Technische Universität Braunschweig
  • Study & Teaching
    • Beginning your Studies
      • Prospective Students
      • Degree Programmes
      • Application
      • Fit4TU
    • During your Studies
      • Freshmen-Hub
      • Term Dates
      • Information for Freshman
      • Practical Information
      • Additional Qualifications
      • Financing and Costs
      • Special Circumstances
      • Campus life
    • At the End of your Studies
      • Discontinuation and Credentials Certification
      • After graduation
      • Alumni
    • For Teaching Staff
      • Strategy, Offers and Information
      • Learning Management System Stud.IP
      • Team Teaching and Media Education
    • Contact
      • Student Advice Centre
      • Academic Advice Service
      • Admissions Office
  • Research
    • Research Profile
      • Core Research Areas
      • Clusters of Excellence
      • Research Projects
      • Research Centres
    • Early Stage Researchers
      • Promotion of early career scientists
      • PhD-Students
      • Postdocs
      • Junior research group leaders
      • Junior Professorship and Tenure-Track
      • Habilitation
      • Service Offers for Scientists
    • Research Data & Transparency
      • Transparency in Research
      • Research Data
      • Open Access Strategy
      • Digital Research Announcement
    • Research Funding
      • Research funding
    • Contact
      • Research Services
      • Academy for Graduates
  • International
    • International Students
      • Why Braunschweig?
      • Degree seeking students
      • Exchange Studies
      • Doctorate (PhD)
      • Refugee Students
      • Welcome Programme
      • TU Braunschweig Summer School
    • Scientists
      • Mobile Researchers at the TU Braunschweig
      • Research Services and European Office
    • Language and intercultural competence training
      • Learning German
      • Intercultural Communication
    • International Profile
      • Internationalisation
      • International Cooperation
    • International House
      • Information for first semester students
      • Contact
      • News and Events
      • Advisory Services
      • Location
      • About us
  • TU Braunschweig
    • Our Profile
      • Aims & Values
      • Regulations and Guidelines
      • Alliances & Partners
      • Facts & Figures
      • Our History
    • Career
      • Working at TU Braunschweig
      • Vacancies
    • Economy & Business
      • Knowledge and Technology Transfer
      • Entrepreneurship
    • General Public
      • Access to the University Library
    • Media Services
      • Communications and Press Service
      • Communications and Press Service
      • Film and photo permits
      • Advices for scientists
      • Topics and stories
    • Contact
      • General Contact
      • Getting here
  • Organisation
    • Presidency & Administration
      • Presidency
      • Designated Offices
      • Administration
      • Committees
    • Faculties
      • Carl-Friedrich-Gauß-Fakultät
      • Faculty of Life Sciences
      • Architecture, Civil Engineering and Environmental Sciences
      • Faculty of Mechanical Engineering
      • Fakultät für Elektrotechnik, Informationstechnik, Physik
      • Faculty of Humanities and Studies in Education
    • Institutes
      • Institutes from A to Z
    • Facilities
      • University Library
      • Gauß-IT-Zentrum
      • International House
      • Sports Centre
      • Facilities from A to Z
    • Equal Opportunity Office
      • Equal Opportunity Office
      • Family
      • Diversity for Students
  • Search
  • Quicklinks
    • People Search
    • Webmail
    • Campus map
    • CloudStorage
    • Messenger
    • Cafeteria
    • Courses
    • Stud.IP
    • Library Catalogue
    • IT Self-Service
    • Information Portal (employees)
    • Link Collection
    • DE
    • EN
    • IBR Twitter
    • IBR YouTube
    • Facebook
    • Twitter
    • Instagram
    • YouTube
    • LinkedIn
Menu
  • Organisation
  • Faculties
  • Carl-Friedrich-Gauß-Fakultät
  • Institutes
  • Institute of Operating Systems and Computer Networks
  • Current Projects
  • TFaaS: Trusted Sandboxed Execution of Serverless Functions
Logo IBR
IBR Login
  • Institute of Operating Systems and Computer Networks
    • News
    • About us
      • Whole Team
      • Directions
      • Floor Plan
      • Projects
      • Publications
      • Software
      • News Archive
    • Connected and Mobile Systems
      • Team
      • Courses
      • Theses
      • Projects
      • Publications
      • Software
      • Datasets
    • Reliable System Software
      • Team
      • Advent(2)
    • Algorithms
      • Team
      • Courses
      • Theses
      • Projects
      • Publications
    • Microprocessor Lab
    • Education
      • Winter 2023/2024
      • Summer 2023
      • Theses
    • Services
      • Library
      • Mailinglists
      • Webmail
      • Knowledge Base
      • Wiki
      • Account Management
      • Services Status
    • Spin-Offs
      • Docoloc
      • AIPARK
      • Confidential Technologies
    • Research Cooperations
      • IST.hub

