pith. sign in

arxiv: 2606.10615 · v2 · pith:NNR26CQRnew · submitted 2026-06-09 · 💻 cs.CR

Two-Way Confidential VMs (2cVM): Collaborative Confidential Computing for Mutually Distrustful Parties

Jordi Thijsman , Merlijn Sebrechts , Stefan Lefever , Filip De Turck , Bruno Volckaert This is my paper

Pith reviewed 2026-06-27 12:38 UTC · model grok-4.3

classification 💻 cs.CR
keywords confidential computingtrusted execution environmentWebAssembly sandboxingmutual isolationcommitment manifestcollaborative computationvirtual machinesAMD SEV-SNP
0
0 comments X

The pith

Two-Way Confidential VMs combine hardware trusted execution with an intra-VM sandbox and a locked commitment manifest to enforce mutual isolation between distrustful co-resident workloads.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces 2cVM as a two-layer system that pairs a hardware trusted execution environment with fine-grained sandboxing inside the VM. This setup allows multiple parties to run joint workloads on shared infrastructure while each party keeps exclusive control over its own code and data. A commitment manifest defines the exact participants, code components, allowed data flows, and permitted outputs; the manifest is bound to the VM and folded into the attestation evidence so that the policy stays fixed and checkable by all sides. Measurements across benchmark classes indicate that the sandbox layer does not add overhead in a simple additive way with the hardware layer, keeping total cost practical for many access patterns. The result is a concrete architecture for collaborative computation that avoids both full cryptographic overhead and the single-trust assumption of ordinary confidential VMs.

Core claim

The paper claims that a two-layer architecture using AMD SEV-SNP hardware memory protection together with the WebAssembly Component Model for intra-workload isolation, governed by a Commitment Manifest that enumerates participants, component composition, permitted data channels, and authorized outputs, produces mutual isolation. The manifest is locked to the VM instance and incorporated into attestation evidence, rendering the policy immutable and independently verifiable for the lifetime of the VM. On commodity hardware the combined layers incur workload-dependent overhead that does not grow linearly, remaining small once code runs inside the WebAssembly sandbox.

What carries the argument

The Commitment Manifest, a document that enumerates participants, component composition, permitted data channels, and authorized outputs; it is locked to the VM and included in attestation evidence so that the isolation policy remains fixed and verifiable.

If this is right

  • All participants can independently verify the exact composition and data-flow rules of the computation via the attested manifest.
  • Data exchange between workloads is restricted to the channels explicitly listed in the manifest.
  • The marginal performance cost of enabling hardware memory protection becomes small once a workload already runs inside the WebAssembly sandbox.
  • Overhead is governed mainly by memory access pattern rather than by the simple presence of both isolation layers.
  • The architecture supplies a verifiable foundation for privacy-preserving multi-party workloads without requiring fully homomorphic encryption or secure multi-party computation.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same dual-layer pattern could be applied to other hardware TEEs such as Intel TDX or ARM CCA if equivalent sandbox primitives exist.
  • Independent third-party auditors could check the manifest against expected business rules before any party joins the computation.
  • If the manifest were made updatable under fresh attestation, the design could support dynamic participant addition or policy changes.
  • Workloads with sequential memory access would see the smallest relative cost and could serve as the first practical deployment targets.

Load-bearing premise

The WebAssembly Component Model sandbox, when running inside an AMD SEV-SNP protected VM, actually prevents one workload from accessing or interfering with another workload's memory or code without creating new bypasses.

What would settle it

A concrete test in which one WebAssembly component successfully reads or writes memory belonging to a second component while both execute inside the same SEV-SNP VM, or in which the commitment manifest is altered after launch without the attestation evidence becoming invalid.

Figures

Figures reproduced from arXiv: 2606.10615 by Bruno Volckaert, Filip De Turck, Jordi Thijsman, Merlijn Sebrechts, Stefan Lefever.

