Shielded but Lightweight: Building Practical Confidential Containers with ARM CCA
Pith reviewed 2026-06-29 21:17 UTC · model grok-4.3
The pith
Fasco maps each confidential container directly to an ARM CCA realm to cut startup latency versus microVM designs.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Fasco shows that direct instantiation of containers as CCA Container Realms, coordinated by a System Realm via exception forwarding and shared buffers, reduces startup latency and performance overhead compared with microVM-based confidential containers while maintaining a small TCB.
What carries the argument
Container Realm instantiation under CCA hardware isolation, supported by a System Realm that uses exception forwarding and shared buffers for service delivery and inter-realm isolation.
Load-bearing premise
That CCA hardware isolation together with exception forwarding and shared buffers between Container Realms and the System Realm will preserve confidentiality and integrity without introducing new attack surfaces or high performance costs.
What would settle it
A side-channel or memory-access attack that extracts data from one Container Realm into another, or a benchmark in which Fasco startup latency equals or exceeds that of existing microVM confidential container systems.
Original abstract
The rapid advancement of cloud-native technologies has created an urgent need for security. Currently, confidential containers are increasingly deployed in multi-tenant environments. Existing confidential container designs mainly adopt a microVM-based architecture. Although this approach improves inter-container isolation, its complex software stack leads to high startup latency and significant resource overhead, making it unsuitable for short-lived container workloads. In this paper, we propose Fasco, a lightweight confidential container runtime based on the ARM Confidential Compute Architecture (CCA). Fasco directly instantiates each container as an independent Container Realm, leveraging CCA's hardware-enforced isolation to ensure the confidentiality and integrity of application data inside the container. In addition, Fasco introduces a dedicated System Realm to provide system services and resource management for container realms. Through exception forwarding and shared buffers, Fasco ensures isolation among different container realms. We have implemented a prototype of Fasco and evaluated its performance on ARMv8 hardware. Experimental results show that Fasco reduces the startup latency and performance overhead of existing confidential container architectures while maintaining a small TCB.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes Fasco, a lightweight confidential container runtime for ARM CCA. Each container runs as an independent Container Realm with hardware-enforced isolation; a System Realm supplies services via exception forwarding and shared buffers. The design claims to reduce startup latency and performance overhead relative to microVM-based confidential containers while preserving a small TCB. A prototype was implemented and evaluated on ARMv8 hardware.
Significance. If the security properties of the forwarding and buffer mechanisms are rigorously established and the performance claims are backed by concrete, reproducible measurements with appropriate baselines, the work would offer a practical alternative for short-lived container workloads in multi-tenant clouds, addressing a recognized limitation of existing confidential-computing runtimes.
major comments (2)
- [Abstract, §4] Abstract and §4 (evaluation): the central performance claim—that Fasco reduces startup latency and overhead—is stated without any quantitative results, baselines, workload descriptions, or error bars. Because the claim is entirely experimental, the absence of these data prevents evaluation of whether the result holds.
- [§3] §3 (architecture) and threat-model discussion: the confidentiality and integrity guarantees rest on exception forwarding and shared buffers between Container Realms and the System Realm, yet no threat model, enumeration of System Realm contents, or analysis of potential cross-realm leakage or DoS vectors is supplied. This is load-bearing for both the security and “small TCB” assertions.
minor comments (2)
- [§3] Notation for realm boundaries and buffer ownership is introduced without a diagram or explicit invariants, making the isolation argument harder to follow.
- [Abstract] The abstract states “experimental results show…” but the manuscript supplies no table or figure reference for those results.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback. We address the two major comments below and will revise the manuscript to strengthen both the experimental reporting and the security analysis.
- Referee: [Abstract, §4] Abstract and §4 (evaluation): the central performance claim—that Fasco reduces startup latency and overhead—is stated without any quantitative results, baselines, workload descriptions, or error bars. Because the claim is entirely experimental, the absence of these data prevents evaluation of whether the result holds.
  Authors: We agree the current manuscript states the performance claims without the supporting quantitative data, baselines, workload details, or error bars. In the revised version we will add concrete measurements (startup latency in ms, runtime overhead percentages), explicit baselines (e.g., microVM-based confidential containers), workload descriptions, and error bars from repeated runs to allow proper evaluation of the claims.
  Revision: yes
- Referee: [§3] §3 (architecture) and threat-model discussion: the confidentiality and integrity guarantees rest on exception forwarding and shared buffers between Container Realms and the System Realm, yet no threat model, enumeration of System Realm contents, or analysis of potential cross-realm leakage or DoS vectors is supplied. This is load-bearing for both the security and “small TCB” assertions.
  Authors: We acknowledge that a dedicated threat-model discussion and analysis of the forwarding and buffer mechanisms are required to substantiate the security and TCB claims. We will expand §3 with a threat model that enumerates System Realm contents, examines cross-realm leakage and DoS vectors, and explains how CCA hardware isolation plus our design choices mitigate them.
  Revision: yes
Circularity Check
No circularity: claims rest on implementation and experiments, not self-referential derivation
The paper describes an engineering prototype (Fasco) that instantiates containers as CCA realms, adds a System Realm for services, and uses exception forwarding plus shared buffers. All load-bearing claims are supported by prototype implementation on ARMv8 hardware and measured startup/performance numbers. No equations, fitted parameters renamed as predictions, self-citation chains, uniqueness theorems, or ansatzes appear in the abstract or description. The derivation chain is therefore self-contained against external benchmarks (real hardware runs) and does not reduce to its own inputs by construction.