In this post, we look at yet another tool in Google’s massive open source trove: Asylo.
The word Asylo translates to shelter, asylum, or sanctuary in Greek. Security is exactly what Asylo is concerned with.
What Exactly is Asylo?
Asylo is an open and flexible framework and Software Development Kit (SDK) for building portable applications that run in a Trusted Execution Environment (TEE) or “enclave” provided by software or hardware. Asylo provides containers, an API, libraries and other essential tools that make it easy for developers to build confidential computing applications. Before we continue, we must look at what the terms confidential computing and Trusted Execution Environment mean.
Confidential computing, in simple terms, refers to special efforts to protect data both at rest and while in use. Such protection is made possible by a Trusted Execution Environment. A TEE is an isolated, secure part of a main processor, separate from the main operating system. It is more secure than the user-facing OS and uses both hardware and software to protect data.
TEEs ensure data is secure from attackers with administrative privileges or even access to physical hardware on which data lives. Hence, TEEs mitigate the risk of data theft when an unauthorized entity exploits bugs in the underlying operating system. Applications that run in Trusted Execution Environments still have access to a device’s processor and memory.
Technologies that support TEE implementations include AMD’s Platform Security Processor (PSP), Intel’s Software Guard Extensions (SGX), ARM’s TrustZone, and Sequitur Labs’ CoreTEE. You have probably interacted with a TEE in some way, as TEEs are present in many payment services. Samsung devices that support Samsung Pay use TEEs to secure transactions.
The Asylo Architecture
[Figure: Asylo architecture diagram. Image source: https://asylo.dev/about/overview.html]
Asylo provides several unique benefits while allowing developers to run trusted applications in untrusted environments without the associated risk. These benefits include ease of use, portability (backends can be switched easily), and broader access to confidential computing for everyone, since the Asylo project is kept open source.
TEEs typically have associated hardware dependencies, which become a major barrier to TEE adoption. Hardware dependencies add special knowledge requirements as well. With Asylo, however, the rigmarole of working with TEE hardware is removed, so developers can concentrate on only the important security aspects of their applications. The goal is to make it easy to run apps anywhere, from your laptop to the cloud. Support for backends based on hardware technologies such as Intel Software Guard Extensions and AMD’s Secure Encrypted Virtualization is currently being explored.
The Asylo website provides all that is necessary to start creating enclave apps, including guides, framework concepts, and the C++ API reference. The guides provide fully working examples that highlight Asylo features. Concepts cover Asylo components and design. Visit the GitHub releases page for the latest build.
With data breaches on the increase, it is imperative to use state-of-the-art security measures to protect data. Traditional security measures are not enough. For this reason, some enterprises haven’t moved to the cloud, even though it may bring numerous benefits. But where traditional security measures end is where Asylo begins. Asylo provides enhanced security and eliminates some of the obstacles keeping enterprises from moving to the cloud.