Accless is a serverless access control system for confidential serverless applications. Accless takes a serverless application specified by a workflow graph and derives an access control policy from it. It then uses attribute-based encryption to encrypt the code and data for each function such that they can be decrypted if and only if the function's execution context, including its own roles and its upstream call-stack, passes the access control policy.
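
The sketch below is an added example, not code from Accless. It shows one way a per-function policy can be derived from a workflow graph and checked against a function's upstream call-stack. The policy shape, the function names and the sample workflow are assumptions, and a plain boolean check stands in for the attribute-based decryption step.

```rust
use std::collections::{HashMap, HashSet};

/// Assumed policy shape: for each function, the set of functions allowed to
/// call it directly. An empty set marks a workflow entry point.
type Policy = HashMap<String, HashSet<String>>;

/// Derive the policy from workflow edges given as (caller, callee).
fn derive_policy(edges: &[(&str, &str)]) -> Policy {
    let mut policy = Policy::new();
    for (caller, callee) in edges {
        policy.entry(caller.to_string()).or_default();
        policy.entry(callee.to_string()).or_default().insert(caller.to_string());
    }
    policy
}

/// True iff `function`, reached through `call_stack` (outermost caller first),
/// followed a path that exists in the workflow and starts at an entry point.
/// In Accless this decision gates decryption; here it is a plaintext check.
fn context_passes(policy: &Policy, call_stack: &[&str], function: &str) -> bool {
    let chain: Vec<&str> = call_stack
        .iter()
        .copied()
        .chain(std::iter::once(function))
        .collect();
    // The chain must begin at an entry point (a known node with no callers).
    match policy.get(chain[0]) {
        Some(callers) if callers.is_empty() => {}
        _ => return false,
    }
    // Every hop in the chain must be an edge of the workflow graph.
    chain.windows(2).all(|hop| {
        policy.get(hop[1]).map_or(false, |callers| callers.contains(hop[0]))
    })
}

fn main() {
    // Constructed workflow: splitter -> mapper -> reducer
    let policy = derive_policy(&[("splitter", "mapper"), ("mapper", "reducer")]);
    // Full upstream chain: allowed.
    println!("{}", context_passes(&policy, &["splitter", "mapper"], "reducer"));
    // Chain that skips the mapper stage: denied.
    println!("{}", context_passes(&policy, &["splitter"], "reducer"));
}
```
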
Accless is integrated on top of two existing confidential serverless runtimes:
- Faasm + SGX: we extend (and upstream) Faasm to support executing Faaslets inside SGX enclaves.
- Knative + SNP: we use a port of Knative that can deploy services inside confidential VMs (as pods in k8s) based on SC2.

To execute any code snippet in this repository, we will assume that you have installed Rust and activated your virtual environment:

```bash
source ./scripts/workon.sh
```

Only then will you have access to `accli`, the Accless CLI tool:

```bash
# Print help message
accli --help
# All sub-commands accept the `help` command
accli azure --help
```

- Baselines - baselines where we integrate Accless.
- Experiments - reproduce the results in the Accless paper.
- Workflows - different workflow applications we run.