Cloud workloads combine software components from different parties to process sensitive data. Each component has its own trust model - it must protect its assets from the rest of the system, yet share sensitive data with components it cannot trust to keep it confidential. This tension requires composing isolation boundaries for confidentiality and encapsulation. Unfortunately, the cloud offers no direct way to compose such boundaries, forcing tenants to assemble, deploy, and maintain their own solutions. This paper shifts that burden back to the infrastructure by making composable, attestable isolation a first-class systems abstraction. We present Tyche, a security monitor that centers isolation around a unified composable abstraction: security domains (SDs). An SD is an execution environment whose access to machine resources - memory, cores, devices - is controlled through explicit capabilities. A small set of capability operations enables SDs to partition, share, and reclaim resources; by nesting recursively, SDs compose attestable trust boundaries for confidentiality and encapsulation. Tyche attests these compositions, providing end-to-end security guarantees for workloads made of mutually distrustful components. As a first-class cloud primitive, this single abstraction subsumes enclaves, sandboxes, CVMs, and their compositions. Tyche provides composable isolation without sacrificing compatibility with existing hardware and software stacks. It runs on commodity x86-64 hardware without security extensions, and a RISC-V prototype demonstrates portability across platforms. Our SDK composes isolation for unmodified workloads within SDs with minimal overhead. In a confidential LLM inference scenario with mutually distrustful users, model owners, and cloud providers, the slowdown is just 2% compared to bare-metal Linux.
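The abstract names three capability operations (partition, share, reclaim), recursive nesting of SDs, and attestation of the resulting composition. The following is an added toy model written to make those ideas concrete; it is not Tyche's code, API or design. Every name in it (`Monitor`, `Domain`, `Cap`, `partition`, `create_child`, `share`, `reclaim`, `access`, `attest`) and every semantic choice (a capability is either moved exclusively to a child or lent as a reduced-rights alias; reclaim revokes aliases, wipes memory and returns it to the parent; attestation hashes the capability tree recursively) is an assumption made for illustration. The scenario mirrors the abstract's inference setting with a provider, a model owner and a user who distrust one another, and it goes slightly beyond the text by showing why stale aliases must be revoked and memory wiped before a reclaimed region is reused.

```python
# Added toy model of capability-controlled security domains (SDs); not Tyche's code or API.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cap:  # rights over physical range [start, end); an alias (exclusive=False) names its lender
    start: int
    end: int
    rights: frozenset
    exclusive: bool
    lender: str = None


class Domain:  # one SD: a node in the nesting tree with its capability table
    def __init__(self, name):
        self.name, self.caps, self.children = name, [], []


class Monitor:  # the only code that creates, moves, lends, revokes or exercises capabilities
    def __init__(self, mem_size):
        self.mem = bytearray(mem_size)
        self.root = Domain("root")
        self.root.caps.append(Cap(0, mem_size, frozenset("rwx"), True))

    def partition(self, sd, cap, split_at):  # split a held capability into two adjacent ones
        sd.caps.remove(cap)  # ValueError if sd does not hold it
        parts = (Cap(cap.start, split_at, cap.rights, cap.exclusive, cap.lender),
                 Cap(split_at, cap.end, cap.rights, cap.exclusive, cap.lender))
        sd.caps.extend(parts)
        return parts

    def create_child(self, parent, name, caps):
        """Nest a new SD and move exclusive capabilities in; the parent loses access to them."""
        child = Domain(name)
        for cap in caps:
            if not cap.exclusive:
                raise PermissionError("only exclusive capabilities can be moved")
            parent.caps.remove(cap)
            child.caps.append(cap)
        parent.children.append(child)
        return child

    def share(self, owner, target, cap, rights):  # lend an alias; rights may shrink, never grow
        if cap not in owner.caps or not frozenset(rights) <= cap.rights:
            raise PermissionError("capability not held, or share would amplify rights")
        target.caps.append(Cap(cap.start, cap.end, frozenset(rights), False, owner.name))

    def reclaim(self, parent, child):
        """Tear down child's subtree: revoke aliases it lent, wipe and return its exclusive memory."""
        for grandchild in list(child.children):
            self.reclaim(child, grandchild)
        stack = [self.root]
        while stack:  # stale aliases must go before the parent can reuse the memory
            d = stack.pop()
            d.caps = [c for c in d.caps if c.exclusive or c.lender != child.name]
            stack.extend(d.children)
        for cap in child.caps:
            if cap.exclusive:
                self.mem[cap.start:cap.end] = bytes(cap.end - cap.start)
                parent.caps.append(cap)
        child.caps = []
        parent.children.remove(child)

    def can_access(self, sd, addr, n, right):
        return any(c.start <= addr and addr + n <= c.end and right in c.rights for c in sd.caps)

    def access(self, sd, addr, n, right):  # memory view, granted only through a covering capability
        if not self.can_access(sd, addr, n, right):
            raise PermissionError(f"{sd.name}: no '{right}' capability for [{addr}, {addr + n})")
        return memoryview(self.mem)[addr:addr + n]

    def attest(self, sd):  # measurement of an SD's resources and, recursively, its nested children
        h = hashlib.sha256()
        for c in sorted(sd.caps, key=lambda c: (c.start, c.end, c.exclusive)):
            h.update(f"{c.start}:{c.end}:{''.join(sorted(c.rights))}:{c.lender};".encode())
        for child in sd.children:
            h.update(self.attest(child).encode())
        return h.hexdigest()


def scenario():  # constructed layout: provider (root) hosts a model-owner SD and a user SD
    m = Monitor(4096)
    weights, rest = m.partition(m.root, m.root.caps[0], 1024)
    prompt, outbuf = m.partition(m.root, rest, 2048)
    model = m.create_child(m.root, "model-owner", [weights, outbuf])
    user = m.create_child(m.root, "user", [prompt])
    m.access(model, 0, 7, "w")[:] = b"WEIGHTS"
    m.share(model, user, outbuf, "r")  # user may read results, never the weights
    m.access(model, 2048, 6, "w")[:] = b"answer"
    r = {"provider_sees_weights": m.can_access(m.root, 0, 7, "r"),
         "user_reads_output": bytes(m.access(user, 2048, 6, "r")),
         "measurement_before": m.attest(m.root)}
    m.reclaim(m.root, model)
    r["weights_after_reclaim"] = bytes(m.access(m.root, 0, 7, "r"))
    r["user_reads_output_after"] = m.can_access(user, 2048, 6, "r")
    r["measurement_after"] = m.attest(m.root)
    return r
```

Running `scenario()` shows the three properties the abstract asks of a composition: the provider that created the model-owner SD cannot read the weights it moved into it (confidentiality from the parent), the user sees only the read-only output alias it was lent (encapsulation), and the measurement changes when the tree changes, so a remote party can tell which composition it is talking to. After `reclaim`, the region returns to the provider zeroed and the user's alias is gone, which is the check a reviewer would want before any reuse of that memory.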