Doctoral Examination of student Daniel Correia Andrade

Area: Computer Science and Engineering (Engenharia Informática e de Computadores)
Thesis Title: Trusted Execution Environment Migration
Venue: Auditorium PA-3 (Floor -1 of the Mathematics Pavilion), IST
Date: 29/10/2025
Time: 14:00
Abstract: Trusted execution environments (TEEs) ensure the authenticity and confidentiality of trusted applications' code and data during runtime and at rest. A trusted application is placed in a container that isolates it from other trusted applications, from their classic counterparts running in traditional execution environments, and even from privileged software such as operating systems and hypervisors. The authenticity of a trusted application and of its hosting trusted execution environment may be verified using attestation. Trusted applications lose their state when closed. A trusted application's data may be preserved by storing it, encrypted, outside the secure container in untrusted persistent storage. The secret key that encrypts the data is typically bound to the trusted application and to the processor where the encryption occurs, in which case it is called the sealing key, and this encryption mechanism is known as sealing. Sealing prevents an instantiation of the same trusted application on a different processor from decrypting, that is, unsealing, the sealed data – which we call sealtext – because processors other than the sealing processor are unable to derive the same sealing key. This characteristic of sealing is useful because it prevents another party from accessing the sealed trusted application data on a different machine. The downside is that a trusted application user is unable to create data backups retrievable on different platforms in case the platform that sealed the data is not available, for example due to damage, theft, or decommissioning.

This thesis proposes new solutions for making data accessible across trusted applications running on different platforms, without exposing the keying material outside trusted execution environments, and devises new approaches to tackle this limitation of sealing.

The first solution, SRX (SGX Recovery Extension), targets local Intel SGX platforms. SRX creates a group of platforms per sealtext. Each group member uses a key-agreement protocol with an abstract entity representing the sealtext itself to obtain the SRX sealing key. The private keys of group members are derived deterministically on each trusted application instantiation, to avoid having to store them outside the trusted application.

The second solution, IPAS (Inter-Processor Attestation and Sealing), targets Intel SGX platforms in the cloud. IPAS relies on a service, controlled by the Cloud Provider, for the key management operations supporting inter-processor sealing. This service is notably untrusted. The trusted application image, which creates the trusted application instances of the Cloud Customer, is sent to the untrusted service, which uses it to create a new trusted application instance that is exactly the same as the original instances of the Cloud Customer. The untrusted service handles key management for a particular trusted application inside the respective instance through an IPAS interface that all trusted applications implement. This solution does not require an initial setup step on an adversary-free clean system, and does not require trusting third parties, namely third-party services.

The third solution, XTEES (Cross-TEE Sealing), targets Intel SGX and Arm TrustZone platforms. XTEES relies on two services, both running in TEEs and controlled by the Cloud Customer, for key management. The first service is physically located with the Cloud Customer and generates and deploys keying material to the second service, located in the cloud. The second service provides keying material to trusted application instances to seal trusted application data and unseal sealtexts. A key ingredient of XTEES, and of other inter-processor and cross-TEE solutions, is verifying the authenticity of each trusted application instance. For this reason we create a mutual attestation scheme meant to work across TEEs. This solution does not require an initial setup step on an adversary-free clean system, does not require trusting third parties since the Cloud Customer controls both support services, and mitigates customer lock-in.

These three solutions improve the state of the art of data migration across platforms. Our solutions do not extend the TEE with additional instructions, do not enlarge the typical trusted computing base, do not expose the sealing keys outside the TEEs, and work even when the sealing platform is offline.
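The limitation the thesis addresses can be seen in a small model of sealing, written here as an added illustration rather than code from the thesis or from Intel SGX: the sealing key is derived from a per-processor root secret together with the enclave measurement, so a sealtext produced on one processor cannot be unsealed on another. The key derivation, the root secrets and the HMAC-based toy authenticated encryption are constructed for the example and are not SGX's actual algorithms.

```python
import hashlib
import hmac
import os

# Constructed model: each processor holds a fused root secret; the sealing
# key binds that secret to the identity (measurement) of the trusted app.
def derive_sealing_key(platform_root_secret: bytes, enclave_measurement: bytes) -> bytes:
    # HKDF-style extract-then-expand with HMAC-SHA256 (simplified, not SGX's KDF)
    prk = hmac.new(platform_root_secret, enclave_measurement, hashlib.sha256).digest()
    return hmac.new(prk, b"sealing-key" + b"\x01", hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC; toy construction for a stdlib-only example
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the result is the sealtext stored in untrusted storage
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, sealtext: bytes):
    # Returns the plaintext, or None when the tag does not verify under this key
    nonce, ct, tag = sealtext[:16], sealtext[16:-32], sealtext[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong sealing key (other processor) or tampered sealtext
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def demo():
    measurement = hashlib.sha256(b"trusted-app-v1").digest()   # constructed
    root_a, root_b = b"A" * 32, b"B" * 32                      # constructed root secrets
    key_a = derive_sealing_key(root_a, measurement)
    key_b = derive_sealing_key(root_b, measurement)            # same app, other processor
    sealtext = seal(key_a, b"secret application state")
    return unseal(key_a, sealtext), unseal(key_b, sealtext)    # (plaintext, None)
```

The second return value of `demo()` is `None`: the same trusted application on processor B derives a different key and cannot recover the data, which is exactly the backup problem SRX, IPAS and XTEES set out to solve without leaking the key outside a TEE.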