image image
Josh Eads & Cfir Cohen at Hardwear USA 2023

Josh Eads & Cfir Cohen

Securing the Unseen: Vulnerability Research in Confidential Computing

Talk Title:

Securing the Unseen: Vulnerability Research in Confidential Computing


There is an increasing demand for moving sensitive workloads into the cloud; however, the confidentiality and integrity of these workloads in the presence of a malicious or compromised hosting provider can’t be strongly guaranteed with existing commodity hardware. To address this issue, CPU vendors have started to introduce hardware and firmware additions that provide VM-scale hardware-attested and isolated trusted execution environments – generally termed Confidential Compute.

Before introducing Confidential Compute solutions to Google Cloud, we conducted in-depth security reviews driven by a unique collaboration between the Google Cloud Security & Project Zero teams and each vendors’ architecture & security teams. We recently published the results of our research into AMD SEV-SNP and Intel TDX: these provide the community with a better understanding of the security guarantees (and limitations) for each technology and provide a jumping off point for future security research.

In this presentation, we will discuss how Google’s security teams approached these large-scale security reviews of new hardware features, some of the interesting vulnerabilities that were discovered, and areas where additional research is needed. We’ll discuss bugs in crypto, IOMMUs, ACMs, and plain old C++ – there’s a little bit of everything here!

Speaker Bio:

Josh Eads is a staff security engineer within Google Cloud where he leads a team focused on finding and eliminating VM escape vectors. He has helped lead several large-scale security reviews in this capacity, including auditing Intel TDX and the joint Google/Intel developed IPU hardware. Prior to Google, Josh was part of the team at Sony responsible for securing the hardware and firmware for PlayStation and got his start in systems security working in the public sector. Outside of work, Josh enjoys spending time around the SF bay area with his wife and two Silken Windhounds and building up his woodworking skills.

Cfir Cohen is a senior staff software engineer working on Google Cloud Security for 7+ years. Cfir and his team bring {trusted, confidential} computing technologies to cloud customers. Previously, Cfir did vulnerabilityresearch on Google’s virtualization stack, and led research on Confidential Computing security. Cfir is based in Seattle, WA with a family of two plus a one hundred pound German Shepherd.