Reducing the Price of Protection: Identifying and Migrating Non-Sensitive Code in TEE

Yin Liu, E. Tilevich
Published in: 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2020-12-01
DOI: 10.1109/TrustCom50675.2020.00028 (https://doi.org/10.1109/TrustCom50675.2020.00028)

Abstract

As the trusted computing base (TCB) unnecessarily increases its size, the performance and security of Trusted Execution Environments (TEE) can deteriorate rapidly. Existing solutions focus on placing only the necessary program parts in TEE, but neglect the numerous cases of legacy software with misplaced TEE-based non-sensitive code. In this paper, we introduce a new type of software refactoring—TEE Insourcing—that identifies and migrates non-sensitive code out of TEE. We present TEE-DRUP, the first semi-automated TEE Insourcing framework whose process comprises two phases: (1) a variable sensitivity analysis designates each variable as sensitive or non-sensitive; (2) a compiler-assisted program transformation automatically moves the functions that never operate on the sensitive variables out of TEE. Developers can participate to verify and confirm sensitive variables, and specify additional non-sensitive functions to migrate. The evaluation results of TEE-DRUP on real-world programs are encouraging. TEE-DRUP distinguishes between sensitive and non-sensitive variables with satisfactory accuracy, precision, and recall — all of their actual values are greater than 80% in the majority of evaluation scenarios. Further, moving non-sensitive code out of TEE improves system performance, with the speedup ranging between 1.35 and 10K. Finally, TEE-DRUP's automated program transformation requires only a small programming effort.