TL;DR
This paper introduces attestable builds, a method that uses trusted execution environments (TEEs) to link software binaries securely to the source code they were built from, requiring only minimal changes to existing projects and offering near-instant verification.
Contribution
It presents a novel approach leveraging TEEs and sandboxed containers for verifiable builds, improving trust and efficiency over existing reproducible build methods.
Findings
Achieves near-instant verification of binary-source correspondence
Builds complex projects like LLVM Clang without source modifications
Overhead is minimal: 42 seconds of startup latency and a 14% increase in build time
Abstract
In this paper we present attestable builds, a new paradigm to provide strong source-to-binary correspondence in software artifacts. We tackle the challenge of opaque build pipelines that disconnect the trust between source code, which can be understood and audited, and the final binary artifact which is difficult to inspect. Our system uses modern trusted execution environments (TEEs) and sandboxed build containers to provide strong guarantees that a given artifact was correctly built from a specific source code snapshot. As such it complements existing approaches like reproducible builds which typically require time-intensive modifications to existing build configurations and dependencies, and require independent parties to continuously build and verify artifacts. In comparison, an attestable build requires only minimal changes to an existing project, and offers nearly instantaneous…
