GuaranTEE: Introducing Control-Flow Attestation for Trusted Execution Environments

TL;DR

GuaranTEE introduces control-flow attestation for TEEs, enabling run-time integrity verification and protection against malicious administrators in cloud environments, demonstrated with Intel SGX in Azure.

Contribution

The paper presents GuaranTEE, a novel control-flow attestation framework that enhances TEE security at run-time and protects against administrator attacks.

Findings

GuaranTEE effectively detects compromised TEEs.

Overhead is manageable with caching and parallel analysis.

Practical for cloud environments like Azure.

Abstract

The majority of cloud providers offers users the possibility to deploy Trusted Execution Environments (TEEs) to protect their data and processes from high privileged adversaries. This offer is intended to address concerns of users when moving critical tasks into the cloud. However, TEEs only allow to attest the integrity of the environment at launch-time. To also enable the attestation of a TEE's integrity at run-time, we present GuaranTEE. GuaranTEE uses control-flow attestation to ensure the integrity of a service running within a TEE. By additionally placing all components of GuaranTEE in TEEs, we are able to not only detect a compromised target, but are also able to protect ourselves from malicious administrators. We show the practicability of GuaranTEE by providing a detailed performance and security evaluation of our prototype based on Intel SGX in Microsoft Azure. Our evaluation shows that the need to transfer information between TEEs and the additional verification process add considerable overhead under high CPU load. Yet, we are able to reduce this overhead by securely caching collected information and by performing the analysis in parallel to executing the application. In summary, our results show that GuaranTEE provides a practical solution for cloud users focused on protecting the integrity of their data and processes at run-time.