dc.contributor.advisor: Devadas, Srinivas
dc.contributor.author: Dréan, Jules Guillaume Jacques Bénony D
dc.date.accessioned: 2025-11-25T19:38:28Z
dc.date.available: 2025-11-25T19:38:28Z
dc.date.issued: 2025-05
dc.date.submitted: 2025-08-14T19:37:55.566Z
dc.identifier.uri: https://hdl.handle.net/1721.1/164044
dc.description.abstract: Trusted Execution Environments (TEEs) [1–5] promised to enable secure computation even in the presence of privileged adversaries by providing hardware-enforced isolation. However, the discovery of microarchitectural side-channel and transient execution attacks [6–10] has severely undermined these security guarantees. These attacks exploit shared hardware resources and speculative execution to leak sensitive information across security boundaries, effectively bypassing the architectural isolation enforced by TEEs. The widespread impact of these vulnerabilities is evidenced by more than 43 published attacks [11] targeting commercial TEE platforms including Intel SGX, AMD SEV, and ARM TrustZone. Existing approaches to defend against these attacks face significant limitations. Hardware-based solutions [12–14] often require complex processor modifications with significant hardware overhead. Replacing trusted hardware with cryptographic approaches incurs prohibitive performance overheads [15]. Meanwhile, formal verification methods struggle to scale to realistic code base sizes and often fail to capture subtle microarchitectural behaviors [16–18]. This thesis proposes a constructive approach to TEE security and demonstrates that practical defenses against microarchitectural attacks are achievable through careful system design. Rather than relying only on models and simulations, we focus on constructing systems that are secure by design. Our work is concretely realized through the design, implementation, and evaluation of two novel platforms. First, we present Citadel, a TEE platform that enables secure shared memory while providing precise guarantees against microarchitectural side-channel attacks. Citadel introduces relaxed microarchitectural isolation (RMI), a novel security property that allows programs to share memory while restricting information leakage to that of a non-speculative execution.
To achieve RMI, Citadel combines hardware-enforced microarchitectural isolation with two simple mechanisms for controlled speculation: SpecSafe, which prevents speculative shared-memory accesses entirely, and Burst mode, which enables better performance through constrained speculation on small code snippets. Through a fully functional FPGA prototype, we demonstrate that Citadel can run real-world applications, including cryptographic libraries and private ML inference, with less than 5% overhead while maintaining strong security guarantees. Second, we develop Argos, an “integrity-only” TEE specifically designed for verifiable fully homomorphic encryption (FHE) that enables the deployment of FHE schemes in real-world settings where malicious security is required. We show that by carefully constraining the attack surface and employing simple hardware mechanisms, we can achieve complete security against microarchitectural attacks. Argos introduces a simplified transcript-based attestation scheme that requires only one signature per FHE computation, amortizing the cost of relying on a physical TPM to microarchitecturally isolate secrets. Argos can be used not only to enforce circuit-level integrity of FHE schemes but can also be extended to support more complex FHE-based applications that take (potentially poisoned) input from the (malicious) circuit evaluator. Argos is compatible with commodity hardware and incurs only minimal performance overhead, with an average of 3% overhead for FHE evaluation and 8% overhead for complex protocols. Through these systems, we show that effective defenses can be built against microarchitectural side-channel and transient execution attacks. Our constructive approach yields practical systems that are secure by design while maintaining efficiency and usability. This thesis opens new possibilities for the deployment of trusted hardware by demonstrating concrete paths toward robust microarchitectural security.
dc.publisher: Massachusetts Institute of Technology
dc.rights: In Copyright - Educational Use Permitted
dc.rights: Copyright retained by author(s)
dc.rights.uri: https://rightsstatements.org/page/InC-EDU/1.0/
dc.title: Hardening Trusted Execution Environments Against Microarchitectural Side-Channel Attacks: A Constructive Approach
dc.type: Thesis
dc.description.degree: Ph.D.
dc.contributor.department: Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
mit.thesis.degree: Doctoral
thesis.degree.name: Doctor of Philosophy