WaTZ: A Trusted WebAssembly Runtime
Environment with Remote Attestation for TrustZone
Jämes Ménétrey Marcelo Pasin Pascal Felber Valerio Schiavoni
University of Neuchâtel, Switzerland
July 10-13, 2022
42nd IEEE International Conference on Distributed Computing Systems
(ICDCS ’22), Bologna, Italy 🇮🇹
Ménétrey et al. — WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone — ICDCS ’22 / 22
Context
• We process and store sensitive data on edge or IoT devices
• Developers deploy applications on those systems they assume to be trustworthy
• How can we better protect deployed applications and systems?
[Figure: developers deploy their apps onto IoT devices; the attack surface of the system spans the whole stack: premises, hardware, firmware, OS, software stack, your apps]
Context (cont.)
• One way to better secure applications and systems is to use Trusted Execution Environments (TEEs)
• There are many TEE technologies; the most widespread on IoT devices is Arm TrustZone
• TEEs isolate applications from the rest of the system
[Figure: the same stack (premises, hardware, firmware, OS, software stack, your apps), labelled "Attack surface of your system"]
Primer on Arm TrustZone
• TrustZone is split in two worlds
• A Trusted Application (TA) is isolated from the normal world
• The limited amount of memory in the TEE reduces the size of the attack surface
• We use OP-TEE, an open-source trusted OS
[Figure: normal world (hypervisor, OS, apps) and secure world (Secure OS hosting TAs) side by side above the Secure Monitor and the hardware; a Communication arrow links the two worlds; the normal world and the premises are marked as the attack surface of the system]
OP-TEE limitations and pitfalls
• No POSIX API (e.g., printf), but the GlobalPlatform (GP) API
➡ Hard to write or migrate existing applications
• SDK only available for the C programming language
➡ Constrained development environment
• TrustZone does not come with attestation
➡ Lack of trust when deploying applications
How to ease the development experience?
Introduction to WebAssembly
• WebAssembly (Wasm) is a standard for a lightweight bytecode format
• A compilation target for most mainstream programming languages
• Initially meant for the web, it can be used anywhere today
• Includes the WebAssembly System Interface (WASI) for system interactions
[Image: Standardising WASI, Mozilla, 2020: a developer compiles with clang, cargo or tinygo to WebAssembly, which a WebAssembly runtime executes for the user]
RQ1: Challenges when embedding Wasm into TrustZone
• Interoperability: leverage WASI to replace POSIX and deliver features bound to the TEE
• Performance: execution of ahead-of-time compiled Wasm binaries
[Figure: architecture. Normal world: App, OS and a supplementary (Suppl.) component connected by RPC; secure world: a Trusted app containing the Wasm runtime, WASI and the Wasm app, running on the Secure OS through the GP API; the Wasm app is marked as the contribution]
RQ1: Results
• Language agnostic: Wasm introduces an intermediate bytecode, enabling the use of various programming languages
• Abstraction: Wasm applications no longer depend on TEE-specific concerns
• Sandbox: the hosted app and the secure OS are mutually distrustful
[Figure: the same architecture as on the previous slide]
RQ1: Contributions
• An embedded Wasm runtime in the TEE to abstract TEE-specific concerns for the hosted applications, called WaTZ
• An easy way to run applications in the TEE
[Figure: the TrustZone layout of slide 4, with WaTZ running as a TA in the secure world and hosting the Wasm app, marked as the contribution]
RQ2: How to trust a remotely executed application?
Attestation of applications
• Attestation is a way to prove the trustworthiness of a piece of software
• TEEs help obtain such a proof, called evidence
• Remote attestation provides this proof for remotely executed software
• Remote attestation is present in many state-of-the-art TEEs, such as Intel SGX, but is missing from TrustZone
Remote attestation primer
[Figure: roles and flows of remote attestation. The Attester (TrustZone) issues evidence made of claims, including a code measurement H(code); the Reference Value Provider provisions reference values to the Verifier; the Verifier compares the evidence against the reference values (= ?) and forwards the results to the Relying party, which then provisions confidential data to the Attester]
RQ2: Trust remote execution of Wasm applications
• Root of Trust: a secret value only available in the secure world, used for signing
• Secure boot: the system cannot be booted without a signed bootloader and OS
[Figure: boot sequence. The root of trust in the hardware boots the firmware; each following stage (the secure OS, then the normal-world hypervisor and OS) is verified before it is started]
RQ2: Protocol for remote attestation
• Protocol: inspired by SIGMA and Intel SGX, it enables us to authenticate remotely executing Wasm applications and detect genuine platforms
[Figure: protocol between the IoT device (Wasm runtime (TA) and Attestation service (Secure OS)) and the Cloud (Verifier): ① Challenge from the verifier; ② Request signing, with the code measurement computed over the Wasm bytecode; ③ Send evidence; ④ Forward evidence to the verifier, which downloads certificates from a certificates catalog and extracts the public key; ⑤ Provision data to the attested application]
RQ2: Contributions
• The foundation to protect the platform and infer trust
• A remote attestation protocol to establish trust with remote Wasm software
[Figure: the full system. Secure world: Secure OS with TAs, WaTZ hosting the Wasm app, and the attestation service; normal world: hypervisor, OS and apps; firmware and hardware below, with the root of trust and Verify arrows for the boot chain; the Cloud (Verifier) provides trust insurance and data provisioning; these elements are marked as contributions]
RQ3: What about performance?
Wasm performance: micro-benchmarks
Polybench/C: slowdown of 1.34x compared to native
• Polybench/C is a compiler performance benchmark
[Figure: normalised run time (lower is better) of the 30 Polybench/C kernels (2mm, 3mm, adi, ata, bic, cho, cor, cov, der, doi, dur, f2d, flo, gem, ges, gev, gra, h3d, j1d, j2d, lu, lud, mvt, nus, s2d, s2k, sym, syr, tri, trm) for Wasm in the REE (WAMR) and in the TEE (WaTZ), relative to native in the REE (= 1); per-kernel values range from about 1.03x to 2.47x]
Wasm performance: macro-benchmarks
SQLite Speedtest1 benchmarks
[Figure: two panels of normalised run time (lower is better) over the Speedtest1 test cases (ids 100 to 990), comparing Native: REE (= 1) and TEE against Wasm: REE (WAMR) and TEE (WaTZ); the slide annotates the relative slowdowns between Native (REE), Wasm (REE), Native (TEE) and Wasm (TEE) as 2.1x, 1.31x, 1.01x, 1.62x and 2.12x]
Wasm attestation: benchmarks
• We tested the remote attestation protocol using Genann, a neural network library
• The Wasm application has access to an API to control the remote attestation process: handshake, collect_quote, send_quote and receive_data
[Figure: the Genann application inside the Wasm runtime calls handshake, collect_quote, send_quote and receive_data; the calls involve the Secure OS and the Cloud (Verifier)]
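The attestation protocol of slide 15 and the four API calls of slide 20, as an added example that is not WaTZ code: a Python simulation in which the device signs a fresh challenge together with the hash of the Wasm bytecode, and the verifier appraises that evidence against a certificates catalog and reference values before provisioning data. The function names mirror the slide's API, but their signatures, the JSON claim format, the HMAC shared key standing in for the device certificate and signature, the derived session key in place of a SIGMA-style key exchange, and all sample values are assumptions.

```python
import hashlib
import hmac
import json
import os

# Constructed sample values; none of these come from the paper.
DEVICE_ID = "iot-device-0001"
ROOT_OF_TRUST = b"constructed-device-secret"  # held only by the secure world
WASM_BYTECODE = b"\x00asm\x01\x00\x00\x00" + b"constructed genann module body"

# Verifier-side state. Assumption: an HMAC key shared with the verifier stands
# in for the device certificate / public key that slide 15 extracts.
CERT_CATALOG = {DEVICE_ID: ROOT_OF_TRUST}
REFERENCE_VALUES = {hashlib.sha256(WASM_BYTECODE).hexdigest()}


def measure(bytecode: bytes) -> str:
    """Code measurement: the hash of the Wasm bytecode (slide 15)."""
    return hashlib.sha256(bytecode).hexdigest()


def sign_claims(key: bytes, claims: dict) -> str:
    """Deterministic encoding of the claims, then a MAC as the signature stand-in."""
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


# ---- Cloud (Verifier) ----
def handshake() -> bytes:
    """Step 1: the verifier issues a fresh random challenge."""
    return os.urandom(16)


def appraise(evidence: dict, nonce: bytes) -> tuple:
    """Step 4: check origin, freshness and the measurement against reference values."""
    claims = evidence["claims"]
    key = CERT_CATALOG.get(claims["device_id"])  # "extract public key" on slide 15
    if key is None:
        return False, "unknown device"
    if not hmac.compare_digest(sign_claims(key, claims), evidence["signature"]):
        return False, "signature mismatch"
    if claims["nonce"] != nonce.hex():
        return False, "stale or replayed challenge"
    if claims["measurement"] not in REFERENCE_VALUES:
        return False, "measurement not in reference values"
    return True, "trusted"


# ---- IoT device (Wasm runtime TA + attestation service in the secure OS) ----
def collect_quote(nonce: bytes, bytecode: bytes, root_key: bytes = ROOT_OF_TRUST) -> dict:
    """Step 2: the runtime asks the attestation service to sign the claims."""
    claims = {"device_id": DEVICE_ID, "measurement": measure(bytecode), "nonce": nonce.hex()}
    return {"claims": claims, "signature": sign_claims(root_key, claims)}


def send_quote(evidence: dict, nonce: bytes) -> tuple:
    """Step 3: deliver the evidence; the verifier is simply called in-process here."""
    return appraise(evidence, nonce)


def session_key(nonce: bytes, measurement: str) -> bytes:
    """Key for step 5, bound to this challenge and this measurement. Assumption:
    derived from the shared key rather than a SIGMA-style Diffie-Hellman exchange."""
    return hmac.new(ROOT_OF_TRUST, b"provision" + nonce + measurement.encode(),
                    hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (SHA-256 in counter mode) standing in for a real AEAD."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def receive_data(nonce: bytes, measurement: str, ciphertext: bytes) -> bytes:
    """Step 5: the Wasm app decrypts the data provisioned after a successful appraisal."""
    return xor_stream(session_key(nonce, measurement), ciphertext)


def run_protocol(bytecode: bytes, secret: bytes = b"constructed model weights") -> tuple:
    """Full exchange; returns (trusted, data the Wasm app received)."""
    nonce = handshake()
    evidence = collect_quote(nonce, bytecode)
    ok, _ = send_quote(evidence, nonce)
    if not ok:
        return False, b""  # the verifier provisions nothing to an untrusted runtime
    measurement = evidence["claims"]["measurement"]
    ciphertext = xor_stream(session_key(nonce, measurement), secret)
    return True, receive_data(nonce, measurement, ciphertext)


if __name__ == "__main__":
    print(run_protocol(WASM_BYTECODE))
    print(run_protocol(WASM_BYTECODE + b"\x01"))  # tampered bytecode is rejected
```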
Wasm attestation: benchmarks
Execution time of the functions handshake, collect_quote and send_quote:
  handshake   collect_quote   send_quote   Baseline
  1.34 s      239 ms          1 ms         1.58 s
Time taken by receive_data based on the size of the data:
  Baseline   Size     receive_data   Total
  1.58 s     0.1 MB   168 ms         1.75 s
  1.58 s     1 MB     209 ms         1.79 s
[Figure: execution time of the function receive_data in more detail: time [ms] (lower is better) of the Encrypt and Decrypt steps against data size [MB]]
Thanks for your attention!
Takeaway
• WaTZ is a trusted WebAssembly runtime in TrustZone for edge and IoT devices with sufficient performance for practical deployments
• Applications compiled into WebAssembly do not need to be modified, as long as the system calls are covered by WASI
• Remote attestation is supported thanks to additional hardware components and integration in the Wasm runtime
• WaTZ is open-source with all the instructions to reproduce the experiments

Contenu connexe

Tendances

Docker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker 101: Introduction to Docker
Docker 101: Introduction to Docker
Docker, Inc.
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
Alex Matrosov
 
Mockito vs JMockit, battle of the mocking frameworks
Mockito vs JMockit, battle of the mocking frameworksMockito vs JMockit, battle of the mocking frameworks
Mockito vs JMockit, battle of the mocking frameworks
EndranNL
 

Tendances (20)

Docker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker 101: Introduction to Docker
Docker 101: Introduction to Docker
 
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020
 
Fury DevopsConf 2015
Fury DevopsConf 2015Fury DevopsConf 2015
Fury DevopsConf 2015
 
Automation Testing using Selenium
Automation Testing using SeleniumAutomation Testing using Selenium
Automation Testing using Selenium
 
Ansible
AnsibleAnsible
Ansible
 
CI/CD Overview
CI/CD OverviewCI/CD Overview
CI/CD Overview
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 
Docker and WASM
Docker and WASMDocker and WASM
Docker and WASM
 
infrastructure as code
infrastructure as codeinfrastructure as code
infrastructure as code
 
Docker Basics
Docker BasicsDocker Basics
Docker Basics
 
WSL Reloaded
WSL ReloadedWSL Reloaded
WSL Reloaded
 
Mockito vs JMockit, battle of the mocking frameworks
Mockito vs JMockit, battle of the mocking frameworksMockito vs JMockit, battle of the mocking frameworks
Mockito vs JMockit, battle of the mocking frameworks
 
OpenShift Introduction
OpenShift IntroductionOpenShift Introduction
OpenShift Introduction
 
Ansible
AnsibleAnsible
Ansible
 
Jenkins-CI
Jenkins-CIJenkins-CI
Jenkins-CI
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
Room 2 - 6 - Đinh Tuấn Phong - Migrate opensource database to Kubernetes easi...
Room 2 - 6 - Đinh Tuấn Phong - Migrate opensource database to Kubernetes easi...Room 2 - 6 - Đinh Tuấn Phong - Migrate opensource database to Kubernetes easi...
Room 2 - 6 - Đinh Tuấn Phong - Migrate opensource database to Kubernetes easi...
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
 
Jenkins
JenkinsJenkins
Jenkins
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOps
 

Similaire à WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone - Presentation slides

MS Cloud Day - Deploying and monitoring windows azure applications
MS Cloud Day - Deploying and monitoring windows azure applicationsMS Cloud Day - Deploying and monitoring windows azure applications
MS Cloud Day - Deploying and monitoring windows azure applications
Spiffy
 
Microsoft System Center 2012 R2 Overview - Presented by Atidan
Microsoft System Center 2012 R2 Overview - Presented by AtidanMicrosoft System Center 2012 R2 Overview - Presented by Atidan
Microsoft System Center 2012 R2 Overview - Presented by Atidan
David J Rosenthal
 
eMagic-Data Center Management System
eMagic-Data Center Management SystemeMagic-Data Center Management System
eMagic-Data Center Management System
Sandesh Sonar
 

Similaire à WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone - Presentation slides (20)

Attestation Mechanisms for Trusted Execution Environments Demystified - Prese...
Attestation Mechanisms for Trusted Execution Environments Demystified - Prese...Attestation Mechanisms for Trusted Execution Environments Demystified - Prese...
Attestation Mechanisms for Trusted Execution Environments Demystified - Prese...
 
HiPEAC 2022_Marcelo Pasin presentation
HiPEAC 2022_Marcelo Pasin presentationHiPEAC 2022_Marcelo Pasin presentation
HiPEAC 2022_Marcelo Pasin presentation
 
VMware Developer-Ready Transformation
VMware Developer-Ready TransformationVMware Developer-Ready Transformation
VMware Developer-Ready Transformation
 
WebRTC Webinar & Q&A - W3C WebRTC JS API Test Platform & Updates from W3C Lis...
WebRTC Webinar & Q&A - W3C WebRTC JS API Test Platform & Updates from W3C Lis...WebRTC Webinar & Q&A - W3C WebRTC JS API Test Platform & Updates from W3C Lis...
WebRTC Webinar & Q&A - W3C WebRTC JS API Test Platform & Updates from W3C Lis...
 
IoT Tech Expo 2023_Marcelo Pasin presentation
IoT Tech Expo 2023_Marcelo Pasin presentationIoT Tech Expo 2023_Marcelo Pasin presentation
IoT Tech Expo 2023_Marcelo Pasin presentation
 
Dependable Cloud Comuting
Dependable Cloud ComutingDependable Cloud Comuting
Dependable Cloud Comuting
 
Automated Deployment and Management of Edge Clouds
Automated Deployment and Management of Edge CloudsAutomated Deployment and Management of Edge Clouds
Automated Deployment and Management of Edge Clouds
 
Twine: An Embedded Trusted Runtime for WebAssembly - Presentation slides
Twine: An Embedded Trusted Runtime for WebAssembly - Presentation slidesTwine: An Embedded Trusted Runtime for WebAssembly - Presentation slides
Twine: An Embedded Trusted Runtime for WebAssembly - Presentation slides
 
DEVNET-1169 CI/CT/CD on a Micro Services Applications using Docker, Salt & Ni...
DEVNET-1169	CI/CT/CD on a Micro Services Applications using Docker, Salt & Ni...DEVNET-1169	CI/CT/CD on a Micro Services Applications using Docker, Salt & Ni...
DEVNET-1169 CI/CT/CD on a Micro Services Applications using Docker, Salt & Ni...
 
VMworld 2015: vCloud Air 2015 – Getting Started with Hybrid Cloud
VMworld 2015: vCloud Air 2015 – Getting Started with Hybrid CloudVMworld 2015: vCloud Air 2015 – Getting Started with Hybrid Cloud
VMworld 2015: vCloud Air 2015 – Getting Started with Hybrid Cloud
 
Slash Avionics Integration Costs with DO-178C Certifiable Connectivity Software
Slash Avionics Integration Costs with DO-178C Certifiable Connectivity SoftwareSlash Avionics Integration Costs with DO-178C Certifiable Connectivity Software
Slash Avionics Integration Costs with DO-178C Certifiable Connectivity Software
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
 
OpenShift Taiwan Vol.1 Technology Overview
OpenShift Taiwan Vol.1 Technology OverviewOpenShift Taiwan Vol.1 Technology Overview
OpenShift Taiwan Vol.1 Technology Overview
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
 
Instrumenting the real-time web: Node.js in production
Instrumenting the real-time web: Node.js in productionInstrumenting the real-time web: Node.js in production
Instrumenting the real-time web: Node.js in production
 
[OpenStack Days Korea 2016] An SDN Pioneer's Vision of Networking
[OpenStack Days Korea 2016] An SDN Pioneer's Vision of Networking[OpenStack Days Korea 2016] An SDN Pioneer's Vision of Networking
[OpenStack Days Korea 2016] An SDN Pioneer's Vision of Networking
 
MS Cloud Day - Deploying and monitoring windows azure applications
MS Cloud Day - Deploying and monitoring windows azure applicationsMS Cloud Day - Deploying and monitoring windows azure applications
MS Cloud Day - Deploying and monitoring windows azure applications
 
Dotcom monitor platform overview
Dotcom monitor platform overviewDotcom monitor platform overview
Dotcom monitor platform overview
 
Microsoft System Center 2012 R2 Overview - Presented by Atidan
Microsoft System Center 2012 R2 Overview - Presented by AtidanMicrosoft System Center 2012 R2 Overview - Presented by Atidan
Microsoft System Center 2012 R2 Overview - Presented by Atidan
 
eMagic-Data Center Management System
eMagic-Data Center Management SystemeMagic-Data Center Management System
eMagic-Data Center Management System
 

Dernier

%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
masabamasaba
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
VictoriaMetrics
 

Dernier (20)

%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT  - Elevating Productivity in Today's Agile EnvironmentHarnessing ChatGPT  - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 

WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone - Presentation slides

  • 1. WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone Jämes Ménétrey Marcelo Pasin Pascal Felber Valerio Schiavoni University of Neuchâtel, Switzerland July 10-13, 2022 42nd IEEE International Conference on Distributed Computing Systems (ICDCS ’22), Bologna, Italy 🇮🇹
  • 2. Ménétrey et al. — WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone — ICDCS ’22 / 22 Context Developers Your apps • We process and store sensitive data on edge or IoT devices • Developers deploy applications on those systems they assume to be trustworthy • How can we better protect deployed applications and systems? 2 IoT devices Hardware Firmware Premises OS Software stack Your apps Attack surface of your system
  • 3. Ménétrey et al. — WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone — ICDCS ’22 / 22 Context (cont.) Hardware Firmware Premises OS Software stack Your apps Attack surface of your system • One way to better secure applications and systems is to use Trusted Execution Environments (TEEs) • There are many TEE technologies, the most widespread on IoT devices is Arm TrustZone • TEEs isolate applications from the rest of the system 3
  • 4. Ménétrey et al. — WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone — ICDCS ’22 / 22 Primer on Arm TrustZone 4 Attack surface of your system Secure world Secure OS TA TA TA Secure Monitor Hardware OS App App App Hypervisor Communication Premises Normal world • TrustZone is split in two worlds • Trusted Application (TA) is isolated from the normal world • Limited amount of memory in the TEE, this reduces the size of the attack surface • We use OP-TEE, an open- source trusted OS
  • 5. Ménétrey et al. — WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone — ICDCS ’22 / 22 OP-TEE limitations and pitfalls 5 • No POSIX API (e.g., printf), but Global Platform (GP) API ➡ Hard to write or migrate existing applications • SDK only available for C programming language ➡ Constrained development environment • TrustZone does not come with attestation ➡ Lack of trust when deploying applications
  • 6. Ménétrey et al. — WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone — ICDCS ’22 / 22 How to ease the development experience? 6
  • 7. Ménétrey et al. — WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone — ICDCS ’22 / 22 Introduction to WebAssembly 7 • WebAssembly (Wasm) is a standard for a lightweight bytecode format • A compilation target for most mainstream programming languages • Initially meant for the web, can be used anywhere today • Include WebAssembly System Interface (WASI) for system interactions Image: Standardising WASI, Mozilla, 2020 developer WebAssembly runtime clang user cargo tinygo
  • 8. Ménétrey et al. — WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone — ICDCS ’22 / 22 RQ1: Challenges when embedding Wasm into TrustZone 8 • Interoperability: Leverage WASI to replace POSIX and deliver features bound to the TEE • Performance: Execution of ahead-of-time compiled Wasm binaries App Secure world Normal world Suppl. Trusted app Wasm runtime WASI Secure OS Wasm app RPC OS GP Wasm app Contributions
  • 9. Ménétrey et al. — WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone — ICDCS ’22 / 22 RQ1: Results 9 • Language agnostic: Wasm introduces an intermediate bytecode, enabling to use various programming languages • Abstraction: Wasm applications no longer depend on TEE-specific concerns • Sandbox: The hosted app and the secure OS are mutually distrusted App Secure world Normal world Suppl. Trusted app Wasm runtime WASI Secure OS Wasm app RPC OS GP Wasm app Contributions
  • 10. Ménétrey et al. — WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone — ICDCS ’22 / 22 RQ1: Contributions 10 • An embedded Wasm runtime in the TEE to abstract TEE-specific concerns for the hosted applications, called WaTZ • An easy way to run applications in the TEE Secure world Secure OS TA WaTZ TA Secure Monitor Hardware OS App App App Hypervisor Communication Premises Normal world Wasm App Contributions
  • 11. Ménétrey et al. — WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone — ICDCS ’22 / 22 RQ2: How to trust a remotely executed application? 11
  • 12. Ménétrey et al. — WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone — ICDCS ’22 / 22 Attestation of applications • Attestation is a way to prove the trustworthiness of a piece of software • TEEs help obtaining such a proof, called evidence • Remote attestation provides this proof for remotely executed software • Remote attestation is present in many state-of-the-art TEEs, such as Intel SGX, but is missing from TrustZone 12
  • 13. Ménétrey et al. — WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone — ICDCS ’22 / 22 Remote attestation primer Attester (TrustZone) Veri fi er Reference Value Provider 13 Reference values = ? Provision references values Forward results Evidence Claims H( ) Code measurement Issue evidence Provision confidential data Relying party
  • 14. Ménétrey et al. — WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone — ICDCS ’22 / 22 RQ2: Trust remote execution of Wasm applications 14 • Root of Trust: A secret value only available in the secure world for signature • Secure boot: The system cannot be booted without signed bootloader and OS Secure world Secure OS Firmware Hardware OS Hypervisor Normal world Boot Root of trust Verify Verify Start
  • 15. Ménétrey et al. — WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone — ICDCS ’22 / 22 ⑤ Provision data RQ2: Protocol for remote attestation 15 • Protocol: Inspired by SIGMA and Intel SGX, enables us to authenticate remotely executing Wasm applications and detect genuine platforms Wasm runtime (TA) Attestation service (Secure OS) Cloud (Veri fi er) ① Challenge ② Request signing Code measurement (Wasm bytecode) ③ Send Evidence ④ Forward evidence Download certificates Certi fi cates catalog Extract public key IoT device
RQ2: Contributions
• The foundation to protect the platform and infer trust
• A remote attestation protocol to establish trust with remote Wasm software
[Diagram: the TrustZone system stack with the contributions highlighted: the WaTZ TA running the Wasm app in the secure world, the attestation service in the secure OS, the root of trust in hardware (verify, verify), and a verifier in the cloud providing trust insurance & data provisioning]
16
RQ3: What about performance?
17
Wasm performance: micro-benchmarks
[Figure: normalised run time (lower is better) of the Polybench/C kernels 2mm, 3mm, adi, ata, bic, cho, cor, cov, der, doi, dur, f2d, flo, gem, ges, gev, gra, h3d, j1d, j2d, lu, lud, mvt, nus, s2d, s2k, sym, syr, tri, trm; series: Native REE (= 1), Wasm REE (WAMR), Wasm TEE (WaTZ); per-kernel ratios range from 1.03 to 2.47]
• Polybench/C is a compiler performance benchmark
• Polybench/C: slowdown of 1.34x compared to native
18
Wasm performance: macro-benchmarks
[Figure: normalised run time (lower is better) of the SQLite Speedtest1 test cases, two panels; series: Native REE (= 1), Native TEE, Wasm REE (WAMR), Wasm TEE (WaTZ); per-test ratios range from 0.96 to 2.54; summary factors annotated on the slide: 1.01x, 1.31x, 1.62x, 2.1x, 2.12x]
• SQLite Speedtest1 benchmarks: Native (REE), Wasm (REE), Native (TEE), Wasm (TEE)
19
Wasm attestation: benchmarks
• We tested the remote attestation protocol using Genann, a neural network library
• The Wasm application has access to an API to control the remote attestation process: handshake, collect_quote, send_quote and receive_data
[Diagram: the Genann Wasm application inside the Wasm runtime calls handshake, collect_quote, send_quote and receive_data, which involve the secure OS and the cloud (Verifier)]
20
Wasm attestation: benchmarks
Execution time of the functions handshake, collect_quote and send_quote:
  handshake   collect_quote   send_quote   Total
  1.34 s      239 ms          1 ms         1.58 s   (Baseline)

Execution time of the function receive_data in more detail:
  Baseline   Size     receive_data   Total
  1.58 s     0.1 MB   168 ms         1.75 s
  1.58 s     1 MB     209 ms         1.79 s

[Figure: time taken by receive_data as a function of the data size, 0.5 to 3.0 MB, with separate Encrypt and Decrypt curves; y axis: time in ms, 0 to 18 (lower is better)]
21
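What the handshake and receive_data steps of slides 20 and 21 look like in isolation, as an added example that is not part of WaTZ: an X25519 key agreement between the cloud and the TA, AES-256-GCM sealing of the provisioned data, and a timing of encrypt and decrypt as a function of the data size, in the spirit of the receive_data plot above. The names (Session, Provision, RoundTrip), the SHA-256 key derivation and the constructed payload are assumptions. In the full protocol the TA's ephemeral public key is carried inside the signed evidence, which is what lets the verifier trust the peer key; that binding is outside this block, which only shows the channel once both keys are known.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Session is one side's view of the channel: its ephemeral X25519 key and, after the
// handshake, the AEAD derived from the shared secret. The cloud and the TA each hold one.
type Session struct {
	priv *ecdh.PrivateKey
	aead cipher.AEAD
}

// NewSession generates the ephemeral key pair (the first half of handshake).
func NewSession() (*Session, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Session{priv: priv}, nil
}

// Public is the key sent to the peer; in the full protocol the TA's copy travels inside
// the signed evidence, which is what lets the verifier trust it.
func (s *Session) Public() []byte { return s.priv.PublicKey().Bytes() }

// Handshake finishes the key agreement: X25519 with the peer key, then SHA-256 of the
// shared secret as the AES-256-GCM key (hashing stands in for a proper KDF; an assumption).
func (s *Session) Handshake(peerPub []byte) error {
	peer, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	shared, err := s.priv.ECDH(peer)
	if err != nil {
		return err
	}
	key := sha256.Sum256(append([]byte("watz-session:"), shared...))
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always accepted
	s.aead, err = cipher.NewGCM(block)
	return err
}

// Provision (cloud side) seals the confidential data; the GCM nonce is prefixed to the output.
func (s *Session) Provision(data []byte) ([]byte, error) {
	if s.aead == nil {
		return nil, errors.New("handshake not completed")
	}
	n := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return s.aead.Seal(n, n, data, nil), nil
}

// ReceiveData (TA side) opens the sealed data; any change in transit fails the GCM tag check.
func (s *Session) ReceiveData(ct []byte) ([]byte, error) {
	if s.aead == nil || len(ct) < s.aead.NonceSize() {
		return nil, errors.New("handshake not completed or ciphertext too short")
	}
	return s.aead.Open(nil, ct[:s.aead.NonceSize()], ct[s.aead.NonceSize():], nil)
}

// RoundTrip provisions size bytes of constructed data (byte i holds i mod 256) from the cloud
// to the TA and returns what the TA recovered plus the encrypt and decrypt times.
func RoundTrip(size int) (recovered []byte, encrypt, decrypt time.Duration, err error) {
	cloud, err1 := NewSession()
	ta, err2 := NewSession()
	if err = errors.Join(err1, err2); err != nil {
		return
	}
	if err = cloud.Handshake(ta.Public()); err != nil {
		return
	}
	if err = ta.Handshake(cloud.Public()); err != nil {
		return
	}
	data := make([]byte, size)
	for i := range data {
		data[i] = byte(i)
	}
	start := time.Now()
	ct, err := cloud.Provision(data)
	encrypt = time.Since(start)
	if err != nil {
		return
	}
	start = time.Now()
	recovered, err = ta.ReceiveData(ct)
	decrypt = time.Since(start)
	return
}

func main() {
	for _, mb := range []int{1, 2, 3} { // the same order of magnitude as the plot above
		_, enc, dec, err := RoundTrip(mb << 20)
		fmt.Printf("%d MB: encrypt %v, decrypt %v, err %v\n", mb, enc, dec, err)
	}
}
```

Running the block prints one line per size; on a desktop CPU with AES instructions both times stay in the low milliseconds, whereas the slide's numbers come from the TEE on an IoT board, so only the linear growth with the payload size, not the absolute values, should be expected to match.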
Thanks for your attention!
Takeaway
• WaTZ is a trusted WebAssembly runtime in TrustZone for edge and IoT devices, with sufficient performance for practical deployments
• Applications compiled into WebAssembly do not need to be modified, as long as the system calls are covered by WASI
• Remote attestation is supported thanks to additional hardware components and integration in the Wasm runtime
• WaTZ is open-source, with all the instructions to reproduce the experiments
22