CAFE: A Virtualization-Based Approach to Protecting Sensitive Cloud Application Logic Confidentiality
IEEE Transactions on Dependable and Secure Computing (IF 7.0), Pub Date: 2020-07-01, DOI: 10.1109/tdsc.2018.2817545
Sungjin Park, Chung Hwan Kim, Junghwan Rhee, Jong-Jin Won, Taisook Han, Dongyan Xu

Cloud application marketplaces of modern cloud infrastructures offer a new software deployment model, integrated with the cloud environment in its configuration and policies. However, similar to traditional software distribution which has been suffering from software piracy and reverse engineering, cloud marketplaces face the same challenges that can deter the success of the evolving ecosystem of cloud software. We present a novel system named CAFE for cloud infrastructures where sensitive software logic can be executed with high secrecy protected from any piracy or reverse engineering attempts in a virtual machine even when its operating system kernel is compromised. The key mechanism is the end-to-end framework for the execution of applications, which consists of the secure encryption and distribution of confidential application binary files, and the runtime techniques to load, decrypt, and protect the program logic by isolating them from tenant virtual machines based on hypervisor-level techniques. We evaluate applications in several software categories which are commonly offered in cloud marketplaces showing that strong confidential execution can be provided with only marginal changes (around 100-220 lines of code) and minimal performance overhead. The results demonstrate the effectiveness and practicality of CAFE in cloud marketplaces.

Updated: 2020-07-01