Accless is a serverless access control system for confidential serverless applications. Accless takes a serverless application specified by a workflow graph, and derives an access control policy. It then uses attribute-based encryption to encrypt the code and data for each function such that it can be decrypted if-and-only-if the function execution context, including its own roles and its upstream call-stack, pass the access control policy.
Accless is integrated on top of two existing confidential serverless runtimes:
- Faasm + SGX: we extend (and upstream) Faasm to support executing Faaslets inside SGX enclaves.
- Knative + SNP: we use a port of Knative that can deploy services inside confidential VMs (as pods in k8s) based on SC2.
To execute any code snippet in this repository, we will assume that you have activated your virtual environment:
source ./bin/workon.shInstall rust and rust-analyzer. Then rustup component add rust-analyzer.
TLess currently supports being deployed on top of two serverless runtimes, Faasm and Knative.
For instructions to deploy each one of them, see:
This repository implements four different workflows:
- FINRA - Based on the AWS FINRA case study.
- ML Training - Ported from Orion and RMMap.
- ML Inference - Ported from RMMap.
- Word Count - Ported from the MapReduce example in the FunctionBench paper.
| Workflow\Baseline | Faasm | SGX-Faasm | TLess-Faasm | Knative | CC-Knative | TLess-Knative |
|---|---|---|---|---|---|---|
| FINRA | ✅ | ✅ | ✅ | ✅< 7378 /td> | ✅ | ✅ |
| ML Training | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| ML Inference | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Word Count | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
We run the following experiments:
- End-to-end latency: measures the end-to-end execution latency for each workflow.