Pith: machine review for the scientific record.

arXiv: 2603.00178 · v2 · submitted 2026-02-26 · cs.CR · cs.AR · cs.OS


A TEE-Based Architecture for Confidential and Dependable Process Attestation in Authorship Verification


Pith reviewed 2026-05-15 18:28 UTC · model grok-4.3

classification: cs.CR · cs.AR · cs.OS
keywords: trusted execution environment, process attestation, authorship verification, tamper resistance, dependability model, evidence chain, Intel SGX

The pith

A TEE architecture collects continuous process attestation evidence with hardware tamper resistance against adversarial platform owners.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes an architecture for collecting evidence that a continuous physical process such as authorship actually occurred, using Trusted Execution Environments to ensure the collection remains reliable even if the attesting party controls the platform. It introduces graduated assurance levels for input data and a Markov-chain model to measure the dependability of the evidence chain in terms of availability and recovery times. This approach addresses the challenge of maintaining tamper resistance in scenarios where standard software checks could be compromised by the user themselves.

Core claim

We present the first architecture for continuous process attestation evidence collection inside TEEs, providing hardware-backed tamper resistance against trust-inverted adversaries with graduated input assurance from software-channel integrity (Tier 1) through hardware-bound input (Tier 3). A resilient evidence chain protocol maintains chain integrity across TEE crashes, network partitions, and enclave migration. A Markov-chain dependability model quantifies Evidence Chain Availability, Mean Time Between Evidence Gaps, and Recovery Time Objectives, with evaluation showing low overhead and high availability on Intel SGX.

What carries the argument

The resilient evidence chain protocol, which maintains integrity across crashes and migrations while providing graduated input assurance tiers.

If this is right

  • Evidence Chain Availability exceeds 99.5 percent under Poisson failure models in Monte Carlo simulations.
  • Per-checkpoint CPU overhead remains under 25 percent, equating to less than 0.3 percent over 30-second intervals.
  • Recovery from sealed state occurs in under 200 milliseconds.
  • Formal security bounds apply under combined threat models of trust inversion and TEE side channels.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • This method could support verification in distributed systems where participants may not fully trust the local hardware.
  • Extensions to other continuous monitoring tasks, such as sensor streams, become feasible with similar isolation.
  • Empirical validation of side-channel bounds would strengthen the practical deployment of such systems.

Load-bearing premise

The security guarantees depend on a conjectural bound on side-channel leakage that requires empirical validation.

What would settle it

Observing side-channel leakage in a deployed TEE that exceeds the conjectural bound esc would invalidate the formal security analysis.

Figures

Figures reproduced from arXiv: 2603.00178 by David Condrey.

Figure 1: TEE-based process attestation architecture. The evidence collection pipeline (SWF engine, CDCE generator) runs inside the TEE enclave. The author and writing application are adversary-controlled. Sealed storage enables crash recovery. Evidence flows to the Verifier via RA-TLS.
Figure 2: CTMC for evidence collection availability. Evidence is produced only in SA; SD buffers locally during partitions.
Figure 3: Evidence Chain Availability vs. crash rate for sealed recovery and cold-restart-only configurations. Simulation over 10,000 hours with network partition rate λp = 10^-2 /h. Sealed recovery maintains ECA > 99.5% for crash rates up to 10^-2 /h. Results: simulated ECA of 99.95% with sealed recovery (λc = 10^-3 /h), matching Theorem 2 to within 0.01%; 99.72% without (cold restart only).
Original abstract

Process attestation systems verify that a continuous physical process, such as human authorship, actually occurred, rather than merely checking system state. These systems face a fundamental dependability challenge: the evidence collection infrastructure must remain available and tamper-resistant even when the attesting party controls the platform. Trusted Execution Environments (TEEs) provide hardware-enforced isolation that can address this challenge, but their integration with continuous process attestation introduces novel resilience requirements not addressed by existing frameworks. We present the first architecture for continuous process attestation evidence collection inside TEEs, providing hardware-backed tamper resistance against trust-inverted adversaries with graduated input assurance from software-channel integrity (Tier 1) through hardware-bound input (Tier 3). We develop a Markov-chain dependability model quantifying Evidence Chain Availability (ECA), Mean Time Between Evidence Gaps (MTBEG), and Recovery Time Objectives (RTO). We introduce a resilient evidence chain protocol maintaining chain integrity across TEE crashes, network partitions, and enclave migration. Our security analysis derives formal bounds under combined threat models including trust inversion and TEE side channels, parameterized by a conjectural side-channel leakage bound esc that requires empirical validation. Evaluation on Intel SGX demonstrates under 25% per-checkpoint CPU overhead (<0.3% of the 30 s checkpoint interval), >99.5% Evidence Chain Availability (ECA) (the fraction of session time with active evidence collection) in Monte Carlo simulation under Poisson failure models, and sealed-state recovery under 200 ms.
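The Markov-chain dependability model the abstract describes, as an added worked example (not code from the paper): a three-state continuous-time Markov chain with the SA and SD states of Figure 2 plus a crashed state, driven with the crash rate λc and partition rate λp quoted in the Figure 3 caption. The chain structure, the partition-heal time and the cold-restart time are assumptions made for this example; the sealed-recovery rate corresponds to the 200 ms sealed-state recovery reported in the abstract. The closed-form steady-state ECA is checked against a Monte Carlo run, and MTBEG and the observed RTO are derived from the same chain.

```python
import random

# Assumed three-state CTMC, after Figure 2: evidence is produced only in SA.
SA, SD, SC = "SA", "SD", "SC"   # active / partitioned (buffering) / crashed

# Rates are per hour. LAM_C and LAM_P are the values quoted in the Figure 3
# caption; the repair rates below are assumptions for this example.
LAM_C, LAM_P = 1e-3, 1e-2            # enclave crash rate, network partition rate
MU_P = 20.0                          # partitions heal in 3 min on average (assumed)
MU_SEALED = 3600.0 / 0.2             # sealed-state recovery in 200 ms (abstract's RTO)
MU_COLD = 6.0                        # cold restart in 10 min on average (assumed)

def steady_state_eca(lam_c, lam_p, mu_c, mu_p):
    """Closed-form ECA: steady-state probability of SA.  Follows from the
    balance equations pi_SD = pi_SA*lam_p/mu_p and pi_SC = pi_SA*lam_c/mu_c."""
    return 1.0 / (1.0 + lam_p / mu_p + lam_c / mu_c)

def mtbeg(lam_c, lam_p):
    """Mean Time Between Evidence Gaps: expected sojourn in SA before either
    of the two competing exponential events (crash or partition) fires."""
    return 1.0 / (lam_c + lam_p)

def simulate(lam_c, lam_p, mu_c, mu_p, hours, seed=7):
    """Gillespie-style Monte Carlo of the chain over `hours` of session time.
    Returns (ECA, number of evidence gaps, worst observed crash RTO in seconds)."""
    rng = random.Random(seed)
    t, state = 0.0, SA
    active, gaps, worst_rto = 0.0, 0, 0.0
    while t < hours:
        if state == SA:
            out = lam_c + lam_p
            dwell = min(rng.expovariate(out), hours - t)   # clip at horizon
            active += dwell
            t += dwell
            if t >= hours:
                break
            gaps += 1
            # Which competing event ended the SA sojourn?
            state = SC if rng.random() < lam_c / out else SD
        elif state == SD:
            t += rng.expovariate(mu_p)                      # partition heals
            state = SA
        else:                                               # SC: down until recovered
            dwell = rng.expovariate(mu_c)
            worst_rto = max(worst_rto, dwell * 3600.0)
            t += dwell
            state = SA
    return active / hours, gaps, worst_rto

def compare(hours=10_000):
    """ECA for sealed recovery vs cold restart, analytic and simulated."""
    out = {}
    for name, mu_c in (("sealed", MU_SEALED), ("cold", MU_COLD)):
        eca, gaps, rto = simulate(LAM_C, LAM_P, mu_c, MU_P, hours)
        out[name] = {"eca_model": steady_state_eca(LAM_C, LAM_P, mu_c, MU_P),
                     "eca_sim": eca, "gaps": gaps, "worst_rto_s": rto}
    return out

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:6s} ECA model {r['eca_model']:.5f}  sim {r['eca_sim']:.5f}  "
              f"gaps {r['gaps']}  worst RTO {r['worst_rto_s']:.1f}s")
    print(f"MTBEG = {mtbeg(LAM_C, LAM_P):.1f} h")
```

With these assumed repair rates the partition term dominates the unavailability, which is why sealed recovery makes crashes almost invisible in the ECA while a slow cold restart does not.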

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes the first TEE-based architecture for continuous process attestation evidence collection in authorship verification. It provides hardware-backed tamper resistance against trust-inverted adversaries via graduated input assurance tiers (software-channel to hardware-bound). A Markov-chain dependability model quantifies Evidence Chain Availability (ECA), Mean Time Between Evidence Gaps (MTBEG), and Recovery Time Objectives (RTO). A resilient evidence chain protocol handles TEE crashes, partitions, and migration. Security analysis derives formal bounds under combined threat models (trust inversion + TEE side channels) parameterized by conjectural leakage esc. SGX evaluation reports <25% CPU overhead per checkpoint, >99.5% ECA in Monte Carlo simulation under Poisson failures, and <200 ms recovery.

Significance. If the central claims hold after addressing the esc parameterization, the work would advance confidential computing by integrating TEE isolation with continuous attestation for dependability against strong adversaries. The Markov model and protocol offer quantifiable metrics and resilience properties not addressed in prior TEE frameworks. Simulation results under standard failure models provide practical evidence of low overhead and high availability, strengthening applicability to authorship verification scenarios.

major comments (2)
  1. [Security analysis] Security analysis (abstract and § on formal bounds): The tamper-resistance claims rest on formal bounds under trust inversion and side-channel threats that are explicitly parameterized by the conjectural esc leakage quantity. No empirical upper bound, measurement, or sensitivity analysis of esc is provided in the evaluation, which reports only CPU overhead, ECA, and recovery latency. This leaves the security statements conditional rather than unconditional.
  2. [Evaluation] Evaluation and dependability model: The Monte Carlo results claim >99.5% ECA and <200 ms RTO under Poisson models, but the manuscript provides no detailed derivations, parameter fitting, or full data for the Markov chain. Without these, it is not possible to verify how the model parameters were obtained or whether they support the cross-scenario claims.
minor comments (2)
  1. [Abstract] The abstract asserts this is the 'first architecture' for continuous process attestation inside TEEs; a short related-work paragraph contrasting with existing TEE attestation schemes would clarify the precise novelty.
  2. [Security analysis] Notation for esc is introduced without an explicit definition or range in the provided text; adding a table or equation defining its units and assumed bounds would improve clarity.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback and for recognizing the novelty of the TEE-based continuous attestation architecture. We address each major comment below and will revise the manuscript to strengthen the security analysis and evaluation transparency.

Point-by-point responses
  1. Referee: [Security analysis] Security analysis (abstract and § on formal bounds): The tamper-resistance claims rest on formal bounds under trust inversion and side-channel threats that are explicitly parameterized by the conjectural esc leakage quantity. No empirical upper bound, measurement, or sensitivity analysis of esc is provided in the evaluation, which reports only CPU overhead, ECA, and recovery latency. This leaves the security statements conditional rather than unconditional.

    Authors: We agree that the security claims are conditional on the conjectural parameter esc, as already noted in the manuscript. In the revised version we will add a dedicated sensitivity analysis subsection that varies esc over a plausible range (0 to 0.05) and reports the resulting changes to the formal bounds on evidence integrity. This will quantify how the tamper-resistance guarantees degrade with increasing leakage and will make the conditional nature of the claims explicit with supporting figures. revision: yes

  2. Referee: [Evaluation] Evaluation and dependability model: The Monte Carlo results claim >99.5% ECA and <200 ms RTO under Poisson models, but the manuscript provides no detailed derivations, parameter fitting, or full data for the Markov chain. Without these, it is not possible to verify how the model parameters were obtained or whether they support the cross-scenario claims.

    Authors: We will expand the evaluation section and add an appendix containing the full Markov-chain transition matrix, the derivation of state probabilities from the Poisson failure rates, the exact parameter values used in the Monte Carlo runs, and the simulation configuration. These additions will allow independent verification of the ECA, MTBEG, and RTO results across the reported scenarios. revision: yes

Circularity Check

0 steps flagged

Derivation chain is self-contained with no circular reductions

Full rationale

The paper derives its Markov-chain dependability model for ECA, MTBEG, and RTO from standard dependability techniques applied to TEE isolation and crash-recovery properties, without defining any quantity in terms of its own outputs. The resilient evidence chain protocol is constructed from TEE primitives (sealing, migration) and does not reduce to fitted parameters or self-referential definitions. Security bounds are explicitly parameterized by the external conjectural esc (requiring separate empirical validation) rather than derived from the paper's measurements. Evaluation metrics (CPU overhead, ECA under Poisson models, recovery latency) are reported as independent observations and do not close any loop back into the model equations or protocol definitions. No self-citation load-bearing steps or ansatz smuggling appear in the load-bearing claims.

Axiom & Free-Parameter Ledger

1 free parameter · 1 axiom · 0 invented entities

The architecture rests on standard TEE isolation properties as a domain assumption and introduces a conjectural leakage parameter esc without independent empirical support or a falsifiable handle outside the paper.

free parameters (1)
  • esc
    Conjectural side-channel leakage bound used to parameterize formal security bounds in the analysis.
axioms (1)
  • domain assumption: Trusted Execution Environments provide hardware-enforced isolation that remains available and tamper-resistant against trust-inverted adversaries
    Invoked as the foundation for tamper resistance and evidence collection in the architecture description.

pith-pipeline@v0.9.0 · 5566 in / 1370 out tokens · 46390 ms · 2026-05-15T18:28:04.380216+00:00

