
arxiv: 2508.20962 · v2 · submitted 2025-08-28 · 💻 cs.CR · cs.SE

Characterizing Trust Boundary Vulnerabilities in TEE Containers: An Empirical Study

Pith reviewed 2026-05-18 20:37 UTC · model grok-4.3

classification 💻 cs.CR cs.SE
keywords: TEE, containers, vulnerabilities, isolation, trusted execution environments, confidential computing, attack vectors, bugs

The pith

TEE containers have exploitable flaws in their trust boundaries that allow attacks such as code execution and information leakage.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper aims to show that TEE containers (Tcons), used to protect applications in confidential computing, suffer from vulnerabilities at their isolation boundaries. The researchers built TBouncer to automatically test these boundaries across OS interfaces, encrypted I/O, and orchestration layers. If the claim holds, the security guarantees of Tcons are weaker than assumed, exposing sensitive data and computations to malicious hosts. This matters because Tcons are promoted for secure cloud deployments, yet the study finds real-world bugs that could be exploited.

Core claim

By designing TBouncer to exercise Tcon isolation boundaries, the study identifies six attack vectors leading to code execution, denial-of-service, and information leakage. This results in the discovery of twelve new bugs and three CVEs in existing Tcons.

What carries the argument

TBouncer, an automated analyzer that precisely exercises and benchmarks Tcon isolation boundaries at three critical layers.

If this is right

  • Existing Tcons must be redesigned to close gaps in OS interface handling.
  • Encrypted I/O mechanisms in Tcons require stronger protections against leakage.
  • Orchestration mechanisms need additional safeguards to prevent attacks.
  • Developers should incorporate systematic boundary testing like TBouncer in future Tcon designs.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • These vulnerabilities suggest that confidential computing platforms may need new isolation primitives beyond current TEEs.
  • Similar analysis could be applied to other container technologies in non-TEE environments to uncover hidden risks.
  • Cloud providers might need to update their threat models for TEE-based deployments based on these findings.

Load-bearing premise

That the TBouncer analyzer exercises all relevant Tcon isolation boundaries comprehensively without missing significant attack surfaces.

What would settle it

Running TBouncer on the studied Tcons and finding no exploitable vulnerabilities or that the identified bugs do not lead to the claimed attacks.

Figures

Figures reproduced from arXiv: 2508.20962 by Danfeng Zhang, Haixu Tang, Hongbo Chen, Shuo Huai, Weijie Liu, Wenhao Wang, Xiaofeng Wang, Zheli Liu, Zhen Xu, Zhi Li.

Figure 1: Timeline of TEE Middleware in three Categories
Figure 2: Interface Design of Tcons (AEX). Tcons differ in their support for raw syscall assembly instructions. Gramine routes raw syscalls and exceptions through its platform abstraction layer to the kernel. Occlum processes these exceptions internally as custom syscalls before forwarding them to the kernel. B. OS Interfaces The trust boundary between the host and the TEE can be placed at various levels, exposing …
Figure 3: Workflow of TBouncer compromised thread could interfere with others, potentially escalating into a broader security breach. Some techniques have been proposed to build a reusable enclave while ensuring non-interference between user threads [112]. Approaches to address this have relied on binary instrumentation through modified compilation toolchains [190] or hardware modifications [143, 163]. Therefore, cu…
Figure 4: Layers of Tcon Implemented VirtIO parameters from the device side. We introduce the concept of nested structuring, which is strategically employed to populate syscall arguments and virtqueue descriptors. Furthermore, we simulate the interactions occurring at the boundaries of these structures by adapting and leveraging kAFL [168]. To mutate the values from the LibOS/VM to the host OS at specific layers, …

Original abstract

Trusted Execution Environments (TEEs) have become a cornerstone of confidential computing, attracting significant attention from academia and industry. To support secure and scalable application deployment on confidential clouds, TEE containers (Tcons) have been introduced as middleware to shield applications from malicious operating systems and orchestration layers while preserving usability. In this paper, we present the first comprehensive analysis of Tcons, focusing on three critical layers: OS interfaces, encrypted I/O, and orchestration mechanisms. To enable systematic evaluation, we design TBouncer, an automated analyzer that precisely exercises and benchmarks Tcon isolation boundaries. Our study uncovers fundamental flaws in existing Tcons, leading to exploitable vulnerabilities such as code execution, denial-of-service, and information leakage. In total, we identify six attack vectors, twelve new bugs, and three CVEs. These findings provide new insights into the underestimated attack surface of Tcons and highlight key directions for building more secure and trustworthy container solutions.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper introduces TBouncer, an automated analyzer for systematically exercising isolation boundaries in TEE containers (Tcons) across OS interfaces, encrypted I/O, and orchestration layers. It reports discovering six attack vectors, twelve new bugs, and three CVEs, claiming these expose fundamental flaws leading to code execution, denial-of-service, and information leakage.