Figure 1
Figure 1. Figure 1: FIGURE 1 [PITH_FULL_IMAGE:figures/full_fig_p005_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: FIGURE 2 [PITH_FULL_IMAGE:figures/full_fig_p009_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: FIGURE 3 [PITH_FULL_IMAGE:figures/full_fig_p010_3.png] view at source ↗
Figure 5
Figure 5. Figure 5: FIGURE 5 [PITH_FULL_IMAGE:figures/full_fig_p011_5.png] view at source ↗
Figure 4
Figure 4. Figure 4: FIGURE 4 [PITH_FULL_IMAGE:figures/full_fig_p011_4.png] view at source ↗
Figure 7
Figure 7. Figure 7: FIGURE 7 [PITH_FULL_IMAGE:figures/full_fig_p012_7.png] view at source ↗
Figure 6
Figure 6. Figure 6: FIGURE 6 [PITH_FULL_IMAGE:figures/full_fig_p012_6.png] view at source ↗
Figure 8
Figure 8. Figure 8: FIGURE 8 [PITH_FULL_IMAGE:figures/full_fig_p012_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: FIGURE 9 [PITH_FULL_IMAGE:figures/full_fig_p014_9.png] view at source ↗
Figure 10
Figure 10. Figure 10: FIGURE 10 [PITH_FULL_IMAGE:figures/full_fig_p014_10.png] view at source ↗
Figure 11
Figure 11. Figure 11: shows the distribution of attestation latency as a function of queue position when ten concurrent threads re￾quest reports simultaneously. The results exhibit a clear linear increase across queue positions: the first request completes in approximately 4.4–4.7 ms, while the tenth completes around 44 ms, with each successive request adding roughly 4.4 ms of additional latency. This closely matches the intri… view at source ↗
read the original abstract

Collaborative computation across organizations is often constrained by the need to process sensitive data and proprietary code without exposing them to untrusted infrastructure or participants. Cryptographic approaches such as fully homomorphic encryption and secure multi-party computation provide strong confidentiality but remain impractical for general workloads due to their extreme computational cost. We present the Two-Way Confidential Virtual Machine (2cVM), a two-layer architecture that pairs a hardware trusted execution environment with an intra-workload isolation layer. Unlike regular Confidential Virtual Machines, 2cVM enforces mutual isolation between co-resident workloads, ensuring that participants retain control over their data and code. All computation in 2cVM is governed by a Commitment Manifest that enumerates participants, component composition, permitted data channels, and authorized outputs; the manifest is locked to the VM and incorporated into attestation evidence, making the policy immutable and independently verifiable throughout the VM's lifetime. A proof-of-concept realization combines AMD SEV-SNP for hardware protection with the WebAssembly Component Model for fine-grained sandboxing of participant code. Evaluation on commodity hardware across four benchmark classes shows that the two isolation layers do not accumulate linearly: once a workload executes inside the WebAssembly sandbox, the marginal cost of enabling hardware memory protection is small. Overhead is workload-dependent, governed primarily by memory access pattern, ranging from negligible for sequential workloads to approximately 2x for irregular, pointer-chasing access patterns. These results indicate that 2cVM provides a practical and verifiable foundation for privacy-preserving collaborative computation.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper presents the Two-Way Confidential Virtual Machine (2cVM), a two-layer architecture pairing AMD SEV-SNP hardware TEE with WebAssembly Component Model sandboxing. All computation is governed by a Commitment Manifest enumerating participants, components, channels, and outputs; the manifest is locked to the VM and bound into attestation evidence. A PoC implementation is evaluated on commodity hardware across four benchmark classes, reporting that the layers do not accumulate overhead linearly (marginal hardware cost is small once inside Wasm) with workload-dependent slowdowns ranging from negligible (sequential access) to ~2x (irregular pointer-chasing).

Significance. If the claimed mutual isolation and manifest immutability hold under the composition, 2cVM would provide a practical, attestable foundation for collaborative confidential computing that avoids the prohibitive costs of FHE or MPC while allowing participants to retain control over their code and data. The non-linear overhead result, if reproducible, is a useful engineering observation for TEE+Wasm stacks.

