1 views collected around this technical thread.
The 2025 NDSS conference in San Diego featured five Ant Group papers covering secure forensics for compromised TrustZone, privacy‑preserving inference for large Transformers, LLM‑driven shell command explanation, a scalable randomness beacon protocol, and enclave construction within confidential virtual machines.
On October 22, the open‑source Asterinas system software stack, featuring the Rust‑based Asterinas OS and confidential computing components, was announced by leading Chinese research labs and enterprises to provide a high‑performance, memory‑safe operating system and trusted execution environment for cloud, AI, and data‑centric workloads.
The Asterinas open‑source confidential computing stack, released by leading Chinese research institutions and Ant Group, combines HyperEnclave, Occlum, and TrustFlow to provide a secure, nationally‑trusted TEE foundation for cloud, AI, and data‑intensive workloads, addressing the shortcomings of existing commercial TEEs and enabling trustworthy data flow across diverse industries.
The second Confidential Computing Forum at CNCC2024, held on October 26 in Hangzhou, gathers leading experts to discuss TEE‑based secure computing, present cutting‑edge research on confidentiality, side‑channel attacks, collaborative trust, and cryptographic applications, and outlines future directions for data security in the digital economy.
The IEEE 2952-2023 standard, jointly released by Ant Group and multiple partners, defines a comprehensive technical framework for secure computing using Trusted Execution Environments, covering isolation, confidentiality, compatibility, performance, availability, and security, and outlines reference implementations, cluster management, and remote attestation mechanisms.
Occlum v1.0, the open‑source trusted execution environment operating system released by Ant Group, delivers up to five‑fold performance improvements, supports over 150 Linux syscalls, introduces async I/O, dynamic memory management, and a Spark‑BigDL big‑data analysis solution, while outlining future GPU and TDX extensions.
This article explains how privacy computing technologies such as federated learning, multi‑party computation, and trusted execution environments, combined with blockchain, address data sharing challenges in the digital economy by protecting privacy, ensuring compliance, and enabling secure, trusted collaboration across enterprises and government agencies.
The article interviews Ant Group’s Trusted Native team, detailing their cloud‑native infrastructure roadmap—including middleware mesh, SOFAStack, secure container runtimes like Kata and MOSN, confidential‑computing platforms such as Occlum, HyperEnclave and KubeTEE—while highlighting open‑source strategy, security considerations, and productization efforts.
This article reviews the Ice Lake‑based next‑generation Intel SGX, compares its security and performance improvements over previous generations, presents detailed benchmark results on memory access, dynamic memory management and enclave switching, and describes software optimizations implemented in the Occlum runtime to mitigate remaining overheads.
The article explains how confidential computing, built on trusted execution environments like Intel SGX, addresses data‑in‑use security, outlines the technical hurdles developers face, and showcases Ant Group's open‑source SOFAEnclave components—Occlum, HyperEnclave, and KubeTEE—highlighting Rust’s pivotal contribution.
This article introduces the SOFAEnclave confidential computing solution, detailing its three components—Occlum, HyperEnclave, and KubeTEE—explaining how they address practical challenges of enclave development, integration with cloud‑native environments, and secure large‑scale Kubernetes deployments.
The article examines how open‑source projects can achieve robust security through organized vulnerability management teams, active collaboration with security researchers, and community‑driven initiatives, using Kata Containers and the broader cloud‑native ecosystem as illustrative examples.
KubeTEE is an open‑source cloud‑native framework that integrates Trusted Execution Environment (TEE) technology with Kubernetes to provide a complete solution for developing, deploying, and operating large‑scale confidential computing applications, simplifying the entire lifecycle from code signing to runtime management.
This article introduces confidential computing with Intel SGX, explains why SGX development is difficult, and demonstrates how Ant Group's open‑source TEE OS Occlum dramatically lowers the barrier by using three simple commands to build, package, and run a Hello World program inside an enclave.
The article chronicles Tian Hongliang’s evolution from a Rust‑loving coder who excelled in Ant Group’s internal coding competition to a leading researcher in confidential computing, detailing his work on Intel SGX, the open‑source Occlum project, and the team’s recruitment drive for security engineers.
Ant Group announced that two of its research papers—one on the Occlum secure enclave LibOS and another on the Catalyzer serverless cold‑start optimizer—were selected for presentation at the prestigious ASPLOS'20 conference, highlighting the company's contributions to confidential computing and serverless performance.
In a 2019 OS2ATC talk, Ant Financial’s system department head explained how the company tackles massive data pressure, ultra‑high availability, secure containers, confidential computing, and open‑source initiatives such as OceanBase, Occlum, SOFAMesh, and Kata Containers to drive financial‑grade system software innovation.
The article outlines Ant Group's end‑to‑end cloud‑native security architecture for the financial sector, detailing the SOFAMesh service‑mesh solution, Kata Containers secure‑container technology, and the SOFAEnclave confidential‑computing platform, together with performance results and open‑source links.
The article explains how Ant Financial leverages confidential computing technologies such as Intel SGX, the Occlum LibOS, and the KubeTEE cloud‑native cluster to build the SOFAEnclave middleware, addressing security, usability, and scalability challenges for financial‑grade data protection and multi‑party AI workloads.