Overview
Explore a 15-minute conference talk from OSDI '23 that introduces eOPF, an extensible orchestration and protection framework for confidential cloud computing. Delve into the challenges of cloud privacy and the limitations of hardware-based solutions like SGX. Learn how eOPF provides a comprehensive, secure hypervisor-level instrumentation framework that monitors enclave-OS interactions and implements protected services. Discover how eOPF overcomes challenges such as bridging the semantic gap between the hypervisor and SGX, and attesting that the framework is co-located with the enclaves. Examine two implemented protected services: platform resource orchestration and complementary enclave side-channel defense. Gain insights into eOPF's performance, with less than 2% overhead in its default state and a geometric mean overhead of 17% on SPEC when strong side-channel defenses are enabled. Understand why eOPF is considered an efficient and practical solution for enhancing privacy and security in cloud computing environments.
Syllabus
OSDI '23 - An Extensible Orchestration and Protection Framework for Confidential Cloud Computing
Taught by
USENIX