major comments (3)
  1. [architecture description (abstract + §3)] Abstract and architecture description: the central claim that the Wasm Component Model layer, when placed inside an SEV-SNP VM, enforces the Commitment Manifest's participant list, permitted channels, and output restrictions (preventing co-resident distrustful workloads from violating isolation) is stated without any analysis of capability restrictions, memory isolation boundaries, or potential bypass paths introduced by the composition. This is load-bearing for the 'two-way' guarantee.
  2. [PoC realization (abstract + §4)] Abstract and §4 (PoC realization): the mechanism by which the Commitment Manifest hash is injected into the SEV-SNP measurement and remains immutable for the VM lifetime is asserted but not specified (e.g., no description of measurement registration, runtime protection against manifest modification, or attestation evidence structure). Without this, independent verifiability cannot be assessed.
  3. [evaluation (abstract + §5)] Evaluation section: the reported benchmark results (overhead not accumulating linearly, workload-dependent 1-2x range) rest on an unevaluated PoC; the manuscript supplies no description of the evaluation methodology, data exclusion rules, statistical support, or adversarial test cases that would confirm manifest enforcement under attempted policy violations.
minor comments (2)
  1. [abstract] The abstract states 'once a workload executes inside the WebAssembly sandbox, the marginal cost of enabling hardware memory protection is small' but does not define the precise baseline configurations being compared (e.g., SEV-SNP alone vs. SEV-SNP+Wasm).
  2. [introduction] Terminology: 'two-way' is used to mean mutual isolation, but the paper should explicitly contrast this with one-way protection in standard CVMs in the introduction.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the thoughtful and detailed review. The comments highlight areas where additional technical depth will strengthen the manuscript. We address each major comment below and will incorporate revisions to provide the requested analysis, specifications, and methodological details.

read point-by-point responses

  1. Referee: [architecture description (abstract + §3)] Abstract and architecture description: the central claim that the Wasm Component Model layer, when placed inside an SEV-SNP VM, enforces the Commitment Manifest's participant list, permitted channels, and output restrictions (preventing co-resident distrustful workloads from violating isolation) is stated without any analysis of capability restrictions, memory isolation boundaries, or potential bypass paths introduced by the composition. This is load-bearing for the 'two-way' guarantee.

    Authors: We agree that the two-way isolation claim requires explicit supporting analysis. In the revised manuscript we will expand §3 with a new subsection that (1) enumerates the capability restrictions imposed by the WebAssembly Component Model on imported/exported functions and resources, (2) maps the memory isolation boundaries between the SEV-SNP hardware TEE and the Wasm sandbox (including linear memory and table protections), and (3) discusses potential composition bypass paths (e.g., manifest tampering via host calls, side-channel leakage across layers) together with the mitigations provided by the immutable manifest binding and SEV-SNP attestation. This addition will directly substantiate the mutual-isolation guarantee. revision: yes

  2. Referee: [PoC realization (abstract + §4)] Abstract and §4 (PoC realization): the mechanism by which the Commitment Manifest hash is injected into the SEV-SNP measurement and remains immutable for the VM lifetime is asserted but not specified (e.g., no description of measurement registration, runtime protection against manifest modification, or attestation evidence structure). Without this, independent verifiability cannot be assessed.

    Authors: The current §4 describes the high-level binding but lacks the low-level registration steps. We will revise this section to specify: (a) how the manifest hash is supplied to the SEV-SNP launch measurement via the guest policy and measurement registers, (b) the runtime protections (read-only mapping of the manifest page and cryptographic binding into the attestation report), and (c) the exact structure of the attestation evidence that includes the manifest hash. These details will enable independent verification and will be added in the next version. revision: yes

  3. Referee: [evaluation (abstract + §5)] Evaluation section: the reported benchmark results (overhead not accumulating linearly, workload-dependent 1-2x range) rest on an unevaluated PoC; the manuscript supplies no description of the evaluation methodology, data exclusion rules, statistical support, or adversarial test cases that would confirm manifest enforcement under attempted policy violations.

    Authors: We acknowledge that §5 would benefit from expanded methodological rigor. In revision we will add: (1) a complete description of the evaluation platform, benchmark harness, and data-collection procedure; (2) any data-exclusion rules and statistical support (e.g., number of runs, confidence intervals); and (3) a new set of adversarial test cases that attempt to violate manifest-enforced channels or outputs, together with the observed enforcement outcomes. These additions will improve reproducibility and directly address the request for validation of policy enforcement. revision: yes

Circularity Check

0 steps flagged

No circularity: concrete architecture + empirical measurements

full rationale

The paper presents a system architecture (two-layer 2cVM with SEV-SNP + Wasm Component Model, Commitment Manifest locked into attestation) and reports direct benchmark overheads on commodity hardware. No equations, fitted parameters, predictions derived from inputs, or self-citation chains appear in the derivation; the central claims rest on the described implementation and measured results rather than reducing to their own definitions or prior author work by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

