Execution integrity without implicit trust of system software

Proceedings of the 4th Workshop on System Software for Trusted Execution (2019)

Abstract
When trusted application code in a TEE computes over results produced by an untrusted kernel and hypervisor [1, 2], it is difficult at best to reason about the secrecy and integrity properties achieved by the overall ensemble---to establish, despite the wide breadth of the Linux system call interface, that in-enclave code is immune to Iago attacks [3]. In this paper, we argue that an attractive use case for TEEs is tamper-proof audit: the TEE executes a trusted observer (TO) that allows efficient offline validation that application code running outside the TEE has executed as expected. We describe a TO design that inherently does not require any trust of system call results (and thus of the kernel or hypervisor), and DOG, a prototype TO implementation for Intel SGX that upholds application execution integrity, even for applications that do not fit within today's SGX virtual memory limits, and incurs modest execution overhead.