Poster Sessions
Tuesday, June 23 – Wednesday, June 24
Time: During breakfast and lunch each day
Location: Column Ballroom
Explore innovative projects and connect with presenters at the Poster Sessions during breakfast and lunch each day of the event. These sessions offer a great opportunity for one-on-one conversations with presenters and deeper discussion on featured projects and topics.
Use Case
Privacy for Proprietary Code in Confidential Compute Systems

Abdulla Alwabel
Software Engineer
Google
Proving privacy when business logic uses proprietary code is a core challenge in confidential computing. How can users trust a “black box” enclave without auditing its contents?
We present a novel solution: decoupling privacy policy enforcement from business logic. This open-source framework is a practical variation of Information Flow Control (IFC). Instead of slow instruction-level tainting, it tracks data via coarse “Data Scopes.” It cryptographically guarantees sensitive information only egresses per verifiable policies, avoiding traditional IFC “label creep” and overhead.
This separation ensures privacy rules are fully auditable while intellectual property remains hidden.
We demonstrate an open-source implementation where developers write flexible “policy as code” in standard languages. We show how this enables secure multi-party collaboration—like privacy-preserving ad auctions or federated learning—and safely terminating E2EE communication.
This design provides a reusable framework for IFC policy evaluation, fostering an ecosystem where proprietary innovation and verifiable privacy coexist.
How to Test a Confidential Agent Before Production

Sachin Gupta
Member Of Technical Staff – 2
eBay
Most efforts to secure AI agents focus on infrastructure: encrypted memory, execution environments, attestation. But even inside a confidential runtime the agent can behave unsafely, selecting wrong tools, fabricating parameters, accessing data outside its scope, or following tool sequences that violate policy. These are application-layer trust failures that need application-layer testing.
This session presents a three-layer evaluation framework built in Java with LangChain4j. Layer one is policy compliance: mock the LLM and verify the agent selects only approved tools with valid parameters. Layer two is judge-based answer safety: a second model scores whether responses are grounded in results and free of filtered data. Layer three is trajectory validation: assert the exact tool sequence, because in regulated environments the path matters as much as the destination.
We build all three live in a JUnit suite, define golden datasets encoding expected sequences and forbidden tools, and wire it into CI that fails the build when behavior drifts outside policy. Attendees leave with a JUnit template for agent trust evaluation and a CI pattern making agent safety a build-time gate.
Phala Cloud: TEE-Native Cloud & Private Inference Platform

Hang Yin
Cofounder & CTO
Phala Cloud
Phala Cloud is one of the first TEE‑native cloud providers: every workload runs in hardware‑isolated environments backed by Intel TDX confidential VMs and NVIDIA CC GPUs. It’s currently the largest private LLM provider on OpenRouter, serving ~3B tokens per day entirely through TEEs.
This session explains how we turn TEE into a usable Confidential AI platform, and focuses on reusable patterns for trustworthy AI services.
I’ll walk through how we schedule arbitrary containers into CVMs, attach TEE GPUs, measure images, and wire attestation and key management so tenants can see and trust the full stack their AI agents run on. Then I’ll drill into our private LLM inference as a concrete use case: API and attestation flows between clients, Phala Cloud and OpenRouter, plus the trade‑offs we hit around cost, performance, and developer experience.
From Enclaves to Intents: Making Confidential Computing Usable

Cameron Dennis
Director of AI
NEAR
As confidential computing matures, Trusted Execution Environments (TEEs) are becoming a foundational layer for protecting data in use. However, the harder question is how to make them practical at scale. This session examines how TEE infrastructure can be applied to real-world problems in cross-chain finance and autonomous AI execution.
Confidential Intents combine intent-based transaction architecture with hardware-backed TEEs to close a critical infrastructure gap and ensure that users and enterprises can move value across blockchains without exposing sensitive trade data to solvers, validators, or cloud providers. Users define an outcome; cryptographically isolated enclaves handle routing and execution without exposing transaction data to any party, including the infrastructure provider itself. This session covers what it looks like when privacy is enforced at the protocol level rather than retrofitted afterwards, why this architecture is becoming increasingly relevant as autonomous agents begin transacting on behalf of users and institutions, and how confidential computing can be made usable.
Innovation
Multi-Party Confidential RAG: Provable Safety Controls

Ryota Hashimoto
Senior Manager
Software Innovation Center, NTT
Enterprise Confidential AI deployments involve multiple independent parties—data owners, model operators, and users whose inputs must remain protected from one another. Connecting these assets across organizational boundaries without any party observing another’s data, models, or application logic is the core design challenge.
We present an architecture in which each party’s assets run in isolated TEEs—coordinating CPU and GPU TEEs for model inference—with cryptographic trust established between them before any data exchange. Safety controls—prompt filters and output guardrails—are not merely deployed but made verifiable: any relying party can confirm after the fact that the right controls were enforced, not just present.
We share where current tooling falls short: no native facility exists for including application-layer code in CC attestation evidence. Cross-TEE trust establishment between independently operated TEEs owned by different parties also lacks production-ready tooling, creating practical barriers to deployment.
Mutual Trust in the Cloud: Protecting Model IP and Customer Data with Confidential Containers