TFaaS: Trusted Sandboxed Execution of Serverless Functions

TFaaS logo

News

  • April 2020: The TFaaS project recieved funding for the third year!
  • March 2020: The code of AccTEE is now publicy available!
  • September 2019: Our paper AccTEE: A WebAssembly-based Two-way Sandbox for Trusted Resource Accounting has been accepted at Middleware'19!
  • June 2019: The TFaaS project recieved funding for the second year!
  • May 2019: Our paper Trust more, serverless has been accepted at SYSTOR'19!

Project Description

Serverless cloud computing promises to be an attractive offering to both cloud users and providers. Existing serverless frameworks, including AWS Lambda, Apache OpenWhisk and OpenFaaS, follow a function-as-a-service (FaaS) model in which users express the business logic of their cloud applications as a sequence of function invocations, written in popular languages such as Java, JavaScript, and Python. Partly due to the immaturity of existing FaaS platforms, security aspects, in particular related to isolation of functions and their integrity during execution, have large been unexplored by the research community. This introduces risks, both to cloud users and cloud providers, as open source FaaS platforms gain in adoption.

We propose to explore and enhance the security of today’s FaaS platforms both for cloud users and cloud providers using a two-pronged approach: (i) from the perspective of cloud users, we plan to investigate how trusted execution capabilities of modern CPUs, can be used to shield serverless functions from the rest of the cloud FaaS stack. The goal is to develop new practical approaches to guarantee the data confidentiality and integrity of function computation. A specific research challenge will be to support short-lived functions efficiently within a trusted execution environment (TEE) with substantially larger set-up times. In addition, we will provide protocols that enhance a TEE’s attestation mechanism to efficiently and securely provide guarantees for serveless functions; and (ii) from the perspective of cloud providers, we will explore more lightweight sandboxing mechanisms for serverless functions that go beyond containers and employ language-based isolation. We will enhance modern programming language runtimes such as Python and JavaScript with isolation abstractions and investigate WebAssembly as a new portable format for executable code that is claimed to nearly run as fast as native machine code. The designed abstractions will enable the scalable execution of serverless functions, while offering security guarantees that are at least as effective as those of containers.

We will make an open-source proof-of-concept implementation of the above research ideas available as part of an extension of the OpenFaaS platform. At the hardware level, we will base our implementation on Intel SGX but also investigate the use of related more lightweight but less powerful technologies such as Intel MKTME and AMD SEV. In addition, we will publicise our research results through paper submissions to top-tier systems and security conferences.

Publication List

  • David Goltzsche, Manuel Nieke, Thomas Knauth and Rüdiger Kapitza: AccTEE: A WebAssembly-based Two-way Sandbox for Trusted Resource Accounting, in Proceedings of the 20th International Middleware Conference, Middleware '19, Davis, CA, USA, ACM, 2019 (goltzsche2019acctee, DOI, BibTeX, Slides)
  • Stefan Brenner and Rüdiger Kapitza: Trust More, Serverless, in Proceedings of the 12th ACM International Conference on Systems and Storage (SysTor'19), Haifa, Israel, pages 33-43, 2019 (systor19lambda, DOI, BibTeX)

Publication Summaries

"AccTEE: A WebAssembly-based Two-way Sandbox for Trusted Resource Accounting" published at Middleware'19

Download the paper!

