CORDIS - EU research results

Efficient, portabLe And Secure orchesTration for reliable servICes

Periodic Reporting for period 1 - ELASTIC (Efficient, portabLe And Secure orchesTration for reliable servICes)

Reporting period: 2024-03-01 to 2025-08-31

ELASTIC aims to enhance the efficiency and security of service orchestration within the highly distributed and heterogeneous context of cloud-fog-edge continuum technologies. ELASTIC focuses on combining impactful key technologies from modern cloud-native ecosystems to enhance service orchestration and security over 6G networks. The project objectives are:
1. Analyse the landscape of executable isolation techniques and enhance efficiency, portability, and security, focusing on host-neutral infrastructure for secure in-network cloud and edge computing across the full lifecycle.
2. Research and design secure serverless FaaS orchestration with architecture-agnostic in-network execution, enabling broader artifact/workload deployment with trusted interactions in time-sensitive and low-power scenarios.
3. Implement privacy-preserving execution environments using confidential computing and privacy-enhancing technologies, ensuring trustworthy services on host-neutral infrastructure involving multiple providers and stakeholders.
4. Design and implement efficient, portable, and secure orchestration of edge and IoT workloads with reliability and resilience for critical infrastructures like 6G, leveraging network–IT convergence.
5. Facilitate 6G standardisation, exploitation, and dissemination of the developed technologies, providing a clear EU-aligned strategy for secure, privacy-preserving service deployment.
WP1 advanced the ELASTIC architecture and analysed the state of the art in Wasm and eBPF sandboxing. Key results include improvements to Wasm compilers and security (side-channel analysis, access control shim, new migration protocol), new eBPF vulnerability and performance analysis tools, FPGA-based intrusion detection, and initial WASI interfaces for SPI bus and Wasm application measurement.
WP2 developed the Propeller orchestrator for seamless Cloud–Edge–IoT workload orchestration, and the wasm-operator for Kubernetes-based serverless orchestration. Contributions also include new W3C WASI standards (USB, I2C), the CoCoS confidential AI platform, and security studies on serverless repositories and confidential WebAssembly applications, with concrete recommendations.
WP3 investigated Wasm runtimes in Trusted Execution Environments, including the development of a hardware abstraction layer (HAL) to support portability across processors and clouds. Research also focused on Remote Attestation and Key Broker Services to ensure trustworthiness of WebAssembly applications in distributed multi-cloud environments, leveraging hardware-based cryptographic evidence from TPMs and TEEs.
WP4 deployed quantized AI models in Wasm environments and designed a WASI GPIO extension to interface with sensors and actuators. The eBPF framework was integrated with an AI-IDS on the Pynq-Z1, showing efficient AI-enhanced security on low-resource devices. An IoT gateway platform (“S0”) was developed around ESP32-C6 with Zephyr RTOS and WAMR, while additional studies covered federated learning, eBPF, TEEs, and attestation.
WP5 finalised the specifications and scenarios for the ELASTIC demonstrators, identified the required components, and established the initial testbeds for Demonstrators 1 and 2. Work has started on component integration and adaptation, ensuring the demonstrators can effectively showcase the project solutions.
WP6 delivered the ELASTIC communication plan, website, and social media channels, supported by promotional materials. The ecosystem was bootstrapped through collaboration with EU projects and innovation communities. Scientific dissemination included publications and presentations, while standardisation contributions were made to bodies such as W3C, ETSI, and 3GPP. An initial exploitation plan and business model were defined, leading to the identification of five candidate Key Exploitable Results.
WP7 established ELASTIC’s management and quality assurance framework, including the Project Handbook, Data Management Plan, KPI and Risk Registries. The Advisory Board was set up with four members, and initial feedback was received.
During RP1, ELASTIC has delivered a range of innovations that extend the state of the art in secure orchestration across the cloud–edge–IoT continuum. In WP1, advances were achieved in Wasm and eBPF security, including stack smashing protection for LLVM, an eBPF static analyser, and a novel traffic capture tool capable of intercepting encrypted service mesh traffic. A hardware-accelerated intrusion detection system was integrated with this capability, while a reliable migration protocol based on fair exchange was designed. In addition, wacky, a new tool for inserting shims over Wasm interfaces, was introduced.
In WP2, two open-source frameworks for WebAssembly orchestration were released: Propeller, which has already gathered 8 forks and 24 stars, and the wasm-operator, with 5 forks and 54 stars, showing strong early community uptake. ELASTIC partners also contributed new WASI proposals (USB, I2C) that were voted into effect by the W3C with strong support from the Bytecode Alliance and industrial stakeholders such as Siemens, Collins Aerospace, and Sony. Complementary research produced recommendations on serverless repository security and initial methods for fingerprinting confidential WebAssembly applications.
In WP3, a TEE hardware abstraction layer (HAL) was developed to provide platform-agnostic support for WebAssembly workloads. Multi-platform attestation and verification were implemented for Wasm components, complemented by cross-TEE attestation mechanisms that enable secure trust establishment for serverless applications deployed across heterogeneous cloud environments.
In WP4, ELASTIC introduced a new WASI proposal for GPIO, enabling secure communication between WebAssembly applications and sensors or actuators. eBPF was integrated with AI-IDS on the Pynq-Z1, demonstrating an AI-enhanced, hardware-accelerated intrusion detection system capable of achieving low latency and resource efficiency on constrained edge devices. Furthermore, the open-source IoT gateway platform “S0” was developed on ESP32-C6 with Zephyr RTOS and WAMR, combining Wi-Fi, BLE, and hardware-backed TEE support to provide a flexible platform for prototyping secure edge workloads.
Beyond the results of individual work packages, ELASTIC introduces a set of cross-cutting innovations that position the project beyond the state of the art. These include seamless access to TEE functionalities through a Wasm HAL, lightweight orchestration frameworks optimised for constrained edge devices, and new mechanisms for remote attestation, secure workload migration, and adaptive access control across heterogeneous environments. The project also advances low-latency serverless Wasm orchestration agents, a Wasm-based Federated Learning Toolbox for secure and traceable AI at the edge, early eBPF vulnerability detection methods, and microservices acceleration combining eBPF and RDMA.
ELASTIC Demonstrator 2 - Migration of IT Services from on-premise to public cloud
ELASTIC Conceptual Architecture
ELASTIC Demonstrator 1 - Smart Connected Factory of the future