Google Launches “Asylo” Framework for Confidential Computing

Google this week announced the release of an open-source framework and software development kit (SDK) that allows developers to build applications targeting trusted execution environments.

Dubbed Asylo (Greek for “safe place”), the new framework should make it easier to protect the confidentiality and integrity of applications and data in isolated, confidential computing environments.

Aimed at defending against attacks targeting underlying layers of the stack (operating system, hypervisor, drivers, and firmware), trusted execution environments (TEEs) offer specialized execution environments called “enclaves” and can mitigate the risk of compromise by an unauthorized third-party.

The newly announced Asylo framework “includes features and services for encrypting sensitive communications and verifying the integrity of code running in enclaves, which help protect data and applications,” Google says.

Until now, specialized knowledge and tools were required for creating and running applications in a TEE, and implementations have been tied to specific hardware environments. With Asylo, TEEs become more broadly accessible to the developer community, allowing for the creation of applications that target various on-premises and in the cloud hardware.

With the Asylo framework, developers can easily build applications and make them portable, thus ensuring they can be deployed on various software and hardware backends. Google also provides a Docker image via Google Container Registry, offering all of the dependencies needed to run a container anywhere.

Because of this increased flexibility, developers can leverage hardware architectures with TEE support without having to modify their source code. Developers can quickly port their applications across different enclave backends (laptop, workstation, a virtual machine in an on-premises server, or an instance in the cloud).

“We are exploring future backends based on AMD Secure Encryption Virtualization (SEV) technology, Intel Software Guard Extensions (Intel SGX), and other industry-leading hardware technologies that could support the same rebuild-and-run portability,” Google says.

Asylo also provides increased ease-of-use, enabling apps to leverage the security properties of TEEs without requiring developers to learn a completely new programming model.

On top of that, the framework is open-source, meaning that it makes confidential computing technology available to everyone.

Now offering an SDK and tools to help developers build portable enclave applications, Asylo will soon also allow them to run existing applications in an enclave. For that, developers would simply need to copy their apps into the Asylo container, specify the backend and rebuild them.

To get started with Asylo, developers just need to download the sources and pre-built container image from Google Container Registry. The container includes samples that developers can analyze to start building their code. A quick-start guide and documentation were also published. Asylo is also available on GitHub.

Related: Microsoft Unveils New Solution for Securing Critical Infrastructure

Related: New Rowhammer Attack Bypasses Existing Defenses