Four core technologies are introduced to make running users' application workloads more efficient
Dec 12, 2022 | Occlum v1.0 implements more than 150 Linux-compatible system calls, allowing native Linux applications to migrate seamlessly into Enclaves without modification or recompilation. It supports most major programming languages, including C/C++, Java, Python, Golang, Rust, shell scripting, and more. The Occlum open-source repository also provides demos of many Linux applications running on Occlum, such as SQLite, TensorFlow, OpenVINO, PyTorch, Redis, MySQL, Spark, and Flink, as well as a reference implementation for deploying scalable secure inference instances based on Occlum on K8S.
The first characteristic is ease of use. Using Occlum is similar to using containers: users can deploy an application to a TEE with a few simple commands.
The second characteristic is efficiency. Occlum is a high-performance multitasking system that supports multiple processes. It uses a single-address-space architecture, so multiple processes share the same Enclave. As a result, process startup and interprocess communication inside the TEE are fast.
The third characteristic is practicality. Occlum supports a variety of file systems, such as encrypted file systems and in-memory file systems, which meet the various file I/O requirements of applications and transparently encrypt data stored on disk while applications are running.
The fourth characteristic is memory safety. Occlum is the industry's first LibOS written in the memory-safe language Rust, a programming language that strives for memory safety without additional performance costs. Writing Occlum in Rust prevents low-level memory safety errors, which improves the security of Occlum's overall kernel code and makes it more reliable when hosting safety-critical applications.