This is an engineering systems paper proposing a new architecture; it introduces no mathematical free parameters, domain axioms, or invented physical entities.

pith-pipeline@v0.9.1-grok · 5818 in / 1200 out tokens · 25275 ms · 2026-06-27T12:38:03.327099+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

55 extracted references · 11 canonical work pages

  1. [1]

    AMD: AMD SEV-SNP: Strengthening VM Isolation with Integrity Protection and More. Tech. rep., AMD (Jan 2020), https://www.amd. com/content/dam/amd/en/documents/epyc-business-docs/white-papers/ SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more. pdf

    2020

  2. [2]

    AMDESE/AMDSEV contributers: AMDESE/AMDSEV at snp-latest, https://github.com/AMDESE/AMDSEV/tree/snp-latest

  3. [3]

    Ananth, P., Jain, A., Jin, Z., Malavolta, G.: Multi-key fully-homomorphic encryption in the plain model, https://eprint.iacr.org/2020/180, publication info: A major revision of an IACR publication in TCC 2020

    2020

  4. [4]

    Anati, I., Gueron, S., Johnson, S., Scarlata, V .: In- novative Technology for CPU Based Attestation and Sealing (2013), https://www.semanticscholar.org/paper/ Innovative-Technology-for-CPU-Based-Attestation-and-Anati-Gueron/ 708a3c03556b5bc20b5bd8e58ef2f47f6a9fc7d2

    2013

  5. [5]

    Bursell, A.M.: Closing Profian, https://aliceevebob.com/2023/02/10/ closing-profian/

    2023

  6. [6]

    Bytecode Alliance: Wasi-virt (2023), https://github.com/bytecodealliance/ W ASI-Virt, accessed 2026-03-09

    2023

  7. [7]

    Bytecode Alliance: wasm-tools (2023), https://github.com/ bytecodealliance/W ASI-Virt, accessed 2026-03-09

    2023

  8. [8]

    com/bytecodealliance/wac

    Bytecodealliance/Wac contributers: Bytecodealliance/wac, https://github. com/bytecodealliance/wac

  9. [9]

    Bytecodealliance/Wasmtime contributers: Bytecodealliance/wasmtime, https://github.com/bytecodealliance/wasmtime

  10. [10]

    In: Fehr, S

    Chongchitmate, W., Ostrovsky, R.: Circuit-private multi-key FHE. In: Fehr, S. (ed.) Public-Key Cryptography – PKC 2017. pp. 241–270. Springer (2017)

    2017

  11. [11]

    In: 47th IEEE Symposium on Security and Privacy (IEEE S&P ’26)

    Chuang, J., Seto, A., Berrios, N., van Schaik, S., Garman, C., Genkin, D.: Tee.fail: Breaking trusted execution environments via ddr5 memory bus interposition. In: 47th IEEE Symposium on Security and Privacy (IEEE S&P ’26). IEEE Computer Society (2026), https://tee.fail

    2026

  12. [12]

    In: 47th IEEE Symposium on Security and Privacy (S&P) (May 2026)

    De Meulemeester, J., Oswald, D., Verbauwhede, I., Van Bulck, J.: Bat- tering RAM: Low-cost interposer attacks on confidential computing via dynamic memory aliasing. In: 47th IEEE Symposium on Security and Privacy (S&P) (May 2026)

    2026

  13. [13]

    Enarx/Enarx contributers: Enarx/enarx, https://github.com/enarx/enarx

  14. [14]

    https://github.com/emilk/ram_bench

    Ernerfeldt, E.: ram_bench. https://github.com/emilk/ram_bench

  15. [16]

    IET Communications18(9), 535–556 (2024)

    Feng, D., Qin, Y ., Feng, W., Li, W., Shang, K., Ma, H.: Survey of research on confidential computing. IET Communications18(9), 535–556 (2024). , https://ietresearch.onlinelibrary.wiley.com/doi/abs/10.1049/cmu2.12759

    work page doi:10.1049/cmu2.12759 2024

  16. [17]

    Technical Position Paper v1.0, French Cybersecu- rity Agency (ANSSI) (Oct 2025), https://cyber.gouv.fr/sites/default/files/ document/anssi-technical-position-paper-coco-v1.0.pdf

