Cerisier: A Program Logic for Attestation in a Capability Machine
June Rousseau, Denis Carnier, Thomas Van Strydonck, Steven Keuchel, Dominique Devriese, Lars Birkedal

TL;DR
Cerisier is a novel program logic designed for modular reasoning about attestation in capability machines, enabling formal verification of trusted computing systems involving enclaves and untrusted code.
Contribution
It introduces the first formal, mechanized logic for reasoning about trusted, untrusted, and attested code, extending capability machines with enclave primitives and a universal contract.
Findings
Proved end-to-end properties for secure outsourced computation.
Validated mutual attestation and trusted sensor components.
Formalized CHERI-TrEE extension for capability machines.
Abstract
A key feature in trusted computing is attestation, which allows encapsulated components (enclaves) to prove their identity to (local or remote) distrusting components. Reasoning about software that uses the technique requires tracking how trust evolves after successful attestation. This process is security-critical and non-trivial, but no existing formal verification technique supports modular reasoning about attestation of enclaves and their clients, or proving end-to-end properties for systems combining trusted, untrusted and attested code. We contribute Cerisier, the first program logic for modular reasoning about trusted, untrusted and attested code, fully mechanized in the Iris separation logic and the Rocq Prover. We formalize a recent proposal, CHERI-TrEE, to extend capability machines with enclave primitives, as an extension to the Cerise capability machine and program logic.…
