Confidential Computing Zoo (CCZoo) is a collection of code-ready reference solutions, which can be used as a copy-paste developer guide, demonstrating how to apply modern security technologies to real-life cloud business scenarios, in order to facilitate the developers to build their own end-to-end Confidential Computing solutions more easily. Some of the solutions are also validated on the public cloud services, such as Alibaba Cloud, Tencent Cloud, AWS, Azure, etc. Please see Cloud Deployment.
The concerned modern security technologies are (but not limited to): TEE (Trusted Execution Environment, such as Intel® SGX and TDX), HE (Homomorphic Encryption) and its hardware accelerations, Remote Attestation, LibOS, cryptographic and its hardware accelerations. The concerned business scenarios are (but not limited to): cloud native AI inference, vertical and horizontal federated learning, big data analytics, key management, RPC (Remote Process Call, such as gRPC), etc.
CCZoo maintains a live table, as below, to indicate the correlations between business usages (rows) and security technologies (columns). Each hyperlink will direct you to the document section that explains the corresponding details and then guides you to the source codes. Enjoy!
Solution List (Solution to Component Correlation)
| Solution | Security Components |
Validated
|
Status |
||||||||||
|
TEE |
LibOS |
Remote Attestation |
KMS |
HE |
Crypto |
TLS |
|||||||
| SGX | TDX | Gramine | Occlum | *RATS-TLS | *RA-TLS gRPC | Vault | eHSM-KMS | ||||||
| Multi-Party Compute / Federated Learning | |||||||||||||
| Horizontal Federated Learning
(TensorFlow) |
Yes | - | Yes | - | - | Yes
(2-way) |
- | - | - | Yes | Yes
(RA-gRPC) |
Published | |
| Vertical Federated
Learning (TensorFlow) |
Yes | - | Yes | - | - | Yes
(2-way) |
- | - | - | Yes | Yes
(RA-gRPC) |
Alibaba Cloud,
|
Waiting For Publish |
| Private Set
Intersection |
Yes | - | Yes | - | - | - | - | - | - | - | - | - | In Progress |
| Secure Logistic
Regression Training Base on TEE & HE |
Yes | - | Yes | - | - | - | - | - | Yes | Yes | Yes | Alibaba Cloud,
Tencent Cloud |
Waiting For Publish |
| Secure AI Inference & Training | |||||||||||||
| TensorFlow Serving
Cluster PPML (TensorFlow, K8S) |
Yes | - | Yes | Yes | - | - | - | - | - | Yes | Yes | Published | |
| Leveled HE Logical Regression Inference | - | - | - | - | - | - | - | - | Yes | - | - | - | In Progress |
| Secure BigDL
Recommend System |
- | Yes | - | - | - | - | - | - | - | - | - | - | Not Start |
| Native Application Hosting | |||||||||||||
| Cross Language
framework Based on Gramine |
Yes | - | Yes | - | - | - | - | - | - | - | - | - | In Progress |
| Attestation Server & Key Management Service | |||||||||||||
| Attestation Server | Yes | Yes | - | - | Yes | Yes | - | Yes | - | Yes | Yes | - | In Progress |
| eHSM-KMS | Yes | - | - | - | - | - | - | Yes | - | Yes | Yes | - | Published |
| Optimization on Secure Libs | |||||||||||||
| Private Set
intersection Optimization on Xeon |
- | - | - | - | - | - | - | - | Yes | Yes | - | - | Not Start |
| Secure Database | |||||||||||||
| Secure Database
Querying Based on HE |
- | - | - | - | - | - | - | - | Yes | Yes | - | - | Not Start |
Incubating Component Projects
Besides reference solutions, CCZoo is also incubating new projects of key security components that are commonly used by multiple CCZoo reference solutions. Once any of them is proven useful enough and stable enough via a thorough validation with CCZoo reference solutions running on various public cloud services, it will graduate from CCZoo and evolve to a standalone project.
| Incubating Component Project '*' | Description | Status | Validated in Public Cloud |
| RATS-TLS | This project provides a proof-of-concept implementation on how to integrate Intel SGX and TDX remote attestation into the TLS connection setup. Conceptually, it extends the standard X.509 certificate with SGX and TDX related information. It also provides two non-SGX clients (Wolfssl and OpenSSL) to show how seamless remote attestation works with different TLS libraries. | Published | Alibaba Cloud |
| RA-TLS Enhanced gRPC | This project provides an enhanced gRPC (Remote Procedure Call) framework to guarantee security during transmission and runtime via two-way RA-TLS (Intel SGX Remote Attestation with Transport Layer Security) based on TEE (Trusted Execution Environment). | Published | Alibaba Cloud,
Tencent Cloud |
Cloud Deployment
Solutions and incubating component projects in CCZoo are constantly extended to be validated in public clouds to verify the versatility, stability, robustness. We will provide detialed configurations of each public clouds for reference, and notes of the diversity in each cloud for easy delopyment.
Below table shows solutions and component projects validated in public clouds. And it will be updated continuously.
| Public Cloud | Alibaba Cloud | Tencent Cloud | |
| Instance | Type | g7t | M6ce.4XLARGE128 |
| Kernel | 4.19.91-24 | 5.4.119-19-0009.1 | |
| OS | Alibaba Cloud Linux 2.1903 | TencentOS Server 3.1 | |
| Memory | 64G(32G EPC memory) | 64G(32G EPC Memory) | |
| vCPU | 16 | 16 | |
| PCCS Server | sgx-dcap-server.cn-hangzhou.aliyuncs.com | sgx-dcap-server-tc.sh.tencent.cn | |
| Validated Solution |
|
|
|
Confidential Computing Zoo Documentation
The official confidential computing zoo documentation can be found at https://cczoo.readthedocs.io.
Community Involvement
- Please submit issues in this project if there is any question or request.
- Welcome PRs for contributions.
Welcome to join the Wechat group or Slack channel for CCZoo tech discussion.
You can check CCZoo previous PDT meeting munites here.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent