PS-UIE: Privilege-Separated Integrity Enforcement for User-Space Executable Objects in Confidential VMs
Pith reviewed 2026-06-28 06:11 UTC · model grok-4.3
The pith
Privilege-separated architecture enforces integrity of user-space executables in confidential virtual machines.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
PS-UIE introduces a privilege-separated architecture for AMD SEV-SNP-based confidential VMs that separates the authority for integrity measurement and enforcement from the measured user-space executable objects by placing it in a higher-privileged protected domain. Built on this separation, the system supplies policy lifecycle management, execution-time integrity enforcement on covered execute-permission grant paths, and evidence export and verification mechanisms that together enable policy-controlled integrity measurement and enforcement while generating verifiable runtime evidence.
What carries the argument
The privilege-separated architecture, which isolates integrity authority in a higher-privileged protected domain to perform measurement and enforcement on user-space executable objects without relying on the targets themselves.
If this is right
- Tenants obtain continuous integrity assurance from CVM launch through all subsequent dynamic loading of executables.
- Verifiable runtime evidence can be exported for external parties to check the current state of user-space objects.
- Enforcement applies specifically to the execute-permission grant paths that bring file-backed objects into memory.
- The mechanisms operate with acceptable performance overhead on current AMD SEV-SNP hardware.
Where Pith is reading between the lines
- The same separation pattern may extend to other confidential-computing platforms that already provide isolated execution domains.
- If the protected domain gains additional interfaces, it could eventually cover kernel-space objects in addition to user-space ones.
- The design points toward a reusable template for runtime attestation whenever a platform supplies a higher-privilege boundary that can be kept out of reach of ordinary workloads.
Load-bearing premise
The higher-privileged protected domain remains secure and can be trusted to perform integrity measurement and enforcement without itself being compromised or bypassed.
What would settle it
An attack that successfully loads an unapproved user-space executable object into a running CVM, bypassing enforcement and evidence generation, while the protected domain is still active.
Original abstract
Confidential Virtual Machines (CVMs), such as AMD SEV-SNP, enable cloud tenants to run security-sensitive workloads, but tenants can rely on the execution of these workloads only when they can trust the CVM. This trust requires continuous integrity assurance from CVM launch to the current runtime state, including initial trust establishment at launch and subsequent runtime integrity assurance. Existing works help establish launch-time trust and protect parts of runtime integrity, but they do not fully address the integrity of file-backed user-space executable objects, such as main executables, program interpreters, and dynamically loaded shared objects, that may be loaded or mapped dynamically during execution inside CVMs. In this paper, we propose Privilege-Separated User-space Integrity Enforcement (PS-UIE), an approach for enforcing the integrity of user-space executable objects inside AMD SEV-SNP-based CVMs. PS-UIE consists of a privilege-separated architecture and three mechanisms. The architecture separates the authority for integrity measurement and enforcement from the measured targets by placing it in a higher-privileged protected domain. Built on this architecture, PS-UIE provides policy lifecycle management, execution-time integrity enforcement, and evidence export and verification mechanisms. It enables policy-controlled integrity measurement and enforcement for user-space executable objects and generates verifiable runtime evidence. We implement PS-UIE on an AMD SEV-SNP platform. The security analysis and performance evaluation show that PS-UIE enforces the integrity of user-space executable objects on the covered execute-permission grant paths and provides verifiable runtime evidence while incurring acceptable overhead.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes PS-UIE, a privilege-separated architecture for enforcing the integrity of user-space executable objects in AMD SEV-SNP confidential VMs. It separates the authority for integrity measurement and enforcement into a higher-privileged protected domain and provides mechanisms for policy lifecycle management, execution-time integrity enforcement, and evidence export and verification. The authors implement the system and claim, based on security analysis and performance evaluation, that it enforces integrity on covered execute-permission grant paths, provides verifiable runtime evidence, and incurs acceptable overhead.
Significance. If the result holds, this work is significant as it addresses the gap in runtime integrity assurance for dynamically loaded user-space objects in CVMs, which is essential for continuous trust in confidential computing. The privilege-separated design and the provision of verifiable evidence are notable strengths. The assumption that the higher-privileged domain remains secure is standard but critical; if validated, this could influence designs in confidential VM security.
major comments (1)
- [Abstract] The abstract states that security analysis and performance evaluation support the claims, but provides no data, derivations, or details to assess whether the evidence actually backs the central claim of enforcement on covered paths and acceptable overhead.
Simulated Author's Rebuttal
We thank the referee for the detailed review and constructive comment. We address the point on the abstract below and will incorporate revisions to strengthen the manuscript.
Referee: [Abstract] The abstract states that security analysis and performance evaluation support the claims, but provides no data, derivations, or details to assess whether the evidence actually backs the central claim of enforcement on covered paths and acceptable overhead.
