
arxiv: 2606.04549 · v1 · pith:5L35PBAOnew · submitted 2026-06-03 · 💻 cs.CR

PS-UIE: Privilege-Separated Integrity Enforcement for User-Space Executable Objects in Confidential VMs

Pith reviewed 2026-06-28 06:11 UTC · model grok-4.3

classification 💻 cs.CR
keywords: confidential VMs · integrity enforcement · user-space executables · privilege separation · runtime attestation · AMD SEV-SNP · dynamic loading · cloud security

The pith

Privilege-separated architecture enforces integrity of user-space executables in confidential virtual machines.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Confidential VMs let tenants run sensitive workloads but require trust that all code, including dynamically loaded user-space objects like interpreters and shared libraries, remains unaltered from launch onward. Prior methods establish initial trust and protect some runtime elements yet leave gaps for file-backed executables that load or map during execution. PS-UIE fills the gap by moving integrity measurement and enforcement authority into a higher-privileged protected domain isolated from the targets themselves. The design adds policy lifecycle management, execution-time checks on execute-permission grant paths, and export of verifiable runtime evidence. If the approach holds, tenants obtain continuous assurance that only policy-approved code executes throughout the workload lifetime.

Core claim

PS-UIE introduces a privilege-separated architecture for AMD SEV-SNP-based confidential VMs that separates the authority for integrity measurement and enforcement from the measured user-space executable objects by placing it in a higher-privileged protected domain. Built on this separation, the system supplies policy lifecycle management, execution-time integrity enforcement on covered execute-permission grant paths, and evidence export and verification mechanisms that together enable policy-controlled integrity measurement and enforcement while generating verifiable runtime evidence.

What carries the argument

The privilege-separated architecture, which isolates integrity authority in a higher-privileged protected domain to perform measurement and enforcement on user-space executable objects without relying on the targets themselves.

If this is right

  • Tenants obtain continuous integrity assurance from CVM launch through all subsequent dynamic loading of executables.
  • Verifiable runtime evidence can be exported for external parties to check the current state of user-space objects.
  • Enforcement applies specifically to the execute-permission grant paths that bring file-backed objects into memory.
  • The mechanisms operate with acceptable performance overhead on current AMD SEV-SNP hardware.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same separation pattern may extend to other confidential-computing platforms that already provide isolated execution domains.
  • If the protected domain gains additional interfaces, it could eventually cover kernel-space objects in addition to user-space ones.
  • The design points toward a reusable template for runtime attestation whenever a platform supplies a higher-privilege boundary that can be kept out of reach of ordinary workloads.

Load-bearing premise

The higher-privileged protected domain remains secure and can be trusted to perform integrity measurement and enforcement without itself being compromised or bypassed.

What would settle it

An attack that successfully loads an unapproved user-space executable object into a running CVM, bypassing enforcement and evidence generation, while the protected domain is still active.

Figures

Figures reproduced from arXiv: 2606.04549 by Jingkai Mao, Xiaolin Chang.

Figure 1: PS-UIE consists of a privilege-separated architecture …
Figure 2: Architecture and workflow of PS-UIE. The left side shows the two in-CVM components, UIE-Guest in Linux/VMPL1 …
Figure 3: Overhead of the execve and mprotect(NX→X) paths. Bars show mean latency and lines show slowdown over Native.
From Section 6.1.1 (Trust Anchor and Policy Integrity – SR1, SR4), as extracted with Figure 3: PS-UIE addresses SR1 by separating the integrity authority from Linux/VMPL1 and placing it in UIE-Monitor, which runs in SVSM/VMPL0. UIE-Monitor maintains policy state, performs measurement, and produces final decisions. Linux/VMPL1 only intercep…
Figure 4: Overhead of the mmap(PROT_EXEC) path with file-backed DSOs under different DSO counts. Bars show mean latency and lines show slowdown over Native.
As extracted with Figure 4: Under our threat model, using another covered grant path or replacing the file is insufficient to authorize execution, because the decision depends on monitor-side measurement and decision. PS-UIE also prevents anonymous executable memory from being accepted as …
Original abstract

Confidential Virtual Machines (CVMs), such as AMD SEV-SNP, enable cloud tenants to run security-sensitive workloads, but tenants can rely on the execution of these workloads only when they can trust the CVM. This trust requires continuous integrity assurance from CVM launch to the current runtime state, including initial trust establishment at launch and subsequent runtime integrity assurance. Existing works help establish launch-time trust and protect parts of runtime integrity, but they do not fully address the integrity of file-backed user-space executable objects, such as main executables, program interpreters, and dynamically loaded shared objects, that may be loaded or mapped dynamically during execution inside CVMs. In this paper, we propose Privilege-Separated User-space Integrity Enforcement (PS-UIE), an approach for enforcing the integrity of user-space executable objects inside AMD SEV-SNP-based CVMs. PS-UIE consists of a privilege-separated architecture and three mechanisms. The architecture separates the authority for integrity measurement and enforcement from the measured targets by placing it in a higher-privileged protected domain. Built on this architecture, PS-UIE provides policy lifecycle management, execution-time integrity enforcement, and evidence export and verification mechanisms. It enables policy-controlled integrity measurement and enforcement for user-space executable objects and generates verifiable runtime evidence. We implement PS-UIE on an AMD SEV-SNP platform. The security analysis and performance evaluation show that PS-UIE enforces the integrity of user-space executable objects on the covered execute-permission grant paths and provides verifiable runtime evidence while incurring acceptable overhead.
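The abstract's three mechanisms reduce to one control loop: a policy names which object digests are approved, every covered execute-permission grant path (execve, mmap(PROT_EXEC), mprotect(NX→X)) is answered by a measurement made on the monitor side rather than by the guest, and each verdict is folded into a hash chain that an external verifier can replay. The Python model below is an added illustration, not code from the paper or its implementation. The names Policy, Monitor, on_grant_request, export_evidence and verify_evidence, the sample object contents, and the assumption that only the chain digest is attested (the page does not say how PS-UIE binds its evidence) are all constructed for this example.

```python
"""Toy model of execute-time integrity enforcement behind a privilege-separated
monitor. Added illustration only (not PS-UIE's code); every name below is invented."""
import hashlib
import json

# The execute-permission grant paths named on the page.
GRANT_PATHS = ("execve", "mmap_exec", "mprotect_nx_to_x")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def chain_extend(chain: bytes, entry: dict) -> bytes:
    """Fold one log entry into the running digest, PCR-style."""
    leaf = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).digest()
    return hashlib.sha256(chain + leaf).digest()


class Policy:
    """Allowlist of approved digests per object path, versioned so evidence can
    record which policy was in force (policy lifecycle reduced to a version)."""

    def __init__(self, version: int, allowed: dict):
        self.version = version
        self.allowed = {p: set(d) for p, d in allowed.items()}

    def permits(self, path: str, digest) -> bool:
        return digest is not None and digest in self.allowed.get(path, set())


class Monitor:
    """Stands in for the higher-privileged domain: it measures the object itself
    and logs every verdict; the guest only forwards requests and enforces verdicts."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.log = []
        self.chain = bytes(32)  # running digest over all verdicts

    def on_grant_request(self, path: str, content, grant_path: str) -> bool:
        if grant_path not in GRANT_PATHS:
            raise ValueError(f"uncovered grant path: {grant_path}")
        if content is None:
            digest, decision = None, "deny"  # anonymous memory: no file-backed object to measure
        else:
            digest = sha256_hex(content)  # monitor-side measurement, never a guest-supplied hash
            decision = "allow" if self.policy.permits(path, digest) else "deny"
        entry = {"seq": len(self.log), "grant_path": grant_path, "path": path,
                 "digest": digest, "decision": decision, "policy_version": self.policy.version}
        self.chain = chain_extend(self.chain, entry)
        self.log.append(entry)
        return decision == "allow"

    def export_evidence(self) -> dict:
        # Assumption: only attested_chain would be carried in an attestation report;
        # the log itself travels as plain data and is replayed by the verifier.
        return {"attested_chain": self.chain.hex(), "policy_version": self.policy.version,
                "log": [dict(e) for e in self.log]}


def verify_evidence(evidence: dict, expected_policy: Policy):
    """Replay the log, compare with the attested digest, and reject any 'allow'
    verdict for an object the verifier's own copy of the policy does not permit."""
    if evidence["policy_version"] != expected_policy.version:
        return False, "unexpected policy version"
    chain = bytes(32)
    for i, entry in enumerate(evidence["log"]):
        if entry["seq"] != i:
            return False, f"sequence gap at {i}"
        if entry["decision"] == "allow" and not expected_policy.permits(entry["path"], entry["digest"]):
            return False, f"entry {i} allowed an object outside policy"
        chain = chain_extend(chain, entry)
    if chain.hex() != evidence["attested_chain"]:
        return False, "log does not match attested chain"
    return True, "ok"


def run_demo() -> dict:
    # Constructed stand-ins for file contents; real objects would be ELF images.
    interp = b"\x7fELF constructed interpreter image"
    dso_ok = b"\x7fELF constructed shared object"
    dso_bad = b"\x7fELF constructed shared object + injected code"
    policy = Policy(version=7, allowed={"/usr/bin/python3": {sha256_hex(interp)},
                                        "/usr/lib/libfoo.so": {sha256_hex(dso_ok)}})
    monitor = Monitor(policy)
    r = {
        "interp_execve": monitor.on_grant_request("/usr/bin/python3", interp, "execve"),
        "dso_mmap": monitor.on_grant_request("/usr/lib/libfoo.so", dso_ok, "mmap_exec"),
        # Replacing the file changes the measurement, so the same path is denied ...
        "tampered_mmap": monitor.on_grant_request("/usr/lib/libfoo.so", dso_bad, "mmap_exec"),
        # ... and switching to another covered grant path does not change the verdict.
        "tampered_mprotect": monitor.on_grant_request("/usr/lib/libfoo.so", dso_bad, "mprotect_nx_to_x"),
        "anon_mmap": monitor.on_grant_request("<anonymous>", None, "mmap_exec"),
    }
    evidence = monitor.export_evidence()
    r["evidence_ok"] = verify_evidence(evidence, policy)[0]
    # A rewritten copy of the log no longer replays to the attested digest.
    forged = json.loads(json.dumps(evidence))
    forged["log"][2]["decision"] = "allow"
    r["forged_ok"] = verify_evidence(forged, policy)[0]
    return r


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The point the model makes concrete is the one in the abstract: because the digest is computed and compared in the monitor, neither substituting the file nor choosing a different covered grant path changes the outcome, and because only the chain digest needs to be attested, a verifier can audit the full history of grant decisions from an untrusted copy of the log.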

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 0 minor

Summary. The paper proposes PS-UIE, a privilege-separated architecture for enforcing the integrity of user-space executable objects in AMD SEV-SNP confidential VMs. It separates the authority for integrity measurement and enforcement into a higher-privileged protected domain and provides mechanisms for policy lifecycle management, execution-time integrity enforcement, and evidence export and verification. The authors implement the system and claim, based on security analysis and performance evaluation, that it enforces integrity on covered execute-permission grant paths, provides verifiable runtime evidence, and incurs acceptable overhead.

Significance. If the result holds, this work is significant as it addresses the gap in runtime integrity assurance for dynamically loaded user-space objects in CVMs, which is essential for continuous trust in confidential computing. The privilege-separated design and the provision of verifiable evidence are notable strengths. The assumption that the higher-privileged domain remains secure is standard but critical; if validated, this could influence designs in confidential VM security.

major comments (1)
  1. [Abstract] The abstract states that security analysis and performance evaluation support the claims, but provides no data, derivations, or details to assess whether the evidence actually backs the central claim of enforcement on covered paths and acceptable overhead.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the detailed review and constructive comment. We address the point on the abstract below and will incorporate revisions to strengthen the manuscript.

Point-by-point responses
  1. Referee: [Abstract] The abstract states that security analysis and performance evaluation support the claims, but provides no data, derivations, or details to assess whether the evidence actually backs the central claim of enforcement on covered paths and acceptable overhead.

    Authors: We agree that the abstract, as currently written, summarizes the outcomes of the security analysis (Section 6) and performance evaluation (Section 7) without including quantitative details or explicit references to specific results. This is a fair observation. The full manuscript provides the supporting evidence: Section 6 details the security properties verified through formal and informal analysis (including enforcement on covered execute-permission grant paths), while Section 7 reports concrete performance measurements (e.g., overhead figures for the measured workloads). To address the concern directly, we will revise the abstract to include a concise summary of key quantitative results from the evaluation (such as the range of observed overhead) and a brief pointer to the sections containing the analysis, while preserving the abstract's length and focus. This change will make the evidential basis more transparent to readers without altering the manuscript's technical content.
    revision: yes

Circularity Check

0 steps flagged

No significant circularity; architecture and mechanisms are independently described.

full rationale

The paper proposes a privilege-separated architecture for integrity enforcement in CVMs, with mechanisms for policy lifecycle, execution-time enforcement, and evidence export. No equations, fitted parameters, or self-citations are invoked in a way that reduces any central claim to its own inputs by construction. The security analysis is presented as supporting the design, but the claims rest on the described separation of privileges and implementation on AMD SEV-SNP rather than tautological redefinition or renaming of prior results. This is a standard systems contribution with external evaluation, making the derivation self-contained.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 1 invented entity

Based solely on the abstract; the central claim rests on the trustworthiness of the separated privileged domain and the coverage of execute-permission grant paths.

axioms (1)
  • domain assumption: The higher-privileged protected domain remains secure and can reliably perform integrity measurement and enforcement.
    The architecture description places authority for measurement and enforcement in this domain.
invented entities (1)
  • PS-UIE privilege-separated architecture (no independent evidence)
    purpose: Separate authority for integrity measurement from the measured user-space executable objects.
    Introduced as the foundational design in the paper.

pith-pipeline@v0.9.1-grok · 5817 in / 1190 out tokens · 43538 ms · 2026-06-28T06:11:57.292651+00:00 · methodology


Reference graph

Works this paper leans on

39 extracted references · 3 canonical work pages

  1. [1] D. Feng, Y. Qin, W. Feng, W. Li, K. Shang, and H. Ma, “Survey of research on confidential computing,” IET Communications, vol. 18, no. 9, pp. 535–556, 2024.
  2. [2] F. Mo, Z. Tarkhani, and H. Haddadi, “Machine learning with confidential computing: A systematization of knowledge,” ACM Computing Surveys, vol. 56, no. 11, pp. 1–40, 2024.
  3. [3] M. Ammar, A. Caulfield, and I. D. O. Nunes, “SoK: Integrity, attestation, and auditing of program execution,” in 2025 IEEE Symposium on Security and Privacy (SP). IEEE, 2025, pp. 3255–3272.
  4. [4] L. Wilke and G. Scopelliti, “SNPGuard: Remote attestation of SEV-SNP VMs using open source tools,” in 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, 2024, pp. 193–198.
  5. [5] W. Wang, L. Song, B. Mei, S. Liu, S. Zhao, S. Yan, X. Wang, D. Meng, and R. Hou, “The road to trust: Building enclaves within confidential VMs,” in 32nd Annual Network and Distributed System Security Symposium (NDSS 2025), San Diego, California, USA, February 24–28, 2025.
  6. [6] V. Narayanan, C. Carvalho, A. Ruocco, G. Almasi, J. Bottomley, M. Ye, T. Feldman-Fitzthum, D. Buono, H. Franke, and A. Burtsev, “Remote attestation of confidential VMs using ephemeral vTPMs,” in Proceedings of the 39th Annual Computer Security Applications Conference, 2023, pp. 732–743.
  7. [7] B. Mei, W. Wang, and D. Lin, “SVSM-KMS: Safeguarding keys for cloud services with encrypted virtualization,” in International Conference on Science of Cyber Security. Springer, 2024, pp. 217–235.
  8. [8] Z. Zhou, W. Chen, S. Gong, C. Hawblitzel, W. Cui, et al., “VeriSMo: A verified security module for confidential VMs,” in 18th USENIX Symposium on Operating Systems Design and Implementation (OSDI 24), 2024, pp. 599–614.
  9. [9] A. Ahmad, B. Ou, C. Liu, X. Zhang, and P. Fonseca, “Veil: A protected services framework for confidential virtual machines,” in Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 4, 2023, pp. 378–393.
  10. [10] B. Mei, S. Xia, W. Wang, and D. Lin, “Cabin: Confining untrusted programs within confidential VMs,” in International Conference on Information and Communications Security. Springer, 2024, pp. 165–184.
  11. [11] F. Schwarz and C. Rossow, “00SEVen – re-enabling virtual machine forensics: Introspecting confidential VMs using privileged in-VM agents,” in 33rd USENIX Security Symposium (USENIX Security 24), 2024, pp. 1651–1668.
  12. [12] P. Sabanic, M. Misono, T. Bodea, J. Pritzi, M. Hackl, D. Stavrakakis, and P. Bhatotia, “Confidential serverless computing,” arXiv preprint arXiv:2504.21518, 2025.
  13. [13] Y. Zhang, Y. Hu, Z. Ning, F. Zhang, X. Luo, H. Huang, S. Yan, and Z. He, “Complementing confidential computing environment for applications on Arm CCA,” IEEE Trans. Dependable Secur. Comput., 2025.
  14. [14] Z. Wang, J. Zhan, X. Ding, F. Zhang, and N. Hu, “TETD: Trusted execution in trust domains,” in 34th USENIX Security Symposium (USENIX Security 25), 2025, pp. 1187–1206.
  15. [15] R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn, “Design and implementation of a TCG-based integrity measurement architecture,” in USENIX Security Symposium, vol. 13, 2004, pp. 223–238.
  16. [16] M. Zohar et al., “IMA appraisal and EVM in the Linux integrity subsystem,” LWN.net article, 2012. [Online]. Available: https://lwn.net/Articles/488906/
  17. [17] W. Luo, Q. Shen, Y. Xia, and Z. Wu, “Container-IMA: A privacy-preserving integrity measurement architecture for containers,” in 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019), 2019, pp. 487–500.
  18. [18] M. Eckel and T. Riemann, “Userspace software integrity measurement,” in Proceedings of the 16th International Conference on Availability, Reliability and Security, 2021, pp. 1–11.
  19. [19] U. Kanonov and A. Wool, “Secure containers in Android: The Samsung Knox case study,” in Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices, 2016, pp. 3–12.
  20. [20] S. Dong, Y. Xiong, W. Huang, and L. Ma, “KIMS: Kernel integrity measuring system based on TrustZone,” in 2020 6th International Conference on Big Data Computing and Communications (BIGCOM), 2020, pp. 103–107.
  21. [21] L. Song, Y. Ding, P. Dong, Y. Guo, and C. Wang, “TZ-IMA: Supporting integrity measurement for applications with Arm TrustZone,” in International Conference on Information and Communications Security, 2022, pp. 342–358.
  22. [22] L. Song, Y. Ding, Y. Guo, B. Li, and B. Zhou, “DIMAC: Dynamic integrity measurement architecture for containers with Arm TrustZone,” in 2024 IEEE International Conference on Web Services (ICWS), 2024, pp. 844–852.
  23. [23] Z. Zhao, M. Armanuzzaman, X. Tan, and Z. Ma, “Trusted execution environments in embedded and IoT systems: A CactiLab perspective,” in 2024 International Symposium on Secure and Private Execution Environment Design (SEED), 2024, pp. 96–106.
  24. [24] X. Liu, Y. Lai, J. Liu, and S. Luo, “TZEAMM: An efficient and secure active measurement method based on TrustZone,” Secur. Commun. Networks, vol. 2023, no. 1, p. 6921960, 2023.
  25. [25] J. Mao and X. Chang, “TPM2.0-supported runtime customizable TEE on FPGA-SoC with user-controllable vTPM,” arXiv preprint arXiv:2505.12256, 2025.
  26. [26] Y. Wang, X. Chang, H. Zhu, J. Wang, Y. Gong, and L. Li, “Towards secure runtime customizable trusted execution environment on FPGA-SoC,” IEEE Trans. Comput., vol. 73, pp. 1138–1151, 2024.
  27. [27] L. Zhou, X. Ding, and F. Zhang, “SMILE: Secure memory introspection for live enclave,” in 2022 IEEE Symposium on Security and Privacy (SP), 2022, pp. 386–401.
  28. [28] W. Ozga, C. Fetzer, et al., “Triglav: Remote attestation of the virtual machine’s runtime integrity in public clouds,” in 2021 IEEE 14th International Conference on Cloud Computing (CLOUD). IEEE, 2021, pp. 1–12.
  29. [29] B. Mei, W. Wang, and D. Lin, “VMPL-KMI: Protecting kernel module integrity within confidential VMs,” in 2025 IEEE 24th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). IEEE, 2025, pp. 3032–3037.
  30. [30] AMD, “AMD SEV-SNP: Strengthening VM isolation with integrity protection and more,” pp. 1450–1465, 2020.
  31. [31] AMD, “Secure VM Service Module for SEV-SNP guests,” revision 1.01, 2026.
  32. [32] C. Jelesnianski, M. Ismail, Y. Jang, D. Williams, and C. Min, “Protect the system call, protect (most of) the world with BASTION,” in Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3, 2023, pp. 528–541.
  33. [33] J. Chen, Z. Mi, Y. Xia, H. Guan, and H. Chen, “CPC: Flexible, secure, and efficient CVM maintenance with confidential procedure calls,” in 2024 USENIX Annual Technical Conference (USENIX ATC 24), 2024, pp. 1065–1082.
  34. [34] K. Suzaki, “Arm TrustZone OP-TEE with VERAISON verifier,” in OpenSSF Community Day Japan 2025, Jun. [Online]. Available: https://events.linuxfoundation.org/openssf-community-day-japan/program/schedule/
  36. [36] J. Mao and X. Chang, “PDRIMA: A policy-driven runtime integrity measurement and attestation approach for Arm TrustZone-based TEE,” arXiv preprint arXiv:2512.06500, 2025.
  37. [37] J. Mao, X. Chang, L. Li, H. Zhu, and J. Fan, “Towards verifiable trust proof for trusted confidential virtual machines,” IEEE Trans. Netw. Sci. Eng., vol. 13, pp. 552–567, 2026.
  38. [38] AMD SEV Engineering, “AMDSEV: AMD Secure Encrypted Virtualization,” https://github.com/AMDESE/AMDSEV, 2026, accessed 2026-04-28.
  39. [39] COCONUT-SVSM Project, “COCONUT Secure VM Service Module,” https://github.com/coconut-svsm/svsm, 2026, accessed 2026-04-28.