GuaranTEE: Introducing Control-Flow Attestation for Trusted Execution Environments


2023 IEEE 16th International Conference on Cloud Computing (CLOUD)

Authors: Mathias Morbitzer, Benedikt Kopf, and Philipp Zieris
Year/month: 2023/
Booktitle: 2023 IEEE 16th International Conference on Cloud Computing (CLOUD)
Pages: 547-553

Abstract

Many cloud providers offer Trusted Execution Environments (TEEs) to protect critical data and processes from high privileged adversaries. Unfortunately, TEEs can only be attested at launch. To also enable attestation during run-time, we present GuaranTEE. GuaranTEE uses control-flow attestation to ensure the integrity of a service running within a TEE. To protect the attesting code from a potentially compromised service, we place it in a separate TEE. Additionally, the TEEs guard both the service and the attestation from malicious cloud providers. To reduce the overhead resulting from the use of two TEEs, we securely cache collected information and perform the attestation in parallel to executing the service. The detailed performance evaluation of our prototype based on Intel SGX in Microsoft Azure demonstrates that GuaranTEE provides a practical solution for cloud users focused on protecting the integrity of their data and processes at run-time.

Bibtex:

@inproceedings {
author = { Mathias Morbitzer and Benedikt Kopf and Philipp Zieris},
title = { GuaranTEE: Introducing Control-Flow Attestation for Trusted Execution Environments },
year = { 2023 },
booktitle = { 2023 IEEE 16th International Conference on Cloud Computing (CLOUD) },
pages = { 547-553 },
url = { https://doi.ieeecomputersociety.org/10.1109/CLOUD60044.2023.00073 },

}