Trusted And Confidential Program Analysis
Han Liu, Pedro Antonino, Zhiqiang Yang, Chao Liu, A.W. Roscoe

TL;DR
This paper introduces Trusted and Confidential Program Analysis (TCPA), a protocol enabling secure program certification without revealing source code, utilizing trusted computing and trusted execution environments.
Contribution
The paper presents a novel TCPA protocol and its implementation in TCWasm, allowing secure, efficient program analysis and certification without source code disclosure.
Findings
TCPA enables trust in program certification without source code exposure
TCWasm achieves efficient analysis with minimal overheads
Evaluation on 33 benchmarks demonstrates practical viability
Abstract
We develop the concept of Trusted and Confidential Program Analysis (TCPA) which enables program certification to be used where previously there was insufficient trust. Imagine a scenario where a producer may not be trusted to certify its own software (perhaps by a foreign regulator), and the producer is unwilling to release its sources and detailed design to any external body. We present a protocol that can, using trusted computing based on encrypted sources, create certification via which all can trust the delivered object code without revealing the unencrypted sources to any party. Furthermore, we describe a realization of TCPA with trusted execution environments (TEE) that enables general and efficient computation. We have implemented the TCPA protocol in a system called TCWasm for web assembly architectures. In our evaluation with 33 benchmark cases, TCWasm managed to finish the…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Distributed systems and fault tolerance
