Here I am starting to collect a list of (mostly) papers that are relevant to Project Open TEE, which is an effort to arrive at a TEEs with acceptable security models for “web3”.

Good for understanding TEEs in general:

• SoK: Hardware-supported Trusted Execution Environments
  • the main thing I got out of this paper is a nice taxonomy of adversarial models and subproblems in TEE design
  • they also provide a framework to think about different kinds of techniques employed to solve key subproblems.
• Keystone
  • really clean explanation of how a TEE works at a high level.
• SGX explained
  • really long and detailed. Better to go looking for something specific than read front to end
• TDX Demystified
  • Mostly useful to coming to understand how TEEs actually work.
  • found the attestation section useful
  • still had some questions on the hardware
• Google’s TDX security review
  • lists a bunch of vulnerabilities found in an audit.
  • provides more colour on where keys are stored in hardware

Side Channels:

• Spectre, Meltdown
• Opening Pandora’s Box: A Systematic Study of
  New Ways Microarchitecture Can Leak Private Data
• Differential Power Analysis
• PHANTOM: practical oblivious computation in a secure processor
• Converting power channels into remote timing channels: Hertzbleed
• Silicon Echoes: Non-Invasive Trojan Detection
• Sanctum (improves over SGX in terms of cache-based side channels and access pattern leaks)
• MIRAGE: mitigating conflict-based cache attacks
• Scan Based Side Ch annel Attack on Data Encryption Standard
  • This one is old but important. Scan chains are a tool we would like to use for trojan detection, but, as this paper shows, they can introduce other attack vectors.

Fault-based attacks on TEEs

• Bypassing Isolated Execution on RISCV with Fault Injection
  • Shows how faults can be used to get around PMP which the the RISCV primitive used to provide memory isolation.
  • IMO attacks like these support the idea that we should avoid sharing hardware resources as much as possible.
• Prime Masking vs Faults
  • Fault attacks can allow attackers to observe faulty (or missing if safeguard exist) outputs that provide insight into input or intermediate values. Boolean masking does not defend well against this, but prime masking does. Boolean masking also requires minimum levels of noise present in the chip.
  • This paper builds on previous research to prove that prime masking can be efficiently applied.
• Beware Insufficient Redundancy
  • Demonstrates an attack on a design that is secure against an unrealistically weak adversary.

Security verification:

• [2023] Security Verification of the OpenTitan Hardware Root of Trust

DRAM attack and defense:

• An Off-Chip Attack on Hardware Enclaves via the Memory Bus
  • good for understanding bus attacks
• Software-Based Off-Chip Memory Protection for RISC-V Trusted Execution Environments
  • useful for understanding how memory protection works

Masking

• Unifying Leakage Models: from Probing Attacks to Noisy
  Leakage
  • Motivates the d-probe model
• Trivially and Efficiently Composing Masked Gadgets with Probe Isolating Non-Interference
  • Defines PINI which is the notion to assure composability of masked circuits
• HPC3 - Low-latency Hardware Private Circuits
  • Introduces the first 2-input AND gate in a single clock cycle for arbitrary security order. Randomness and latency can be traded off.
• Automated Generation of Masked Hardware
  • Great overview (precedes HPC-3)
  • About automated techniques to make application of masking practical
• Prime Masking vs Faults
  • Fault attacks can allow attackers to observe faulty (or missing if safeguard exist) outputs that provide insight into input or intermediate values. Boolean masking does not defend well against this, but prime masking does. Boolean masking also requires minimum levels of noise present in the chip.
  • This paper builds on previous research to prove that prime masking can be efficiently applied.

Side Channel Resistance Instruction Sets/Processors
Note, the section above provides the primitives required to build what we find in this section.

• A RISC-V Instruction Set Extension for Flexible Hardware/Software Protection of Cryptosystems Masked at High Orders
  • Introduces a bitwise masked ALU and benchmarks AES.
  • Since only bitwise, this isn’t a “general purpose masked ISE”
  • A security order is chosen and fixed at manufacturing time. Using software techniques (bit and share slicing), security orders can be increased after manufacturing.
  • Testing side-channel security of cryptographic implementations against future microarchitectures
    • Provides a language to describe microarchitecture features (typically speculative) to analyse their leakage profile.
• Threshold Implementations in Software: Micro-architectural Leakages in Algorithms
  • Gives an overview of required microarchitectural changes to facilitate secure SW masking.

Tamper Resistance

• Secure Physical Enclosures from Covers with Tamper-Resistance
  • this one is particularly appealing because the tamper-resistance is tied to secret generation. The hope would be that this implies that there is no point in the production process in which the device secrets are vulnerable to physical attackers.
• Hardware-Based Methods for Electronic Device Protection against Invasive and Non-Invasive Attacks
• Smart Anti-Tamper Conformal Coating System for Electronic Circuits
• New Insights to Key Derivation for Tamper-Evident Physical Unclonable Functions
• Automatic Extraction of Secrets from the Transistor Jungle using Laser-Assisted Side-Channel Attacks

Trojans

• Trojan Assets and Attack Vectors in Processors by Chuah et al. 2024
  • Focuses on trojans inserted in the RTL. Assumes RTL is closed.
  • Doesn’t address caches, predictors, speculation, etc. which are potent side channels for data disclosure
• This paper and update from “Bunnie” Huang are really good
• This is probably the toughest trojan that we’re aware of: Stealthy Dopant-Level Hardware Trojans. It’s addressed in Bunnie’s update above and also detected in: Reversing Stealthy Dopant-Level Circuits
• Hardware Trojan: Threats and Emerging Solutions
• Red Team vs. Blue Team: A Real-World Hardware Trojan Detection Case Study Across Four Modern CMOS Technology Generations

Irreproducible Keys (Secrecy of Hardware Secrets)

• Towards Secret-Free Security
• A PUF Taxonomy
• SIMPL Systems: On a Public Key Variant of Physical
  Unclonable Functions
• Physically Unclonable Functions: A Study on the State of the Art and Future
  Research Directions
• A Provably Secure Strong PUF Based on LWE: Construction and Implementation

Making TEEs go fast (in case we have to make them too slow to make them secure)

• PPMLAC: High Performance Chipset Architecture for Secure Mutli-Party Computation
• Toward Scalable Fully Homomorphic Encryption Through Light Trusted Computing Assistance
• Verifiable ASICs

Auditing design files

• FANCI: Identification of Stealthy Malicious Logic Using
  Boolean Functional Analysis
  • Finds triggered trojans in RTL/netlists
• A Red Team/Blue Team Assessment of Functional Analysis Methods for Malicious Circuit Identification
  • Tests FANCI