KingsGuard: Enclave Data Protection Under Real-World TEE Vulnerabilities
Saltanat Firdous Allaqband, Deepanjali S, Rohit Srinivas R G, Devashish Gosain, Chester Rebeiro
TLDR
KingsGuard is a novel TEE design that uses hardware-enforced data flow tracking to protect sensitive enclave data from real-world vulnerabilities.
Key contributions
- Systematically monitors and controls sensitive data propagation within TEE enclaves.
- Enforces fine-grained hardware data flow tracking to prevent unauthorized data leakage.
- Introduces controlled declassification mechanisms for intentional data release.
- Implemented on RISC-V with 10.8% hardware area and 5.69% performance overheads.
Why it matters
This paper addresses critical vulnerabilities in Trusted Execution Environments, which often undermine their security guarantees. KingsGuard provides a practical solution by ensuring sensitive data remains protected, bridging the gap between ideal TEE models and real-world deployments. This enhances the reliability of secure computations.
Original Abstract
Trusted Execution Environments (TEEs) have emerged as a cornerstone for securing sensitive computations by providing isolated enclaves protected from untrusted software. However, their security guarantees are undermined by vulnerabilities in both the enclave code and the underlying hardware design, which can allow sensitive data to leak despite strong isolation guarantees. This paper presents KINGSGUARD, a novel TEE design that systematically monitors and controls the propagation of sensitive data within an enclave. By enforcing fine-grained data flow tracking and checks in hardware, our approach ensures that sensitive data does not leave the enclave boundary, thus bridging the gap between the idealized threat models of TEEs and their practical realizations. Additionally, to balance security with practical functionality, we introduce controlled declassification at enclave boundaries, allowing intentional release of data to the outside world. Our implementation of KINGSGUARD on a RISC-V processor has a 10.8% hardware area overhead when synthesized on FPGA and a 5.69% performance overhead.
📬 Weekly AI Paper Digest
Get the top 10 AI/ML arXiv papers from the week — summarized, scored, and delivered to your inbox every Monday.