Ivan Font
Principal Software Engineer
Red Hat
The “memory-in-use” problem creates a stalemate in AI adoption: private model providers must protect their intellectual property (IP), while customers must protect their sensitive data. Standard encryption secures data at rest, but once an AI model is loaded for inference, weights and prompts are exposed in cleartext within system memory.
This session introduces a strategic blueprint for Confidential AI that solves this deadlock using Confidential Containers (CoCo) and Trusted Execution Environments (TEEs). We explore how hardware-based isolation creates a “mutual trust” environment where private models remain encrypted even during execution. By ensuring that decryption keys are only released to verified enclaves, we protect the provider’s IP from host-level exposure and the customer’s data from unauthorized snooping.
We will also showcase how the integration of CoCo with KServe simplifies this complex security stack. This “CoCo-native” approach allows developers to deploy trusted inference services without deep expertise in attestation, accelerating the path to secure, production-ready AI in the open hybrid cloud.
From Firmware to AI Agents: Achieve Full-Chain Trust with dstack

Hang Yin
Cofounder & CTO
Phala Cloud
Today’s confidential computing stacks often stop trust at the CVM boundary. For AI workloads and agents, that’s not enough: you really want to know exactly which firmware, OS, container, and model you’re talking to, end to end.
In this talk I’ll introduce the “full chain of trust” principle behind dstack, an open source framework for confidential computing. We’ll walk through how dstack measures and attests everything from platform firmware, TDX guest OS images, and GPU TEEs to user workloads, and how those measurements are exposed to applications and policy engines.
I’ll then show how we use this to run agent sandboxes inside Intel TDX and NVIDIA GPU TEEs: isolating untrusted code, binding model access to attested identities, and enforcing data-handling policies. While examples use dstack, the focus is on reusable patterns and open techniques that others can adopt with their own tooling.
Audit, Enforce, Repeat! Seamless Confidentiality with CoCo and Kyverno

Jim Bugwadia
Co-founder and CEO
Nirmata

Chris Butler
Chief Architect
Red Hat
Confidential Containers (CoCo) are rapidly becoming required infrastructure for mission-critical systems, such as core banking applications. However, deploying this technology currently remains complex and often requires direct support from the maintainers.
Based on production deployments, this talk will examine the operational and technical challenges end users face when deploying confidential containers in both cloud and bare-metal environments.
We will then detail an ArgoCD-based reference pattern built to accelerate confidential container adoption. This pattern uses Kyverno in three ways:
- Posture enforcement: Ensuring confidential containers are used where mandated.
- Auditing: Providing platform owners visibility into confidential container configuration.
- Abstraction: Removing the need for developers to manage the specific changes required for confidential containers.
We will conclude by discussing the security tradeoffs of using validated patterns and Kyverno versus ‘out of band’ policy configuration.
Beyond Identity: Attestation as the New TLS Trust Model

Jens Albers
CTO
Fr0ntierX
Your cloud provider pinky-swears it’s secure. We have math.
Standard TLS trusts certificate authorities to vouch for domain ownership. In confidential computing, and especially in agentic AI, that’s not enough. What you actually need to know is: “Is this code running inside genuine TEE hardware, and does this TLS key exist only inside that enclave?”
This talk introduces an open-source RA-TLS implementation that replaces CA-based trust with hardware attestation. The approach uses a post-handshake model with eat_nonce binding: the TLS public key hash is embedded inside a hardware-signed attestation token, making relay attacks cryptographically impossible.
It works across AMD SEV-SNP (including SVSM with non-exportable vTPM keys at VMPL0), Intel TDX, and NVIDIA GPU confidential computing, with composite attestation binding CPU and GPU roots of trust to a single TLS session.
I’ll also cover why this matters for AI: as agents call other agents, mutual RA-TLS lets both sides prove TEE residency before exchanging data, turning attestation into the trust fabric for A2A communication. Code is open source. No vendor pitches, just protocol design and live architecture.
Research
HaitiAidShield: Scaling Humanitarian Transparency with Confidential Computing

Vladimir Vilne
Lead Architect / Cybersecurity Researcher
Trusted Haitian Cyber
As decentralized aid protocols gain traction, the “Transparency Paradox” emerges: how do we provide public proof of aid delivery without exposing the sensitive personal data of vulnerable recipients? This session introduces HaitiAidShield, an architectural framework that utilizes Confidential Computing to bridge this gap.
We will explore the deployment of Trusted Execution Environments (TEEs) to process encrypted recipient metadata and multi-signature verification off-chain, ensuring that while the audit trail is public and immutable on the blockchain, the individual’s identity remains protected in use. Attendees will learn about the challenges of integrating TEEs with decentralized governance models and how AI-augmented auditing can detect anomalies in aid distribution within a secure enclave. The talk concludes with a roadmap for building resilient, privacy-preserving infrastructure for civic oversight in high-risk environments.
Structural Privacy for Cross-Boundary AI Training for Compliant LLMs

