c3infer

Compartmentalized, Confidential, and Certified AI Inference

c3infer explores how to build practical confidential systems in which confidentiality relies not only on minimizing TCB size, but also on restricting and attesting the communication structure between components.

The project studies secure multi-component pipelines for TEEs and confidential VMs, including mechanisms for protected inter-CVM memory sharing, policy-controlled communication channels, and deployable implementations on Arm CCA software stacks.


Publications

Confidential, Attestable, and Efficient Inter-CVM Communication with Arm CCA (CAEC). Sina Abdollahi, Amir Al Sadi, Marios Kogias, David Kotz, Hamed Haddadi. arXiv: 2512.01594v2.

Sharing is caring: Attestable and Trusted Workflows out of Distrustful Components (Mica). Amir Al Sadi, Sina Abdollahi, Adrien Ghosn, Hamed Haddadi, Marios Kogias. arXiv: 2603.03403v1.

Why I Stopped Caring About the TCB. Adrien Ghosn, Marios Kogias. SysTEX 2025 vision paper.


Code Artifacts

c3infer builds on Arm CCA. It requires minimal changes to the RMM. It also requires changes to QEMU and the Linux kernel to add support. All code artifacts are available on GitHub. Start from the c3Infer repository to explore all the available artifacts.


Team