    French Cybersecurity Agency (ANSSI): Technical position paper on con- fidential computing. Technical Position Paper v1.0, French Cybersecu- rity Agency (ANSSI) (Oct 2025), https://cyber.gouv.fr/sites/default/files/ document/anssi-technical-position-paper-coco-v1.0.pdf

    2025

  17. [18]

    Gentry, C.: A fully homomorphic encryption scheme

  18. [19]

    In: Proceedings of the 20th International Middleware Conference

    Goltzsche, D., Nieke, M., Knauth, T., Kapitza, R.: AccTEE: A WebAssembly-based Two-way Sandbox for Trusted Resource Account- ing. In: Proceedings of the 20th International Middleware Conference. pp. 123–135. ACM (2019). , https://dl.acm.org/doi/10.1145/3361525.3361541

    work page doi:10.1145/3361525.3361541 2019

  19. [20]

    Cybersecurity7(1), 5 (Mar 2024)

    Gong, Y ., Chang, X., Miši ´c, J., Miši´c, V .B., Wang, J., Zhu, H.: Practical solutions in fully homomorphic encryption: a survey analyzing existing acceleration methods. Cybersecurity7(1), 5 (Mar 2024). , https://doi.org/ 10.1186/s42400-023-00187-4

    work page doi:10.1186/s42400-023-00187-4 2024

  20. [21]

    Google: Native client, https://developer.chrome.com/docs/native-client/

  21. [22]

    Gu, G., Shacham, H.: Constant-time wasmtime, for real this time: End- to-end verified zero-overhead constant-time programming for the web and beyond (2023), https://arxiv.org/abs/2311.14246

    arXiv 2023

  22. [23]

    ACM Transactions on Computer Systems35(4), 1–32 (2017)

    Hunt, T., Zhu, Z., Xu, Y ., Peter, S., Witchel, E.: Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data. ACM Transactions on Computer Systems35(4), 1–32 (2017). , https://dl.acm.org/doi/10.1145/ 3231594

    2017

  23. [24]

    Intel Corporation: Intel® Trust Domain Extensions (Intel® TDX). Tech. rep., Intel Corporation (Feb 2023), https://cdrdv2.intel.com/v1/dl/ getContent/690419

    2023

  24. [25]

    , https://zenodo.org/doi/ 10.5281/zenodo.18984088

    Jordi Thijsman, X.D., Sebrechts, M.: Idlab-discover/2cVM-attestation- agent: 2cVM Attestation Agent - IEEE Access. , https://zenodo.org/doi/ 10.5281/zenodo.18984088

    work page doi:10.5281/zenodo.18984088

  25. [26]

    Data & Knowledge Engineering150, 102280 (Mar 2024)

    Jussen, I., Möller, F., Schweihoff, J., Gieß, A., Giussani, G., Otto, B.: Issues in inter-organizational data sharing: Findings from prac- tice and research challenges. Data & Knowledge Engineering150, 102280 (Mar 2024). , https://www.sciencedirect.com/science/article/pii/ S0169023X24000041

    2024

  26. [27]

    Journal of Grid Computing21(3), 34 (Jun 2023)

    Kjorveziroski, V ., Filiposka, S.: WebAssembly as an Enabler for Next Generation Serverless Computing. Journal of Grid Computing21(3), 34 (Jun 2023). , https://doi.org/10.1007/s10723-023-09669-8

    work page doi:10.1007/s10723-023-09669-8 2023

  27. [28]

    , http://arxiv.org/abs/1801.05863, arXiv:1801.05863 [cs]

    Knauth, T., Steiner, M., Chakrabarti, S., Lei, L., Xing, C., Vij, M.: Integrating Remote Attestation with Transport Layer Security (Jul 2019). , http://arxiv.org/abs/1801.05863, arXiv:1801.05863 [cs]

    Pith/arXiv arXiv 2019

  28. [29]

    , https://ieeexplore.ieee.org/document/ 9910347

    Marcolla, C., Sucasas, V ., Manzano, M., Bassoli, R., Fitzek, F.H.P., Aaraj, N.: Survey on fully homomorphic encryption, theory, and applica- tions110(10), 1572–1609 (2022). , https://ieeexplore.ieee.org/document/ 9910347

    2022

  29. [30]

    IEEE Computer Society Technical Committee on Computer Architecture (TCCA) Newsletter pp

