
arxiv: 1907.09906 · v1 · pith:2U455JJTnew · submitted 2019-07-23 · 💻 cs.CR

Scanclave: Verifying Application Runtime Integrity in Untrusted Environments

Pith reviewed 2026-05-24 17:29 UTC · model grok-4.3

classification 💻 cs.CR
keywords: trusted execution environments, runtime integrity verification, cloud security, enclave design, application attestation, untrusted environments, TEE memory access

The pith

Scanclave places a verifier inside a TEE to check an application's memory at runtime even against a malicious operating system or hypervisor.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces Scanclave as a lightweight design that puts the integrity verifier inside a trusted execution environment. It meets three goals: the verifier itself stays trustworthy, the trusted software stack stays minimal, and the enclave can safely reach into an untrusted application's memory. A reader would care because current TEEs only attest code at load time while existing runtime checkers can themselves be attacked by high-privileged software. The work shows the design steps, a security analysis of each step, and how different enclave implementations could support it. The result is a way for a remote party to confirm that an application has not been altered during execution.

Core claim

Scanclave achieves trustworthiness of the verifier, a minimal trusted software stack, and the possibility to access an application's memory from a TEE, enabling verification of application runtime integrity even in the presence of a high privileged adversary.

What carries the argument

Scanclave design that runs the verifier inside a TEE while allowing controlled read access to the target application's memory.
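As an added illustration (not the paper's code) of the flow this design describes: a verifier inside the enclave measures the target application's (TA) memory on request, and a remote verifier checks the signed result for freshness and against the load-time measurement. The HMAC key stands in for the enclave's attestation key, the memory model and addresses are constructed, and the integrity policy (code pages constant, data pages free) is one illustrative choice, since the paper deliberately leaves that definition open.

```python
import hashlib
import hmac
import secrets

PAGE = 4096
CODE_BASE, DATA_BASE = 0x400000, 0x600000  # constructed TA layout

class TargetApp:
    """Untrusted application (TA) memory: page base address -> page bytes."""
    def __init__(self, code: bytes, data: bytes):
        self.pages = {CODE_BASE: code.ljust(PAGE, b"\0"), DATA_BASE: data.ljust(PAGE, b"\0")}
        self.code_range = (CODE_BASE, CODE_BASE + PAGE)

    def read(self, addr: int, size: int) -> bytes:
        return self.pages[addr - addr % PAGE][addr % PAGE:addr % PAGE + size]

    def poke(self, addr: int, blob: bytes) -> None:  # any in-memory modification
        page = bytearray(self.pages[addr - addr % PAGE])
        page[addr % PAGE:addr % PAGE + len(blob)] = blob
        self.pages[addr - addr % PAGE] = bytes(page)

class ScanclaveEnclave:
    """Verifier inside the TEE with read access to the TA's address space."""
    def __init__(self, app: TargetApp, attestation_key: bytes):
        self.app, self.key = app, attestation_key
        self.reference = self.measure()  # taken at load time, before the TA runs

    def measure(self) -> bytes:
        # Policy: code pages never change, data pages may. Each scan is a snapshot.
        h = hashlib.sha256()
        for addr in range(*self.app.code_range, PAGE):
            h.update(self.app.read(addr, PAGE))
        return h.digest()

    def handle_request(self, nonce: bytes):
        """Rescan on request; return a report bound to the caller's nonce."""
        current = self.measure()
        report = nonce + current + bytes([int(hmac.compare_digest(current, self.reference))])
        return report, hmac.new(self.key, report, "sha256").digest()

class RemoteVerifier:
    """Knows the attestation key and the TA's load-time measurement."""
    def __init__(self, attestation_key: bytes, expected: bytes):
        self.key, self.expected = attestation_key, expected

    def check(self, enclave: ScanclaveEnclave) -> bool:
        nonce = secrets.token_bytes(16)
        report, tag = enclave.handle_request(nonce)
        if not hmac.compare_digest(tag, hmac.new(self.key, report, "sha256").digest()):
            return False  # report was not produced by the enclave
        if report[:16] != nonce:
            return False  # stale or replayed report
        return report[48] == 1 and report[16:48] == self.expected

def run(tamper_code: bool) -> bool:
    key = b"constructed-attestation-key"
    app = TargetApp(code=b"\x55\x48\x89\xe5\xc3", data=b"counter=0")
    enclave = ScanclaveEnclave(app, key)
    remote = RemoteVerifier(key, enclave.reference)
    app.poke(DATA_BASE, b"counter=1")  # legitimate data change: still passes
    if tamper_code:
        app.poke(CODE_BASE + 4, b"\x90")  # one patched code byte: must fail
    return remote.check(enclave)
```

Because each scan is a snapshot, a modification made and reverted between two requests goes unseen, which is why continuous polling (raised below under editorial extensions) matters in practice.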

If this is right

  • A remote verifier can determine the runtime integrity of an application protected by Scanclave.
  • The same design works with multiple existing enclave technologies.
  • Security analysis covers each step from enclave setup through memory inspection.
  • No trust is required in the operating system or hypervisor for the verification result.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The approach could support continuous rather than one-shot checks if the TEE can poll memory repeatedly.
  • Performance cost of the memory access path would determine whether the method scales to large applications.
  • Similar minimal-stack patterns might apply to verifying other system components such as device drivers.

Load-bearing premise

A minimal trusted software stack can be built inside a TEE that safely accesses untrusted application memory without creating new attack surfaces or breaking the TEE's isolation.

What would settle it

Demonstration of an attack in which a high-privileged adversary tampers with the TEE verifier or the memory-access path without detection.

Figures

Figures reproduced from arXiv: 1907.09906 by Mathias Morbitzer.

Figure 1: The HA is used to launch the TA. This causes Scanclave and the
Figure 2: A remote verifier can now request Scanclave to verify the runtime
Original abstract

Data hosted in a cloud environment can be subject to attacks from a higher privileged adversary, such as a malicious or compromised cloud provider. To provide confidentiality and integrity even in the presence of such an adversary, a number of Trusted Execution Environments (TEEs) have been developed. A TEE aims to protect data and code within its environment against high privileged adversaries, such as a malicious operating system or hypervisor. While mechanisms exist to attest a TEE's integrity at load time, there are no mechanisms to attest its integrity at runtime. Additionally, work also exists that discusses mechanisms to verify the runtime integrity of programs and system components. However, those verification mechanisms are themselves not protected against attacks from a high privileged adversary. It is therefore desirable to combine the protection mechanisms of TEEs with the ability of application runtime integrity verification. In this paper, we present Scanclave, a lightweight design which achieves three design goals: Trustworthiness of the verifier, a minimal trusted software stack and the possibility to access an application's memory from a TEE. Having achieved our goals, we are able to verify the runtime integrity of applications even in the presence of a high privileged adversary. We refrain from discussing which properties define the runtime integrity of an application, as different applications will require different verification methods. Instead, we show how Scanclave enables a remote verifier to determine the runtime integrity of an application. Afterwards, we perform a security analysis for the different steps of our design. Additionally, we discuss different enclave implementations that might be used for the implementation of Scanclave.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper proposes Scanclave, a lightweight design for verifying application runtime integrity in untrusted cloud environments using Trusted Execution Environments (TEEs). It claims to achieve three design goals: trustworthiness of the verifier, a minimal trusted software stack, and the possibility to access an application's memory from a TEE. This enables a remote verifier to determine runtime integrity even against high-privileged adversaries. The manuscript describes the design steps, performs a security analysis of those steps, and discusses possible enclave implementations.

Significance. If the design and security analysis hold, the work would be significant for trusted computing by bridging load-time TEE attestation with runtime verification mechanisms that are themselves protected against privileged adversaries. The focus on a minimal trusted stack aligns with efforts to reduce TCB size in TEE deployments and could enable practical integrity checks for cloud applications.

major comments (2)
  1. [Abstract] The central claim that the three design goals are achieved (and thus that runtime integrity verification is possible against high-privileged adversaries) rests on the unshown feasibility of combining a minimal trusted software stack with TEE-based memory access; no derivations, proofs, implementation details, or empirical evidence are supplied to support this.
  2. [Design goals section] The assumption that a minimal trusted software stack can be implemented inside a TEE while still permitting safe access to untrusted application memory without introducing new attack surfaces or violating isolation is stated as achieved but is not demonstrated with any concrete mechanism, threat model, or analysis.
minor comments (1)
  1. The decision to refrain from defining runtime integrity properties is reasonable given application-specific needs, but the manuscript could usefully include at least one illustrative verification method that Scanclave would enable.

Simulated Author's Rebuttal

2 responses · 0 unresolved

Thank you for the opportunity to respond to the referee's report. We address the major comments point by point below. We agree that additional clarification on the feasibility can strengthen the manuscript and will revise accordingly.

Point-by-point responses
  1. Referee: [Abstract] The central claim that the three design goals are achieved (and thus that runtime integrity verification is possible against high-privileged adversaries) rests on the unshown feasibility of combining a minimal trusted software stack with TEE-based memory access; no derivations, proofs, implementation details, or empirical evidence are supplied to support this.

    Authors: The manuscript presents Scanclave as a design, with the body describing the design steps that achieve the three goals and a security analysis of those steps. The feasibility is argued via the proposed architecture that places the verifier in the TEE with minimal stack and controlled memory access. We will revise the abstract to more explicitly point to these sections and elaborate on the combination mechanism in the design description to provide clearer support for the claims. revision: yes

  2. Referee: [Design goals section] The assumption that a minimal trusted software stack can be implemented inside a TEE while still permitting safe access to untrusted application memory without introducing new attack surfaces or violating isolation is stated as achieved but is not demonstrated with any concrete mechanism, threat model, or analysis.

    Authors: The design goals section introduces the goals, while subsequent sections detail the design steps and include a security analysis that considers the threat model of high-privileged adversaries. This analysis evaluates potential violations of isolation and new attack surfaces. We will enhance the design goals section to include a brief overview of the concrete mechanisms and reference the security analysis more prominently. revision: yes

Circularity Check

0 steps flagged

No significant circularity detected

Full rationale

The paper describes a new design called Scanclave that combines TEE protections with runtime integrity verification mechanisms. It states three design goals and claims to achieve them via the architecture, followed by a security analysis and discussion of enclave implementations. No equations, fitted parameters, predictions, or self-citations appear in the provided text. The central claim is an architectural proposal whose validity rests on the security analysis rather than any reduction to prior inputs or self-referential definitions. No load-bearing step reduces by construction to its own inputs.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 1 invented entity

The design rests on standard TEE isolation assumptions and the paper-specific claim that a minimal trusted stack with memory access is achievable; no free parameters or invented physical entities are described.

axioms (2)
  • domain assumption: Trusted Execution Environments protect against high-privileged adversaries such as a malicious OS or hypervisor.
    Invoked in the abstract as the foundation for TEE usage.
  • ad hoc to paper: A minimal trusted software stack can be combined with TEE-based memory access without compromising verifier trustworthiness.
    This is presented as one of the three achieved design goals in the abstract.
invented entities (1)
  • Scanclave (no independent evidence)
    purpose: Lightweight design for runtime integrity verification in untrusted environments.
    New system name and architecture introduced to meet the three design goals.


