Towards a Formally Verified Security Monitor for VM-based Confidential Computing

Confidential computing is a key technology for isolating high-assurance applications from the large amounts of untrusted code typical in modern systems. Existing confidential computing systems cannot be certified for use in critical applications, like systems controlling critical infrastructure, hardware security modules, or aircraft, because they lack formal verification. This paper presents an approach to formally modeling and proving a security monitor for confidential computing. It introduces a canonical architecture for virtual machine (VM)-based confidential computing systems. It abstracts processor-specific components and identifies a minimal set of hardware primitives required by a trusted security monitor to enforce security guarantees. This paper focuses on verifying the software assuming a correct hardware implementation. We demonstrate our methodology and proposed approach with an example from our open-source Rust implementation of the security monitor for RISC-V.