Authors: We agree that the abstract, as currently written, summarizes the outcomes of the security analysis (Section 6) and performance evaluation (Section 7) without including quantitative details or explicit references to specific results. This is a fair observation. The full manuscript provides the supporting evidence: Section 6 details the security properties verified through formal and informal analysis (including enforcement on covered execute-permission grant paths), while Section 7 reports concrete performance measurements (e.g., overhead figures for the measured workloads). To address the concern directly, we will revise the abstract to include a concise summary of key quantitative results from the evaluation (such as the range of observed overhead) and a brief pointer to the sections containing the analysis, while preserving the abstract's length and focus. This change will make the evidential basis more transparent to readers without altering the manuscript's technical content.
Revision: yes
Circularity Check
No significant circularity; architecture and mechanisms are independently described.
The paper proposes a privilege-separated architecture for integrity enforcement in CVMs, with mechanisms for policy lifecycle, execution-time enforcement, and evidence export. No equations, fitted parameters, or self-citations are invoked in a way that reduces any central claim to its own inputs by construction. The security analysis is presented as supporting the design, but the claims rest on the described separation of privileges and implementation on AMD SEV-SNP rather than tautological redefinition or renaming of prior results. This is a standard systems contribution with external evaluation, making the derivation self-contained.
Axiom & Free-Parameter Ledger
axioms (1)
- Domain assumption: the higher-privileged protected domain remains secure and can reliably perform integrity measurement and enforcement.
invented entities (1)
- PS-UIE privilege-separated architecture (no independent evidence)
Reference graph
Works this paper leans on
- [1] D. Feng, Y. Qin, W. Feng, W. Li, K. Shang, and H. Ma, “Survey of research on confidential computing,” IET Communications, vol. 18, no. 9, pp. 535–556, 2024.
- [2] F. Mo, Z. Tarkhani, and H. Haddadi, “Machine learning with confidential computing: A systematization of knowledge,” ACM Computing Surveys, vol. 56, no. 11, pp. 1–40, 2024.
- [3] M. Ammar, A. Caulfield, and I. D. O. Nunes, “SoK: Integrity, attestation, and auditing of program execution,” in 2025 IEEE Symposium on Security and Privacy (SP). IEEE, 2025, pp. 3255–3272.
- [4] L. Wilke and G. Scopelliti, “SNPGuard: Remote attestation of SEV-SNP VMs using open source tools,” in 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, 2024, pp. 193–198.
- [5] W. Wang, L. Song, B. Mei, S. Liu, S. Zhao, S. Yan, X. Wang, D. Meng, and R. Hou, “The road to trust: Building enclaves within confidential VMs,” in 32nd Annual Network and Distributed System Security Symposium, NDSS 2025, San Diego, California, USA, February 24-28, 2025, 2025.
- [6] V. Narayanan, C. Carvalho, A. Ruocco, G. Almasi, J. Bottomley, M. Ye, T. Feldman-Fitzthum, D. Buono, H. Franke, and A. Burtsev, “Remote attestation of confidential VMs using ephemeral vTPMs,” in Proceedings of the 39th Annual Computer Security Applications Conference, 2023, pp. 732–743.
- [7] B. Mei, W. Wang, and D. Lin, “SVSM-KMS: Safeguarding keys for cloud services with encrypted virtualization,” in International Conference on Science of Cyber Security. Springer, 2024, pp. 217–235.
- [8] Z. Zhou, W. Chen, S. Gong, C. Hawblitzel, W. Cui et al., “VeriSMo: A verified security module for confidential VMs,” in 18th USENIX Symposium on Operating Systems Design and Implementation (OSDI 24), 2024, pp. 599–614.
- [9] A. Ahmad, B. Ou, C. Liu, X. Zhang, and P. Fonseca, “Veil: A protected services framework for confidential virtual machines,” in Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 4, 2023, pp. 378–393.
- [10] B. Mei, S. Xia, W. Wang, and D. Lin, “Cabin: Confining untrusted programs within confidential VMs,” in International Conference on Information and Communications Security. Springer, 2024, pp. 165–184.
- [11] F. Schwarz and C. Rossow, “00SEVen – re-enabling virtual machine forensics: Introspecting confidential VMs using privileged in-VM agents,” in 33rd USENIX Security Symposium (USENIX Security 24), 2024, pp. 1651–1668.
- [12] P. Sabanic, M. Misono, T. Bodea, J. Pritzi, M. Hackl, D. Stavrakakis, and P. Bhatotia, “Confidential serverless computing,” arXiv preprint arXiv:2504.21518, 2025.
- [13] Y. Zhang, Y. Hu, Z. Ning, F. Zhang, X. Luo, H. Huang, S. Yan, and Z. He, “Complementing confidential computing environment for applications on Arm CCA,” IEEE Trans. on Dependable Secur. Comput., 2025.
- [14] Z. Wang, J. Zhan, X. Ding, F. Zhang, and N. Hu, “TETD: Trusted execution in trust domains,” in 34th USENIX Security Symposium (USENIX Security 25), 2025, pp. 1187–1206.
- [15] R. Sailer, X. Zhang, T. Jaeger, and L. Van Doorn, “Design and implementation of a TCG-based integrity measurement architecture,” in USENIX Security Symposium, vol. 13, 2004, pp. 223–238.