    McCalpin, J.D.: Memory bandwidth and machine balance in current high performance computers. IEEE Computer Society Technical Committee on Computer Architecture (TCCA) Newsletter pp. 19–25 (Dec 1995)

    1995

  30. [31]

    Microsoft: Perform Protected Multiparty Data Collaboration on Azure, https://learn.microsoft.com/en-us/azure/confidential-computing/ confidential-clean-rooms

  31. [32]

    Misono, M., Stavrakakis, D., Santos, N., Bhatotia, P.: Confidential vms explained: An empirical analysis of amd sev-snp and intel tdx. Proc. ACM Meas. Anal. Comput. Syst.8(3) (Dec 2024). , https://doi.org/10.1145/ 3700418

    2024

  32. [33]

    MOZAIK-SBO/Winter-School-2025 contributers: MOZAIK-SBO/winter- school-2025, https://github.com/MOZAIK-SBO/winter-school-2025

    2025

  33. [34]

    In: Proceedings of the 2nd Workshop on Flexible Resource and Application Management on the Edge

    Ménétrey, J., Pasin, M., Felber, P., Schiavoni, V .: WebAssembly as a Common Layer for the Cloud-edge Continuum. In: Proceedings of the 2nd Workshop on Flexible Resource and Application Management on the Edge. pp. 3–8. FRAME ’22, Association for Computing Machinery, New York, NY , USA (Jun 2022). , https://dl.acm.org/doi/10.1145/3526059. 3533618

    work page doi:10.1145/3526059 2022

  34. [35]

    In: Proceedings of the 39th Annual Computer Security Applications Conference

    Narayanan, V ., Carvalho, C., Ruocco, A., Almasi, G., Bottomley, J., Ye, M., Feldman-Fitzthum, T., Buono, D., Franke, H., Burtsev, A.: Remote attestation of confidential VMs using ephemeral vTPMs. In: Proceedings of the 39th Annual Computer Security Applications Conference. pp. 732–

  35. [36]

    , https: //dl.acm.org/doi/10.1145/3627106.3627112

    ACSAC ’23, Association for Computing Machinery (2023). , https: //dl.acm.org/doi/10.1145/3627106.3627112

    work page doi:10.1145/3627106.3627112 2023

  36. [37]

    OpenFHE contributers: Openfheorg/openfhe-python, https://github.com/ openfheorg/openfhe-python

  37. [38]

    In: Proceedings of the 38th Annual Computer Security Applications Conference

    Pecholt, J., Wessel, S.: CoCoTPM: Trusted Platform Modules for Virtual Machines in Confidential Computing Environments. In: Proceedings of the 38th Annual Computer Security Applications Conference. pp. 989– VOLUME 0, 2025 19 Thijsmanet al.: 2cVM: Confidential Collaboration Among Distrustful Parties

    2025

  38. [39]

    , https: //dl.acm.org/doi/10.1145/3564625.3564648

    ACSAC ’22, Association for Computing Machinery (2022). , https: //dl.acm.org/doi/10.1145/3564625.3564648

    work page doi:10.1145/3564625.3564648 2022

  39. [40]

    Com- puter Science Review56, 100728 (2025)

    Perrone, G., Romano, S.P.: Webassembly and security: A review. Com- puter Science Review56, 100728 (2025). , https://www.sciencedirect.com/ science/article/pii/S157401372500005X

    2025

  40. [41]

    Peter, D.: hyperfine (Mar 2023), https://github.com/sharkdp/hyperfine

    2023

  41. [42]

    In: Proceedings of the 20th International Workshop on Data Management on New Hardware

    Qiu, L., Taft, R., Shraer, A., Kollios, G.: The Price of Privacy: A Per- formance Study of Confidential Virtual Machines for Database Systems. In: Proceedings of the 20th International Workshop on Data Management on New Hardware. pp. 1–8. DaMoN ’24, Association for Computing Machinery (2024). , https://dl.acm.org/doi/10.1145/3662010.3663440

    work page doi:10.1145/3662010.3663440 2024

  42. [43]

    In: 2024 IEEE Euro- pean Symposium on Security and Privacy Workshops (EuroS&PW)

