Zhen Huang (Shanghai Jiao Tong University), Yidi Kao (Auburn University), Sanchuan Chen (Auburn University), Guoxing Chen (Shanghai Jiao Tong University), Yan Meng (Shanghai Jiao Tong University), Haojin Zhu (Shanghai Jiao Tong University)
Trusted Execution Environment (TEE) has been adopted to secure computation outsourced to untrusted clouds, and the associated remote attestation mechanism enables the user to verify the integrity of the outsourced computation at launch time. However, memory corruption attacks break TEE’s security guarantees without being detected after launch-time attestation. While control-flow attestation (CFA) schemes aim to detect runtime compromises, most existing CFA schemes lack concrete verification methods and can be bypassed by data-only attacks. In this paper, we propose the concept of External-Input Attestation to attest all writes to TEE-protected applications, based on the observation that memory corruption attacks typically start with unintended writes. This approach ensures a trusted enclave state by verifying all writes match expectations, transforming security issues, such as control-flow hijacking, into reliability issues, such as a software crash due to unexpected input. For efficient reference measurement derivation and verification, the current version of External-Input Attestation is limited to enclaved applications whose inputs are known to the verifier. This design is validated by implementing and evaluating prototypes on AMD SEV-SNP and Penglai, where security and performance evaluations show a minimal performance overhead in case studies, including secure model training, model inference, database workloads, and key management.