Paper 2025/727

Securing Nested Attestation of Confidential Serverless Computing without Intra-Enclave Isolation

Atsuki Momose, Acompany Co., Ltd.
Kailun Qin, Intel & Shanghai Jiao Tong University
Ao Sakurai, Acompany Co., Ltd.
Mona Vij, Intel Labs

Abstract

Confidential Computing-as-a-Service has gained significant attention in recent years, driven by rapid advances in Trusted Execution Environment (TEE) technology. Among various architectures, confidential serverless computing has emerged as a promising model. A common approach to designing confidential serverless computing involves decoupling the client workload from the initial enclave image and dynamically provisioning the workload at runtime. This enables both offloading the costly enclave bootstrapping and maintaining a fixed reference measurement for attestation. This decoupling necessitates nested attestation, where the client's workload is attested via a custom attestation module embedded in a platform-attested enclave established at boot time. The challenge in designing nested attestation, however, is to distinguish fresh enclaves from used ones to prevent enclave reuse. Specifically, a previously used enclave may be compromised and its attestation module tampered with. If the enclave is reused for another workload, it could bypass runtime attestation, allowing unverified code to execute. In this paper, we present a novel approach to securing nested attestation for confidential serverless computing on Intel Software Guard Extensions (Intel SGX). Unlike prior works, our approach does not rely on intra-enclave isolation techniques to sandbox the client's workload. Instead, we leverage the Key Separation and Sharing (KSS) feature of Intel SGX to track and prevent enclave reuse based on its immutable IDs. We develop a prototype system for confidential serverless computing for Python workloads, incorporating our nested attestation scheme, and present an empirical evaluation of its performance. We believe our scheme unveils a unique yet previously overlooked role of KSS: post-compromise identification, with broader implications beyond serverless computing. As a concrete example, we demonstrate how KSS can be leveraged to implement an enclave-binding TPM on Intel SGX, which is of independent interest.
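The reuse problem the abstract describes, and the role an immutable enclave ID plays in closing it, can be seen in a small protocol model. The following is an added illustration written for this page; it is not the authors' prototype, and it simulates the platform quote and the nested report with HMAC stand-ins rather than real SGX quotes. It assumes that the serverless runtime assigns each enclave instance a distinct KSS ISVEXTPRODID at creation and that this value is carried in the platform quote; which KSS field the paper actually uses is not stated in the abstract. The scenario runs the same three requests against a verifier with and without reuse tracking: a first tenant on enclave A, the same enclave A handed to a second tenant after its attestation module has been tampered with, and finally a fresh enclave B.

```python
"""Toy model of nested attestation with enclave-reuse tracking (added
illustration, not code from the paper; cryptography is simulated with HMAC)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed stand-ins: the platform quoting key, the reference measurement
# of the fixed bootstrap enclave image, and the measurement the client expects
# for its own workload.
PLATFORM_KEY = b"constructed-platform-quoting-key"
REFERENCE_MRENCLAVE = hashlib.sha256(b"bootstrap-enclave-image-v1").hexdigest()
EXPECTED_WORKLOAD = hashlib.sha256(b"print('hello from tenant')").hexdigest()


@dataclass
class PlatformQuote:
    mrenclave: str          # measurement of the bootstrap enclave image
    isv_ext_prod_id: bytes  # KSS immutable ID, fixed when the enclave is created
    report_data: bytes      # binds the in-enclave attestation module's key
    mac: bytes              # stands in for the Quoting Enclave's signature


def _quote_msg(mrenclave, isv_ext_prod_id, report_data):
    return mrenclave.encode() + isv_ext_prod_id + report_data


def platform_attest(mrenclave, isv_ext_prod_id, report_data):
    """Simulated platform attestation: MAC over the enclave identity fields."""
    msg = _quote_msg(mrenclave, isv_ext_prod_id, report_data)
    return PlatformQuote(mrenclave, isv_ext_prod_id, report_data,
                         hmac.new(PLATFORM_KEY, msg, "sha256").digest())


@dataclass
class Enclave:
    isv_ext_prod_id: bytes
    mrenclave: str = REFERENCE_MRENCLAVE
    module_key: bytes = field(default_factory=lambda: os.urandom(32))
    compromised: bool = False  # set once a tenant has tampered with the module

    def quote(self):
        # Real SGX would put (a hash of) the module's public key in report_data;
        # the toy places the MAC key itself there so the verifier can check it.
        return platform_attest(self.mrenclave, self.isv_ext_prod_id, self.module_key)

    def nested_report(self, workload):
        # An honest module measures what was actually loaded. A module tampered
        # with by a previous tenant simply claims the expected measurement.
        claimed = EXPECTED_WORKLOAD if self.compromised else hashlib.sha256(workload).hexdigest()
        return claimed, hmac.new(self.module_key, claimed.encode(), "sha256").digest()


class Verifier:
    def __init__(self, track_reuse=True):
        self.track_reuse = track_reuse
        self.used_ids = set()  # immutable IDs of enclaves already handed out

    def verify(self, quote, claimed, sig):
        msg = _quote_msg(quote.mrenclave, quote.isv_ext_prod_id, quote.report_data)
        if not hmac.compare_digest(quote.mac, hmac.new(PLATFORM_KEY, msg, "sha256").digest()):
            return "reject: bad platform quote"
        if quote.mrenclave != REFERENCE_MRENCLAVE:
            return "reject: unknown enclave image"
        # The reuse check must come before trusting the nested report, because a
        # tampered module inside a reused enclave will produce a valid-looking one.
        if self.track_reuse and quote.isv_ext_prod_id in self.used_ids:
            return "reject: enclave reuse"
        if not hmac.compare_digest(sig, hmac.new(quote.report_data, claimed.encode(), "sha256").digest()):
            return "reject: bad nested report"
        if claimed != EXPECTED_WORKLOAD:
            return "reject: workload mismatch"
        self.used_ids.add(quote.isv_ext_prod_id)
        return "accept"


def run_scenario(track_reuse):
    """Tenant 1 uses enclave A and tampers with it; A is then reused for a
    second tenant with a different workload; finally a fresh enclave B is used."""
    verifier = Verifier(track_reuse)
    enclave_a = Enclave(isv_ext_prod_id=b"\x01" * 16)
    outcomes = [verifier.verify(enclave_a.quote(),
                                *enclave_a.nested_report(b"print('hello from tenant')"))]
    enclave_a.compromised = True  # first tenant escaped and patched the module
    outcomes.append(verifier.verify(enclave_a.quote(),
                                    *enclave_a.nested_report(b"unverified_code()")))
    enclave_b = Enclave(isv_ext_prod_id=b"\x02" * 16)
    outcomes.append(verifier.verify(enclave_b.quote(),
                                    *enclave_b.nested_report(b"print('hello from tenant')")))
    return outcomes


if __name__ == "__main__":
    print("without reuse tracking:", run_scenario(track_reuse=False))
    print("with reuse tracking:   ", run_scenario(track_reuse=True))
```

Without tracking, the second request is accepted: the platform quote is genuine (the enclave image really is the reference one) and the tampered module signs the expected workload hash, so nothing in the nested report reveals that unverified code is running. With tracking, the verifier notices that the quote's immutable ID has already been consumed and rejects the request before it ever evaluates the nested report, which is the property the abstract attributes to KSS.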

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Confidential Computing, Attestation, Intel SGX
Contact author(s)
atsuki momose @ acompany-ac com
kailun qin @ intel com
ao sakurai @ acompany-ac com
mona vij @ intel com
History
2025-04-23: approved
2025-04-23: received
Short URL
https://ia.cr/2025/727
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/727,
      author = {Atsuki Momose and Kailun Qin and Ao Sakurai and Mona Vij},
      title = {Securing Nested Attestation of Confidential Serverless Computing without Intra-Enclave Isolation},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/727},
      year = {2025},
      url = {https://eprint.iacr.org/2025/727}
}