- [16] M. Zohar et al., “IMA appraisal and EVM in the Linux integrity subsystem,” 2012, LWN.net article. [Online]. Available: https://lwn.net/Articles/488906/
- [17] W. Luo, Q. Shen, Y. Xia, and Z. Wu, “Container-IMA: A privacy-preserving integrity measurement architecture for containers,” in 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019), 2019, pp. 487–500.
- [18] M. Eckel and T. Riemann, “Userspace software integrity measurement,” in Proceedings of the 16th International Conference on Availability, Reliability and Security, 2021, pp. 1–11.
- [19] U. Kanonov and A. Wool, “Secure containers in Android: the Samsung Knox case study,” in Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices, 2016, pp. 3–12.
- [20] S. Dong, Y. Xiong, W. Huang, and L. Ma, “KIMS: kernel integrity measuring system based on TrustZone,” in 2020 6th International Conference on Big Data Computing and Communications (BIGCOM), 2020, pp. 103–107.
- [21] L. Song, Y. Ding, P. Dong, Y. Guo, and C. Wang, “TZ-IMA: Supporting integrity measurement for applications with Arm TrustZone,” in International Conference on Information and Communications Security, 2022, pp. 342–358.
- [22] L. Song, Y. Ding, Y. Guo, B. Li, and B. Zhou, “DIMAC: Dynamic integrity measurement architecture for containers with Arm TrustZone,” in 2024 IEEE International Conference on Web Services (ICWS), 2024, pp. 844–852.
- [23] Z. Zhao, M. Armanuzzaman, X. Tan, and Z. Ma, “Trusted execution environments in embedded and IoT systems: A CactiLab perspective,” in 2024 International Symposium on Secure and Private Execution Environment Design (SEED), 2024, pp. 96–106.
- [24] X. Liu, Y. Lai, J. Liu, and S. Luo, “TZEAMM: An efficient and secure active measurement method based on TrustZone,” Secur. Commun. Networks, vol. 2023, no. 1, p. 6921960, 2023.
- [25] J. Mao and X. Chang, “TPM2.0-supported runtime customizable TEE on FPGA-SoC with user-controllable vTPM,” arXiv preprint arXiv:2505.12256, 2025.
- [26] Y. Wang, X. Chang, H. Zhu, J. Wang, Y. Gong, and L. Li, “Towards secure runtime customizable trusted execution environment on FPGA-SoC,” IEEE Trans. on Comput., vol. 73, pp. 1138–1151, 2024.
- [27] L. Zhou, X. Ding, and F. Zhang, “SMILE: Secure memory introspection for live enclave,” in 2022 IEEE Symposium on Security and Privacy (SP), 2022, pp. 386–401.
- [28] W. Ozga, C. Fetzer et al., “Triglav: Remote attestation of the virtual machine’s runtime integrity in public clouds,” in 2021 IEEE 14th International Conference on Cloud Computing (CLOUD). IEEE, 2021, pp. 1–12.
- [29] B. Mei, W. Wang, and D. Lin, “VMPL-KMI: Protecting kernel module integrity within confidential VMs,” in 2025 IEEE 24th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). IEEE, 2025, pp. 3032–3037.
- [30] AMD SEV-SNP, “Strengthening VM isolation with integrity protection and more,” pp. 1450–1465, 2020.
- [31] AMD, “Secure VM Service Module for SEV-SNP guests,” 2026, revision 1.01.
- [32] C. Jelesnianski, M. Ismail, Y. Jang, D. Williams, and C. Min, “Protect the system call, protect (most of) the world with Bastion,” in Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3, 2023, pp. 528–541.
- [33] J. Chen, Z. Mi, Y. Xia, H. Guan, and H. Chen, “CPC: Flexible, secure, and efficient CVM maintenance with confidential procedure calls,” in 2024 USENIX Annual Technical Conference (USENIX ATC 24), 2024, pp. 1065–1082.
- [34] K. Suzaki, “Arm TrustZone OP-TEE with VERAISON verifier,” in OpenSSF Community Day Japan 2025, Jun. 2025.
- [35] [Online]. Available: https://events.linuxfoundation.org/openssf-community-day-japan/program/schedule/
- [36] J. Mao and X. Chang, “PDRIMA: A policy-driven runtime integrity measurement and attestation approach for Arm TrustZone-based TEE,” arXiv preprint arXiv:2512.06500, 2025.
- [37] J. Mao, X. Chang, L. Li, H. Zhu, and J. Fan, “Towards verifiable trust proof for trusted confidential virtual machines,” IEEE Trans. on Netw. Sci. Eng., vol. 13, pp. 552–567, 2026.
- [38] AMD SEV Engineering, “AMDSEV: AMD Secure Encrypted Virtualization,” https://github.com/AMDESE/AMDSEV, 2026, accessed: 2026-04-28.
- [39] COCONUT-SVSM Project, “COCONUT Secure VM Service Module,” https://github.com/coconut-svsm/svsm, 2026, accessed: 2026-04-28.