    Scopelliti, G., Baumann, C., Mühlberg, J.T.: Understanding Trust Rela- tionships in Cloud-Based Confidential Computing. In: 2024 IEEE Euro- pean Symposium on Security and Privacy Workshops (EuroS&PW). pp. 169–176 (2024). , https://ieeexplore.ieee.org/abstract/document/10628910

    arXiv 2024

  43. [44]

    Sidorov, V ., Wei, E.Y .F., Ng, W.K.: Comprehensive performance anal- ysis of homomorphic cryptosystems for practical data processing. vol. abs/2202.02960 (2022), https://arxiv.org/abs/2202.02960

    arXiv 2022

  44. [45]

    , https://zenodo.org/doi/10.5281/zenodo.19063760

    Thijsman, J.: Idlab-discover/2cVM-benchmarks: 2cVM-bechmarks - IEEE Access. , https://zenodo.org/doi/10.5281/zenodo.19063760

    work page doi:10.5281/zenodo.19063760

  45. [46]

    In: 2021 IEEE Secure Development Conference (SecDev)

    Tsoupidi, R.M., Balliu, M., Baudry, B.: Vivienne: Relational verification of cryptographic implementations in webassembly. In: 2021 IEEE Secure Development Conference (SecDev). pp. 94–102 (2021)

    2021

  46. [47]

    Ultraviolet/Cocos contributers: Ultravioletrs/cocos, https://github.com/ ultravioletrs/cocos

  47. [48]

    In: 2021 IEEE Symposium on Security and Privacy (SP)

    Viand, A., Jattke, P., Hithnawi, A.: SoK: Fully homomorphic encryption compilers. In: 2021 IEEE Symposium on Security and Privacy (SP). pp. 1092–1108 (2021). , https://ieeexplore.ieee.org/document/9519484, ISSN: 2375-1207

    arXiv 2021

  48. [49]

    Virtuee/Snpguest contributers: Virtee/snpguest, https://github.com/virtee/ snpguest

  49. [50]

    In: Proceedings 2025 Network and Distributed System Security Symposium

    Wang, W., Ji, H., He, P., Zhang, Y ., Wu, Y ., Zhang, Y .: W A VEN: WebAssembly Memory Virtualization for Enclaves. In: Proceedings 2025 Network and Distributed System Security Symposium. Internet Society (2025). , https://www.ndss-symposium.org/wp-content/uploads/ 2025-746-paper.pdf

    2025

  50. [51]

    https://github.com/wasmCloud/wasmcloud.com/ blob/1a842e69c5cdf38995607d19f1689efc6a08ae51/docs/wash/ developer-guide/language-support/index.mdx (2025), accessed: 2026-03- 25

    wasmCloud Contributors: Language support — wasmCloud developer documentation. https://github.com/wasmCloud/wasmcloud.com/ blob/1a842e69c5cdf38995607d19f1689efc6a08ae51/docs/wash/ developer-guide/language-support/index.mdx (2025), accessed: 2026-03- 25

    2025

  51. [52]

    WebAssembly/Component-Model contributers: WebAssembly/component-model, https://github.com/WebAssembly/ component-model

  52. [53]

    com/WebAssembly/W ASI

    WebAssembly/W ASI contributers: WebAssembly/W ASI, https://github. com/WebAssembly/W ASI

  53. [54]

    In: 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

    Wilke, L., Scopelliti, G.: SNPGuard: Remote Attestation of SEV-SNP VMs Using Open Source Tools. In: 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). pp. 193–198 (Jul 2024). , https://ieeexplore.ieee.org/document/10628964/, iSSN: 2768-0657

    arXiv 2024

  54. [55]

    In: 2023 31st International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS)

    Yan, M., Gopalan, K.: Performance Overheads of Confidential Virtual Ma- chines. In: 2023 31st International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS). pp. 1–8 (2023). , https://ieeexplore.ieee.org/abstract/document/10387607

    arXiv 2023

  55. [56]

    ACM Comput

    Zhang, J., Cheng, X., Yang, L., Hu, J., Liu, X., Chen, K.: SoK: Fully ho- momorphic encryption accelerators. ACM Comput. Surv.56(12), 316:1– 316:32 (2024). , https://doi.org/10.1145/3676955 ING. JORDI THIJSMANreceived their B.S. and M.S. in Information Engineering Technology from Ghent University in 2023. After his M.S., he joined the IDLab research group...

    work page doi:10.1145/3676955 2024