Moritz Waser
Moritz Waser is a PhD student in the Secure Systems (SESYS) group at ISEC, Graz University of Technology.
His research interests include memory safety, confidential computing, capability systems and hardware security.
Sessions
Confidential VMs enable cloud service providers to operate a secure and trustworthy multi-tenant cloud infrastructure.
While confidential VMs ensure comprehensive protection for cloud workloads, such heavy-weight isolation is often omitted for serverless applications that co-locate thousands of cloud workers within the same process to optimize FaaS overheads through efficient context switches.
In this work, we present CAGE-V, a novel confidential computing architecture that supports lightweight enclave-based isolation for individual cloud workers running inside confidential VMs.
Guest enclaves support fast context switches within the confidential VM, as TLB entries are tagged with Domain Identifiers, eliminating overheads that stem from TLB flushes.
We present a CAGE-V prototype, consisting of a hardware extension for the CORE-V CVA6 processor and a small security monitor, and evaluate our design in terms of system performance, demonstrating a minor performance impact.
The semiconductor industry increasingly requires engineers skilled in both hardware design and software execution. This contribution presents a RISC-V-centric educational pipeline developed at our institute, bridging foundational bachelor's coursework and specialized master's programs. We outline three core courses that integrate practical hardware design, custom ISA extensions, and full-stack security. First, a computer organization course teaches students hardware design in SystemVerilog with the goal of modifying and extending a full RISC-V CPU. Second, a hardware security course tasks students with both the implementation of security-related hardware primitives for open-source RISC-V cores, and the development of software to interact with the extended hardware. Finally, a secure system architectures course addresses memory safety through full system prototyping, requiring students to modify the RISC-V Spike simulator and write custom LLVM compiler passes. This hands-on approach provides the ecosystem with engineers equipped to tackle modern microarchitectural and security challenges.