Significance. If TBouncer's coverage is shown to be comprehensive with low false negatives and the vulnerabilities are reproducible, the work would offer significant value as the first empirical characterization of Tcon trust boundaries in confidential computing. Concrete outcomes such as assigned CVEs provide practical impact and could guide improvements in TEE middleware security.

major comments (3)
  1. [§4] §4 (TBouncer Design and Implementation): The paper does not include explicit validation of TBouncer's boundary models or coverage metrics (e.g., against known enclave exit paths, I/O encryption edge cases, or orchestration policy points). This is load-bearing for the central claim of six attack vectors and systemic flaws, as incomplete exercise of isolation boundaries could mean the reported issues are only a partial sample rather than evidence of fundamental problems.
  2. [§5] §5 (Evaluation and Results): While twelve bugs and three CVEs are listed, there is no detailed mapping of specific TBouncer test cases or boundary exercises to each finding. Without this, it is hard to verify that the analyzer systematically covered all three layers without significant omissions, undermining the claim of comprehensive analysis.
  3. [§3.1] §3.1 (Threat Model): The model focuses on malicious OS and orchestration but does not address potential missed interactions (e.g., subtle enclave state transitions or encrypted I/O under concurrent access). This raises a correctness risk for the attack vector enumeration if the automated analyzer's test suite omits such cases.
minor comments (2)
  1. [Abstract] Abstract: The phrasing 'first comprehensive analysis' should be tempered with a short note on how it differs from prior partial TEE studies to avoid overstatement.
  2. [Introduction] Notation: Define acronyms like Tcon and TBouncer on first use in the main text for clarity, even if introduced in the abstract.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback on our manuscript. We have addressed each major comment below and revised the paper accordingly to improve clarity, verifiability, and completeness of the analysis.

  1. Referee: [§4] §4 (TBouncer Design and Implementation): The paper does not include explicit validation of TBouncer's boundary models or coverage metrics (e.g., against known enclave exit paths, I/O encryption edge cases, or orchestration policy points). This is load-bearing for the central claim of six attack vectors and systemic flaws, as incomplete exercise of isolation boundaries could mean the reported issues are only a partial sample rather than evidence of fundamental problems.

    Authors: We acknowledge the value of making boundary model validation more explicit. In the revised manuscript, we have added a new subsection to §4 that details the boundary models employed by TBouncer, including direct comparisons against documented enclave exit paths, I/O encryption edge cases, and orchestration policy enforcement points. We also report quantitative coverage metrics (e.g., exercised interface counts and false-negative estimates derived from known vulnerability databases), which support that the six attack vectors reflect systemic issues rather than incomplete sampling. revision: yes

  2. Referee: [§5] §5 (Evaluation and Results): While twelve bugs and three CVEs are listed, there is no detailed mapping of specific TBouncer test cases or boundary exercises to each finding. Without this, it is hard to verify that the analyzer systematically covered all three layers without significant omissions, undermining the claim of comprehensive analysis.

    Authors: We agree that an explicit mapping strengthens verifiability. The revised §5 now includes a new table that maps each TBouncer test case and boundary exercise to the specific bugs and CVEs discovered. This table shows coverage across all three layers (OS interfaces, encrypted I/O, and orchestration) and confirms that the reported findings correspond to systematic exercises rather than ad-hoc testing. revision: yes

  3. Referee: [§3.1] §3.1 (Threat Model): The model focuses on malicious OS and orchestration but does not address potential missed interactions (e.g., subtle enclave state transitions or encrypted I/O under concurrent access). This raises a correctness risk for the attack vector enumeration if the automated analyzer's test suite omits such cases.

    Authors: The threat model in §3.1 is deliberately scoped to the primary adversaries assumed by TEE container designs. To address the concern about missed interactions, we have expanded the discussion in the revised §3.1 to explicitly consider subtle enclave state transitions and concurrent encrypted I/O access. We have also augmented TBouncer with additional test cases targeting these scenarios; the results did not reveal further vulnerabilities, thereby reducing the correctness risk for the enumerated attack vectors. revision: partial

Circularity Check

0 steps flagged

No circularity: empirical testing with no self-referential derivation


This is an empirical security analysis paper that designs and applies the TBouncer analyzer to exercise Tcon isolation boundaries across OS interfaces, encrypted I/O, and orchestration, then reports discovered vulnerabilities, bugs, and CVEs from direct testing. No mathematical derivation chain, equations, fitted parameters renamed as predictions, or load-bearing self-citations exist; the central claims rest on observable test outcomes rather than any reduction to the analyzer's own inputs by construction. The work is self-contained against external benchmarks of real Tcons and does not invoke uniqueness theorems or ansatzes from prior author work.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The work rests on standard domain assumptions about TEE isolation properties and introduces a new testing tool; no free parameters or invented entities are evident from the abstract.

axioms (1)
  • domain assumption TEE containers shield applications from malicious operating systems and orchestration layers while preserving usability.
    This premise underpins the motivation and evaluation of Tcons as described in the abstract.


Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. EBCC: Enclave-Backed Confidential Containers via OCI-Compatible Runtime Integration

    cs.CR 2026-05 unverdicted novelty 7.0

    EBCC provides an OCI-compatible runtime architecture that unifies REE and TEE stages for confidential containers while preserving standard lifecycle operations behind a backend adapter.