Hina Dixit
CEO & Founder
Decompute
Confidential AI is not only about protecting data at rest or in use. In many real deployments, organizations also need guarantees that model parameters, activations, and optimizer state never cross administrative or jurisdictional boundaries. This talk presents Echelon, a systems framework for cross-boundary LLM training built around a structural-privacy invariant: only securely aggregated statistics may leave a boundary. Using results from our implementation, I will share how this approach achieves competitive utility while improving robustness and time-to-target under realistic distributed conditions. The goal of the talk is to give attendees a concrete systems blueprint for training AI across immutable privacy boundaries while preserving auditability and operational performance.
Achieving Hardware Root of Trust in the Real World

Yawang Wang
Software Engineer
Google
Can you fully remove the cloud service provider from its Trusted Computing Base (TCB) in a cloud-based Trusted Execution Environment (TEE)? It starts with providing a comprehensive, verifiable measurement chain that spans from firmware up to the userspace. Using Intel TDX technology as an example, in addition to measuring the Trust Domain (TD) build process and runtime, you can utilize a reserved runtime measurement register (RTMR) to measure the entire userspace.
Then comes attestation verification that can leverage Intel TDX Reference Integrity Measurements (RIMs) to conduct comprehensive checks to ensure the authenticity and integrity of the TDX attestation evidence.
Is this sufficient though? What about questions of the attestation verifier service ownership? What about ownership of a key management system, etc.? In this talk we will discuss what can and cannot be achieved in today’s cloud based environments and the path forward, including support for confidential GPUs.
Proof, Not Promises: Securing AI Inference

Hugo Huang
Public Cloud Alliance Director
Canonical
My Harvard Business Review research, “Conventional Cybersecurity Won’t Protect Your AI,” argues that today’s security models—built for predictable software and application-layer defenses—are ill-equipped for the dynamic, multi-party nature of AI infrastructure.
The AI inference pipeline creates a fundamentally new threat surface: sensitive inputs and proprietary model weights must be decrypted to be useful, yet they traverse infrastructure operated by parties that none of the stakeholders fully trust. Perimeter controls, DLP tools, and legal agreements don’t change this structural exposure.
This session (including demo) argues that confidential AI inference—specifically attested execution—provides the first architecture capable of closing this gap. We’ll connect recent enterprise AI security failures to a production-ready, verifiable privacy stack, with real deployment examples (Inference Snap on Ubuntu Confidential VMs).
Privacy-preserving Medical AI Evaluation

Mic Bowman
Working group at MLCommons
MLCommons
Medical AI has tremendous potential to advance healthcare by supporting the evidence-based practice of medicine, personalizing patient treatment, and reducing costs. However, to unlock this potential we need an effective way of evaluating the efficacy of medical AI models on large-scale heterogeneous data, while preserving the privacy of patient data and protecting the IP of models, to ensure that they will be effective on a diverse patient population when deployed in real-world clinical settings.
In this session we will present technical and clinical efforts in the confidential-compute decentralized AI space that aim to deliver medical AI evaluation at scale while protecting sensitive patient data and proprietary medical AI models. Consortia such as the Federated Tumor Segmentation (FeTS) consortium (https://fets-ai.github.io/Front-End/) are living proof of impactful medical AI development and evaluation use cases (e.g. https://fets-ai.github.io/FL-PoST/). The talk will dive into privacy-preserving challenges and opportunities in this space.
Standardization of Attested TLS Protocols for Confidential Computing

Muhammad Usama Sardar
TU Dresden and GA4GH
We have defended our position (cf. [expat BoF][1]) to standardize the attested TLS protocol in the [IETF][2], and a new Working Group named [Secure Evidence and Attestation Transport (SEAT)][3] has been formed to exclusively tackle this specific problem. We would like to present the work (candidate [draft][4] for standardization) and gather feedback from the community on the desired security goals, so that feedback can be accommodated in the standardization.
Technical Background:
Transport Layer Security (TLS) is a widely used protocol for secure channel establishment. However, it lacks an inherent mechanism for validating the security state of the workload and its platform. To address this, remote attestation can be integrated into TLS, which is called the attested TLS protocol.
In this talk, we present an overview of the three approaches for this integration, namely pre-handshake attestation, intra-handshake attestation, and post-handshake attestation.
Trusted Execution, Broken Assumptions: Real-World Failures in TEE Attestation Systems

Rahul Saxena
Founder & Security Researcher
Bluethroat Labs
Confidential computing systems promise strong security guarantees through remote attestation, but real-world implementations frequently fail in subtle and dangerous ways.
This talk presents a field-driven analysis of multiple vulnerabilities discovered across production TEE infrastructure, including attestation bypasses, verification failures, and trust boundary violations. Drawing from real audit findings across systems such as Phala dStack and Oasis ROFL, we show how systems that appear cryptographically sound can still be fundamentally insecure.
Key failure modes include missing or incorrect verification of attestation collateral, trust decisions based on unvalidated inputs, replay windows caused by missing freshness checks, inverted TCB validation logic, and absence of cryptographic guarantees for critical resources such as GPUs.
Rather than focusing on individual bugs, this talk extracts systemic patterns that explain why confidential computing systems fail in practice.