total Memory Encryption. https://edc.intel.com/content/www/us/en/design/ipla/software-development-platforms/client/platforms/alder-lake-desktop/12th-generation-intel-core-processors-datasheet-volume-1-of-2/002/intel-multi-key-total-memory-encryption/, 2017
[57] Intel. Architecture specification: Intel Trust Domain Extensions (Intel TDX) module. https://software.intel.com/content/dam/develop/external/us/en/documents/intel-tdx-module-1eas.pdf, 2023
[58] Intel. Intel Software Guard Extensions (Intel SGX). https://www.intel.com/content/www/us/en/developer/tools/software-guard-extensions/overview.html, 2023
[59] Intel. Intel Virtualization Technology for Directed I/O, architecture specification. https://www.intel.com/content/www/us/en/content-details/774206/intel-virtualization-technology-for-directed-i-o-architecture-specification.html, 2023
[60] JFrog. Examining Malicious Hugging Face ML Models with Silent Backdoor. https://jfrog.com/blog/data-scientists-targeted-by-malicious-hugging-face-ml-models-with-silent-backdoor/
[61] Yuekai Jia, Shuang Liu, Wenhao Wang, Yu Chen, Zhengde Zhai, Shoumeng Yan, and Zhengyu He. HyperEnclave: An Open and Cross-platform Trusted Execution Environment. In Proceedings of the 2022 USENIX Annual Technical Conference (ATC), pages 437–454, 2022
[62] Eric Keller, Jakub Szefer, Jennifer Rexford, and Ruby B. Lee. NoHype: virtualized cloud infrastructure without the virtualization. In Proceedings of the 37th International Symposium on Computer Architecture (ISCA), pages 350–361, 2010
[63] Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David A. Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, and Simon Winwood. seL4: formal verification of an OS kernel. In Proceedings of the 22nd ACM Symposium on Operating Systems Principles (SOSP), pages 207–220, 2009
[64] Jan Kneschke. Lighttpd. https://www.lighttpd.net/, 2003
[65] Dmitrii Kuvaiskii, Dimitrios Stavrakakis, Kailun Qin, Cedric Xing, Pramod Bhatotia, and Mona Vij. Gramine-TDX: A lightweight OS kernel for confidential VMs. In ACM Conference on Computer and Communications Security (CCS), October 2024

  65. [65]

    Gramine-tdx: A lightweight os kernel for confidential vms

    Dmitrii Kuvaiskii, Dimitrios Stavrakakis, Kailun Qin, Cedric Xing, Pramod Bhatotia, and Mona Vij. Gramine-tdx: A lightweight os kernel for confidential vms. In ACM Conference on Computer and Communications Security (CCS), October 2024

  66. [66]

    KVM. Virtio. https://www.linux-kvm.org/page/Virtio

  67. [67]

    Lampson and Howard E

    Butler W. Lampson and Howard E. Sturgis. Reflections on an Operat- ing System Design. Commun. ACM, 19(5):251–265, 1976

  68. [68]

    Keystone: an open framework for architecting trusted ex- ecution environments

    Dayeol Lee, David Kohlbrenner, Shweta Shinde, Krste Asanovic, and Dawn Song. Keystone: an open framework for architecting trusted ex- ecution environments. In Proceedings of the 2020 EuroSys Conference , pages 38:1–38:16, 2020

  69. [69]

    Towards (Really) Safe and Fast Confidential I/O

    Hugo Lefeuvre, David Chisnall, Marios Kogias, and Pierre Olivier. Towards (Really) Safe and Fast Confidential I/O. In Proceedings of The 19th Workshop on Hot Topics in Operating Systems (HotOS-XIX) , pages 214–222, 2023

  70. [70]

    Bifrost: Analysis and Optimization of Network I/O Tax in Confidential Virtual Machines

    Dingji Li, Zeyu Mi, Chenhui Ji, Yifan Tan, Binyu Zang, Haibing Guan, and Haibo Chen. Bifrost: Analysis and Optimization of Network I/O Tax in Confidential Virtual Machines. In Proceedings of the 2023 USENIX Annual Technical Conference (ATC), pages 1–15, 2023

  71. [71]

    Koh, and Jason Nieh

    Shih-Wei Li, John S. Koh, and Jason Nieh. Protecting Cloud Virtual Machines from Hypervisor and Host Operating System Exploits. In Proceedings of the 28th USENIX Security Symposium , pages 1357–1374, 2019

  72. [72]

    Design and Verification of the Arm Confidential Compute Architecture

    Xupeng Li, Xuheng Li, Christoffer Dall, Ronghui Gu, Jason Nieh, Yousuf Sait, and Gareth Stockwell. Design and Verification of the Arm Confidential Compute Architecture. In Proceedings of the 16th Symposium on Operating System Design and Implementation (OSDI) , pages 465–484, 2022

  73. [73]

    On micro-Kernel Construction

    Jochen Liedtke. On micro-Kernel Construction. In Proceedings of the 15th ACM Symposium on Operating Systems Principles (SOSP) , pages 237–250, 1995

  74. [74]

    Understanding and Mitigating CVE-2024-42070: nfta- bles Type Confusion Vulnerability

    Linux Security. Understanding and Mitigating CVE-2024-42070: nfta- bles Type Confusion Vulnerability. https://linuxsecurity.com/news /security-vulnerabilities/understanding-and-mitigating-cve-2024- 42070-nftables-vuln , 2024. [Online; accessed 4-April-2025]

  75. [75]

    libfuzzer: A library for in-process, coverage-guided fuzzing

    LLVM. libfuzzer: A library for in-process, coverage-guided fuzzing. https://llvm.org/docs/LibFuzzer.html, 2021

  76. [76]

    McCune, Yanlin Li, Ning Qu, Zongwei Zhou, Anupam Datta, Virgil D

    Jonathan M. McCune, Yanlin Li, Ning Qu, Zongwei Zhou, Anupam Datta, Virgil D. Gligor, and Adrian Perrig. TrustVisor: Efficient TCB Reduction and Attestation. In IEEE Symposium on Security and Pri- vacy, pages 143–158, 2010

  77. [77]

    Llama-3.2-1b-instruct

    Meta-LLama. Llama-3.2-1b-instruct. https://huggingface.co/meta- llama/Llama-3.2-1B-Instruct , September 2024

  78. [78]

    Introducing hyperlight: Virtual machine-based security for functions at scale

    Microsoft. Introducing hyperlight: Virtual machine-based security for functions at scale. https://opensource.microsoft.com/blog/2024/ 11/07/introducing-hyperlight-virtual-machine-based-security-for- functions-at-scale/ , 2024

  79. [79]

    Virtual secure mode & virtual trust level (vtl).https://learn

    Microsoft. Virtual secure mode & virtual trust level (vtl).https://learn. microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/vsm , 2025

  80. [80]

    CVE-2024-1086: Linux Ker- nel Netfilter Use-After-Free Vulnerability

    National Vulnerability Database (NVD). CVE-2024-1086: Linux Ker- nel Netfilter Use-After-Free Vulnerability. https://nvd.nist.gov/vuln/ detail/cve-2024-1086, 2024. [Online; accessed 4-April-2025]

Showing first 80 references.