Collaborative Research: SaTC: TTP: Medium: Toward Complete, User-Friendly, and Trustworthy Confidential Computing with Gramine

协作研究：SaTC：TTP：中：使用 Gramine 实现完整、用户友好且值得信赖的机密计算

• 批准号: 2244938
• 负责人: Chia-Che Tsai
• 金额: $ 58.9万
• 依托单位: Texas A&M Engineering Experiment Station
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-07-01 至 2027-06-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2244938&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; TTP; Medium

This project aims to mature Gramine, previously known as Graphene or Graphene-SGX, from a successful, open-source (LGPL v3.0) research prototype into a robust, easy-to-use, and trustworthy building block for confidential computing applications. Confidential computing protects code and data in use, building upon recent hardware trusted execution environments (TEEs), such as Intel's SGX enclaves. Confidential computing is essential for cloud computing applications that use sensitive data, such as health applications, where one must balance the economic benefits of cloud computing with regulatory compliance or other security concerns. Gramine is a "lift-and-shift" framework for running unmodified applications in Intel SGX. The project addresses various barriers to adopting Gramine in production settings, including challenges in compatibility, usability, and security of Gramine. The project's novelties are creating a robust, general-purpose, open-source, Linux-compatibility layer that can easily migrate legacy application code from one platform to another---here, emerging confidential computing hardware. The project's broader significance and importance is to accelerate the study of confidential computing and other emerging computational platforms. Gramine is already a building block for over 100 academic papers and several commercial product prototypes. Gramine is publicly available at https://github.com/gramineproject/gramine.The project focuses on three aspects of Gramine development. First, the project expands the set of system interfaces and applications that work on Gramine, with the goal of supporting 90% of the applications installed on a representative Debian/Ubuntu system. Second, the project improves the Gramine user experience, by addressing deployment issues, simplifying configuration and policy decisions, better integrating with other software frameworks, and expanding the set of supported TEEs. Third, the project improves the trustworthiness of Gramine's code base with advanced testing and analysis, as well as rewriting critical code in Rust programming language.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

该项目旨在将Gramine，以前称为Graphene或Graphene-SGX，从一个成功的开源(LGPL v3.0)研究原型发展为用于机密计算应用程序的强大、易于使用和值得信赖的构建块。机密计算以最新的硬件可信执行环境(TEE)为基础，保护正在使用的代码和数据，例如英特尔的SGX Enclaves。机密计算对于使用敏感数据的云计算应用程序至关重要，例如健康应用程序，在这些应用程序中，人们必须在云计算的经济效益与监管合规性或其他安全问题之间取得平衡。Gramine是一个在Intel SGX中运行未经修改的应用程序的“升降式”框架。该项目解决了在生产环境中采用Gramine的各种障碍，包括Gramine的兼容性、可用性和安全性方面的挑战。该项目的新奇之处在于创建了一个健壮的、通用的、开源的、兼容Linux的层，它可以轻松地将遗留应用程序代码从一个平台迁移到另一个平台-这里是新兴的机密计算硬件。该项目更广泛的意义和重要性在于加快了对机密计算等新兴计算平台的研究。Gramine已经成为100多篇学术论文和几个商业产品原型的基石。Gramine是在https://github.com/gramineproject/gramine.The项目上公开提供的，该项目专注于Gramine开发的三个方面。首先，该项目扩展了在Gramine上工作的系统接口和应用程序集，目标是支持Debian/Ubuntu代表性系统上安装的90%的应用程序。其次，该项目通过解决部署问题、简化配置和政策决策、更好地与其他软件框架集成以及扩大受支持的TEE集合，改善了Gramine的用户体验。第三，该项目通过先进的测试和分析，以及用铁锈编程语言重写关键代码，提高了Gramine代码库的可信度。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。