Guardado en:
Detalles Bibliográficos
Autores principales: Krahn, Robert, Paul, Nikson Kanti, Gregor, Franz, Quoc, Do Le, Brito, Andrey, Martin, André, Fetzer, Christof
Formato: Preprint
Publicado: 2025
Materias:
Acceso en línea:https://arxiv.org/abs/2511.17070
Etiquetas: Agregar Etiqueta
Sin Etiquetas, Sea el primero en etiquetar este registro!
_version_ 1866908670660444160
author Krahn, Robert
Paul, Nikson Kanti
Gregor, Franz
Quoc, Do Le
Brito, Andrey
Martin, André
Fetzer, Christof
author_facet Krahn, Robert
Paul, Nikson Kanti
Gregor, Franz
Quoc, Do Le
Brito, Andrey
Martin, André
Fetzer, Christof
contents During the past few years, we have witnessed various efforts to provide confidentiality and integrity for applications running in untrusted environments such as public clouds. In most of these approaches, hardware extensions such as Intel SGX, TDX, AMD SEV, etc., are leveraged to provide encryption and integrity protection on process or VM level. Although all of these approaches increase the trust in the application at runtime, an often overlooked aspect is the integrity and confidentiality protection at build time, which is equally important as maliciously injected code during compilation can compromise the entire application and system. In this paper, we present Tical, a practical framework for trusted compilation that provides integrity protection and confidentiality in build pipelines from source code to the final executable. Our approach harnesses TEEs as runtime protection but enriches TEEs with file system shielding and an immutable audit log with version history to provide accountability. This way, we can ensure that the compiler chain can only access trusted files and intermediate output, such as object files produced by trusted processes. Our evaluation using micro- and macro-benchmarks shows that Tical can protect the confidentiality and integrity of whole CI/CD pipelines with an acceptable performance overhead.
format Preprint
id arxiv_https___arxiv_org_abs_2511_17070
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle TICAL: Trusted and Integrity-protected Compilation of AppLications
Krahn, Robert
Paul, Nikson Kanti
Gregor, Franz
Quoc, Do Le
Brito, Andrey
Martin, André
Fetzer, Christof
Cryptography and Security
During the past few years, we have witnessed various efforts to provide confidentiality and integrity for applications running in untrusted environments such as public clouds. In most of these approaches, hardware extensions such as Intel SGX, TDX, AMD SEV, etc., are leveraged to provide encryption and integrity protection on process or VM level. Although all of these approaches increase the trust in the application at runtime, an often overlooked aspect is the integrity and confidentiality protection at build time, which is equally important as maliciously injected code during compilation can compromise the entire application and system. In this paper, we present Tical, a practical framework for trusted compilation that provides integrity protection and confidentiality in build pipelines from source code to the final executable. Our approach harnesses TEEs as runtime protection but enriches TEEs with file system shielding and an immutable audit log with version history to provide accountability. This way, we can ensure that the compiler chain can only access trusted files and intermediate output, such as object files produced by trusted processes. Our evaluation using micro- and macro-benchmarks shows that Tical can protect the confidentiality and integrity of whole CI/CD pipelines with an acceptable performance overhead.
title TICAL: Trusted and Integrity-protected Compilation of AppLications
topic Cryptography and Security
url https://arxiv.org/abs/2511.17070