Ensuring the security and confidentiality of cloud computing workloads is essential. To this end, major cloud providers offer computing instances based on trusted execution environments (TEEs) to support confidential computing in virtual machines. TEEs are hardware-based shielded environments building on technologies available today such as Intel TDX or AMD SEV-SNP, as well as ARM CCA in the future. To lower the barriers to experimenting with these technologies for researchers and practitioners, we developed CONFBENCH, a tool for easy evaluation of confidential virtual machines. CONFBENCH supports cloud-native workloads (function-as-a-service), as well as more generic and standard applications (e.g., DBMS, machine learning, stress tests). CONFBENCH facilitates the management of the full lifecycle of such workloads, from their deployment to the gathering of performance metrics, taking into account the specifics of TEE-enabled confidential virtual machines. We use CONFBENCH to measure the execution overheads of different VM-enabled TEEs (e.g., Intel TDX, AMD SEV-SNP) using various programming languages through an extensive evaluation leveraging real-world datasets. We demonstrate how our architecture allows validating hardware-based as well as simulation-based TEEs, by including preliminary results with ARM CCA. We highlight the intrinsic overheads of such confidential VMs by conducting stress tests against machine learning inference tasks, DBMS and native-OS operations benchmarking, as well as evaluating the costs of attestation operations, required in the context of confidential computing. We release CONFBENCH to the research community and provide instructions to reproduce our experiments.
Publication details
2025, The 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, Pages -
ConfBench: A Tool for Easy Evaluation of Confidential Virtual Machines (04b Conference paper in volume)
De Murtas Andrea, D'Elia DANIELE CONO, DI LUNA GIUSEPPE ANTONIO, Felber Pascal, Querzoni Leonardo, Schiavoni Valerio