Awesome Trusted Execution Environment | IEEE Conference Publication | IEEE Xplore

Abstract:

While protection of data at-rest and data in-transit can be achieved using standard technologies, the protection of data in-use is still, to a large extent, an open issue. Multiple techniques enable the protection of data processing in untrusted environments, but the one which is gaining the largest consensus is unarguably Trusted Execution Environments. In this tutorial, we focus on a specific TEE technology offering, namely Intel SGX. We discuss key features of Intel SGX – including: secure enclaves, remote attestation, and sealed storage – and present different methods and tools that can be used to make data computation secure, at an acceptable cost in terms of performance penalty.
Date of Conference: 27-30 June 2023
Date Added to IEEE Xplore: 10 August 2023
Conference Location: Porto, Portugal

I. Introduction

The protection of sensitive data while it is transmitted and stored can be achieved by means of well-established techniques. Conversely, these techniques, which are invariably based on traditional cryptography, fail to protect data in use, since the data must be deciphered before it is processed. This creates a vulnerability window during which attackers who gain access to system memory also gain access to the data in plaintext. Different techniques are available to protect data in use, for example: i) homomorphic encryption; ii) secure multi-party computation (MPC); iii) differential privacy. The adoption of such innovative cryptographic schemes is limited to a minor fraction of application domains in real-world settings, due to factors such as performance penalty, reduced scalability, and high complexity. A totally different approach is offered by Confidential Computing. According to the Confidential Computing Consortium, data in use is protected by performing computations in a hardware-based Trusted Execution Environment (TEE). That is, protection is achieved by preventing access to the data (as opposed to transforming or dispersing it). TEEs create secure areas of a computing device where sensitive data is isolated from the rest of the device's software and hardware. This makes unauthorized access to sensitive data virtually impossible, even if the rest of the device is compromised. Unlike cryptography-based approaches, the performance penalty of TEE technology is acceptable for a large fraction of practical cases, and it makes it possible to secure the processing of data types that cannot be processed while encrypted, such as video and audio streams. TEEs are commonly used in applications such as mobile payments, digital rights management, and secure communication. Moreover, with the rapid growth of cloud computing, TEEs offer a perfect solution for creating a secure and trustworthy environment for the storage and processing of sensitive data on remote servers.
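The abstract lists sealed storage among the Intel SGX features the tutorial covers: data an enclave writes outside its isolated memory is encrypted under a key that only an enclave with the same identity can re-derive, so it stays protected even when the rest of the host is compromised. The following is an added illustration written for this page, not code from the tutorial authors or from the SGX SDK. It models the two SGX sealing policies, MRENCLAVE (key bound to the exact enclave measurement) and MRSIGNER (key bound to the enclave author's signing identity), with a constructed root secret and a toy HMAC-based cipher; the measurements, signer identities, and key derivation are all assumptions that stand in for what the hardware does in EGETKEY.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the per-CPU root secret from which SGX derives
# sealing keys in hardware; on a real system it never leaves the processor.
ROOT_SECRET = hashlib.sha256(b"constructed-root-secret-for-demo").digest()

# The two SGX sealing policies: bind the key to the exact enclave measurement
# (MRENCLAVE) or to the identity of the enclave's signing key (MRSIGNER).
POLICY_MRENCLAVE = "MRENCLAVE"
POLICY_MRSIGNER = "MRSIGNER"


def derive_seal_key(policy: str, mrenclave: bytes, mrsigner: bytes) -> bytes:
    """Derive a 32-byte sealing key bound to the chosen identity (a model of EGETKEY, not its real derivation)."""
    if policy not in (POLICY_MRENCLAVE, POLICY_MRSIGNER):
        raise ValueError("unknown sealing policy")
    identity = mrenclave if policy == POLICY_MRENCLAVE else mrsigner
    return hmac.new(ROOT_SECRET, b"seal|" + policy.encode() + b"|" + identity, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a toy stream cipher: enough to show key binding,
    # not a replacement for the AES-GCM the real SDK sealing API uses.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(data: bytes, policy: str, mrenclave: bytes, mrsigner: bytes) -> bytes:
    """Encrypt and authenticate data under the sealing key of the given enclave identity."""
    key = derive_seal_key(policy, mrenclave, mrsigner)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(blob: bytes, policy: str, mrenclave: bytes, mrsigner: bytes):
    """Return the plaintext, or None when this enclave identity derives a different key or the blob was altered."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    key = derive_seal_key(policy, mrenclave, mrsigner)
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time check of the tag
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def demo() -> dict:
    """Seal a secret under both policies and check which enclave identities can recover it."""
    # Constructed measurements and signer identities: v1 and v2 are two builds
    # of the same vendor's enclave, vendor B is an unrelated author.
    mr_v1 = hashlib.sha256(b"enclave-v1-code").digest()
    mr_v2 = hashlib.sha256(b"enclave-v2-code").digest()
    signer_a = hashlib.sha256(b"vendor-a-signing-key").digest()
    signer_b = hashlib.sha256(b"vendor-b-signing-key").digest()
    secret = b"constructed secret kept out of plaintext host memory"

    by_enclave = seal(secret, POLICY_MRENCLAVE, mr_v1, signer_a)
    by_signer = seal(secret, POLICY_MRSIGNER, mr_v1, signer_a)
    tampered = by_enclave[:-1] + bytes([by_enclave[-1] ^ 0x01])
    return {
        "mrenclave_same_enclave": unseal(by_enclave, POLICY_MRENCLAVE, mr_v1, signer_a) == secret,
        "mrenclave_updated_enclave": unseal(by_enclave, POLICY_MRENCLAVE, mr_v2, signer_a) == secret,
        "mrsigner_updated_enclave": unseal(by_signer, POLICY_MRSIGNER, mr_v2, signer_a) == secret,
        "mrsigner_other_vendor": unseal(by_signer, POLICY_MRSIGNER, mr_v2, signer_b) == secret,
        "tampered_blob": unseal(tampered, POLICY_MRENCLAVE, mr_v1, signer_a) == secret,
    }


if __name__ == "__main__":
    for case, recovered in demo().items():
        print(f"{case}: {'unsealed' if recovered else 'refused'}")
```

The result illustrates the trade-off the two policies encode: MRENCLAVE sealing refuses even an updated build of the same enclave, which is the safer default but complicates upgrades, while MRSIGNER sealing lets a new build from the same author unseal old data yet still rejects an enclave signed by anyone else. Any modification of the sealed blob fails the tag check before decryption is attempted.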
