WasmStone: Enabling Transparent Execution of Standalone WebAssembly Applications in Keystone

English-language entry. Category: Conference with proceedings
Authors: Quentin Michaud, Lukas Hertel, Louis Cailliot, Dhouha Ayed, Olivier Levillain and Joaquin Garcia-Alfaro
Date: August 2026

Confidential computing is experiencing rapid adoption as organizations increasingly seek to protect sensitive data during processing in cloud and edge environments. As this paradigm matures, there is a growing need for transparent, portable, and auditable solutions. However, existing solutions are often tied to proprietary technologies and architectures, limiting transparency, portability, and security. In this paper, we present a novel secure abstraction layer that combines WebAssembly (Wasm) with the open source RISC-V Trusted Execution Environment (TEE) framework Keystone. Our approach embeds a Wasm runtime inside a Keystone enclave and introduces a multiplexed edge call mechanism to transparently bridge the WebAssembly System Interface (WASI) with the untrusted host operating system, while respecting Keystone's architectural constraints. This design enables unmodified Wasm applications to execute securely inside enclaves without requiring developers to write TEE-specific code. We detail the runtime adaptations required to support the latest version of WASI, discuss design trade-offs, and analyze the security implications of host-mediated system calls. We evaluate our prototype using a representative Rust-based web application on both QEMU and a VisionFive 2 RISC-V board. Experimental results show an average overhead of approximately 10% compared to non-enclave execution. Our work illustrates that combining Wasm with an open RISC-V TEE provides a transparent, lightweight, and sovereign alternative to proprietary confidential computing solutions. Our complete solution and all code presented in this paper are reproducible and available as open source.

Published in Proceedings of the 21st International Conference on Availability, Reliability and Security (pages 1 to 1)

Presented at the ARES conference in Linköping, Sweden, in August 2026
