Confidential Serverless Computing

Although serverless computing offers compelling cost and deployment simplicity advantages, a significant challenge remains in securely managing sensitive data as it flows through the network of ephemeral function executions in serverless computing environments within untrusted clouds. While Confidential Virtual Machines (CVMs) offer a promising secure execution environment, their integration with serverless architectures currently faces fundamental limitations in key areas: security, performance, and resource efficiency. We present Hacher, a confidential computing system for secure serverless deployments to overcome these limitations. By employing nested confidential execution and a decoupled guest OS within CVMs, Hacher runs each function in a minimal "trustlet", significantly improving security through a reduced Trusted Computing Base (TCB). Furthermore, by leveraging a data-centric I/O architecture built upon a lightweight LibOS, Hacher optimizes network communication to address performance and resource efficiency challenges. Our evaluation shows that compared to CVM-based deployments, Hacher has 4.3x smaller TCB, improves end-to-end latency (15-93%), achieves higher function density (up to 907x), and reduces inter-function communication (up to 27x) and function chaining latency (16.7-30.2x); thus, Hacher offers a practical system for confidential serverless computing.

@article{sabanic2025_2504.21518,
  title={ Confidential Serverless Computing },
  author={ Patrick Sabanic and Masanori Misono and Teofil Bodea and Julian Pritzi and Michael Hackl and Dimitrios Stavrakakis and Pramod Bhatotia },
  journal={arXiv preprint arXiv:2504.21518},
  year={ 2025 }
}