Serverless compute unit for secure and attestable multi-component applications
School of Science
Master's thesis
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for Your own personal use. Commercial use is prohibited.
Language
en
Pages
66
Abstract
We present a mechanism for establishing trust in applications using that application's subparts rather than treating the entire application as an opaque, monolithic block. The mechanism provides the necessary means for starting virtual machines that can testify about their supply chain, from the CPU to the operating system and running applications, using Remote Attestation. The attestation evidence is signed with cryptographic material generated during CPU manufacturing, making it impossible for any of the components in the software stack to present a false report. The boot process starts with the microcode, which measures the firmware code, which in turn measures the rest of the boot process. The chain of trust is extended to the WebAssembly Runtime and to the WebAssembly Application State, which is presented to the Verifier as a graph of instances. The Verifier can now walk the instance graph to gather information about the realization of the dependencies at runtime, providing it with a mechanism to enforce stronger yet more versatile security policies.
Supervisor
Gunn, Lachlan
Thesis advisor
Onen, Melek
Gunn, Lachlan