Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
8-2025
Abstract
Intel TDX empowers cloud service providers to construct confidential virtual machines called trust domains (TDs) on x86 platforms. Similar to its counterparts from AMD and Arm, TDX's hardware-based protection over integrity and secrecy of virtual machine memory and vCPU states inevitably hinders legitimate virtual machine management such as introspection. In the presence of compromised high-privileged software (e.g., the guest kernel), neither the cloud service provider nor the TD owner can securely carry out a task within the TD. To tackle this problem, we propose TETD, an in-TD trusted execution technique without trusting any TD system software. Our design does not pivot on in-VM privilege layering, a popular approach used in existing VM security enhancement schemes. Instead, we leverage the virtual machine monitor's existing capability of resource management to directly separate memory and vCPU used for trusted execution from the TD system software. We implement a TETD prototype on a TDX server and run extensive experiments. The performance overhead incurred by TETD to the TD depends on the workload. In our benchmark evaluations, the highest toll is about 6.8%. Moreover, our three applications also demonstrate that TETD provides a TD owner with a practical and secure foothold in the presence of a compromised kernel.
Discipline
Information Security
Areas of Excellence
Digital transformation
Publication
SEC '25: Proceedings of the 34th USENIX Conference on Security Symposium, Seattle, USA, August 13-15
First Page
1187
Last Page
1206
Identifier
10.5555/3766078.3766140
Publisher
ACM
City or Country
New York
Citation
WANG, Zhanbo; ZHAN, Jiaxin; DING, Xuhua; ZHANG, Fengwei; and HU, Ning.
TETD: Trusted execution in trust domains. (2025). SEC '25: Proceedings of the 34th USENIX Conference on Security Symposium, Seattle, USA, August 13-15. 1187-1206.
Available at: https://ink.library.smu.edu.sg/sis_research/10969
Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.5555/3766078.3766140