Abstract: Remote computation has numerous use cases such as cloud computing, client-side web applications or volunteer computing. Typically, these computations are executed inside a sandboxed environment for two reasons: first, to isolate the execution in order to protect the host environment from unauthorised access, and second to control and restrict resource usage. Often, there is mutual distrust between entities providing the code and the ones executing it, owing to concerns over three potential problems: (i) loss of control over code and data by the providing entity, (ii) uncertainty of the integrity of the execution environment for customers, and (iii) a missing mutually trusted accounting of resource usage. In this paper we present AccTEE, a two-way sandbox that offers remote computation with resource accounting trusted by consumers and providers. AccTEE leverages two recent technologies: hardware-protected trusted execution environments, and Web-Assembly, a novel platform independent byte-code format. We show how AccTEE uses automated code instrumentation for fine-grained resource accounting while maintaining confidentiality and integrity of code and data. Our evaluation of AccTEE in three scenarios -- volunteer computing, serverless computing, and pay-by-computation for the web -- shows a maximum accounting overhead of 10%.

"Trust more, serverless" published at SYSTOR 2019

Download the paper!

Abstract: The increasingly popular and novel Function-as-a-Service (FaaS) clouds allow users the deployment of single functions. Compared to Infrastructure-as-a-Service or Platform-as-a-Service , this enables providers even more aggressive and rigorous resource sharing and liberates customers from tedious maintenance tasks. However, as a crucial factor of cloud adoption, FaaS clouds need to provide security and privacy guarantees in order to allow sensitive data processing. In this paper, we investigate securing FaaS clouds for sensitive data processing, while respecting their new features, capabilities and benefits in a technology-aware manner. We start with the proposal of a generic approach for a JavaScript-based secure FaaS platform, then get more specific and discuss the implementation of two distinct approaches based on (a) a lightweight and (b) a high performance JavaScript engine. Our prototype implementation shows promising performance while efficiently utilising resources, thereby keeping the penalties of the added security low.

Presentation at SYSYOR 2019

Funded by Intel

Intel Logo

Project Partners

  • TU Braunschweig, Institute of Operating Systems and Computer Networks, Distributed Systems Group
  • Imperial College London, Large-Scale Data Systems Group

Project Members at IBR

Photo
Prof. Dr. Rüdiger Kapitza
Ehemaliger Abteilungsleiter
rrkapitz[[at]]ibr.cs.tu-bs.de
Photo
Dr. Stefan Brenner
Ehemaliger Wissenschaftlicher Mitarbeiter
brenner[[at]]ibr.cs.tu-bs.de
Photo
Dr. David Goltzsche
Ehemaliger Wissenschaftlicher Mitarbeiter
goltzsche[[at]]ibr.cs.tu-bs.de
Photo
Manuel Nieke
Ehemaliger Wissenschaftlicher Mitarbeiter

Theses

TitleTypeSupervisorStatus
Enabling peer-to-peer communication between cooperative trusted web applicationsBachelor ThesisDr. David Goltzschefinished
Secure Volunteer ComputingMaster ThesisDr. David Goltzschefinished
Evaluation von WebAssembly InstruktionenBachelor ThesisDr. David Goltzschefinished

If you are interested in writing a thesis regarding this project, please feel free to contact us.


last changed 2020-09-30, 07:50 (dynamic content) by Dr. David Goltzsche

For All Visitors

Vacancies of TU Braunschweig
Career Service' Job Exchange 
Merchandising

For Students

Term Dates
Courses
Degree Programmes
Information for Freshman
TUCard

Internal Tools

Glossary (GER-EN)
Change your Personal Data

Contact

Technische Universität Braunschweig
Universitätsplatz 2
38106 Braunschweig

P. O. Box: 38092 Braunschweig
GERMANY

Phone: +49 (0) 531 391-0

Getting here

© Technische Universität Braunschweig
Imprint Privacy Accessibility