TICAL: Trusted and Integrity-protected Compilation of AppLications

Publikation: Beitrag zu KonferenzenPaperBeigetragenBegutachtung

Beitragende

Abstract

During the past few years, we have witnessed various efforts to provide confidentiality and integrity for applications running in untrusted environments such as public clouds. In most of these approaches, hardware extensions such as Intel SGX, TDX, AMD SEV, etc., are leveraged to provide encryption and integrity protection on process or VM level. Although all of these approaches increase the trust in the application at runtime, an often overlooked aspect is the integrity and confidentiality protection at build time, which is equally important as maliciously injected code during compilation can compromise the entire application and system.In this paper, we present Tical, a practical framework for trusted compilation that provides integrity protection and confidentiality in build pipelines from source code to the final executable. Our approach harnesses TEEs as runtime protection but enriches TEEs with file system shielding and an immutable audit log with version history to provide accountability. This way, we can ensure that the compiler chain can only access trusted files and intermediate output, such as object files produced by trusted processes. Our evaluation using micro- and macro-benchmarks shows that Tical can protect the confidentiality and integrity of whole CI/CD pipelines with an acceptable performance overhead.

Details

OriginalspracheEnglisch
Seiten25-32
Seitenumfang8
PublikationsstatusVeröffentlicht - 2024
Peer-Review-StatusJa

Konferenz

Titel2024 19th European Dependable Computing Conference
KurztitelEDCC 2014
Veranstaltungsnummer19
Dauer8 - 11 April 2024
Webseite
BekanntheitsgradInternationale Veranstaltung
OrtKU Leuven
StadtLeuven
LandBelgien

Externe IDs

Scopus 85194821055
dblp conf/edcc/KrahnPGQBMF24
Mendeley 6b0df034-24cc-3199-ac42-e3ea843cf23c
ORCID /0000-0003-0768-6351/work/162345706

Schlagworte

Forschungsprofillinien der TU Dresden

Schlagwörter

  • Runtime, Codes, Files systems, Source coding, Pipelines, Europe, Hardware, Trusted Compilation, SGX, TEE, CI/CD, Confidential Computing