SysTEX '25

8th Workshop on System Software for Trusted Execution (SysTEX 2025)

July 4th, 2025

Program

09:45-10:00 Opening and Welcome [ Slides ]
10:00-11:00 Keynote: Shweta Shinde (ETH Zurich), Lessons from a Decade of Confidential Computing [ Slides ]
Abstract:Trusted execution environments (TEEs) have long promised stronger hardware-based security boundaries, but over the past decade, they have coalesced into something broader and more impactful: Confidential Computing. In 2015, Intel SGX marked a seminal moment—ushering in new hardware security primitives—and, perhaps not coincidentally, the very term "Confidential Computing" emerged the same year. Now, in 2025, Confidential Computing has entered the mainstream. It is supported across all major ISAs, championed by hardware vendors, integrated into cloud service offerings, and embedded in an expanding set of real-world applications. As we increasingly rely on large-scale, cloud-based infrastructures for security-sensitive workloads, Confidential Computing stands at the center of this shift.
This talk will take a reflective and systems-oriented view of the evolution of Confidential Computing: from the early abstractions of process-level enclaves, to confidential virtual machines, and now to confidential accelerators. With each step, the security model, trust boundaries, and threat landscape have shifted—sometimes in subtle but profound ways. Drawing from a decade of both offensive and defensive research, this talk will explore not only how we got here, but also the missteps, lessons, and enduring challenges that remain.
At this critical juncture, the goal is to distill insights that can help the research community chart the next decade of Confidential Computing—responsibly, rigorously, and with a deep appreciation for the hard-earned lessons of the past.
Bio: Shweta Shinde is a tenure-track assistant professor at ETH Zurich, where she leads the Secure and Trustworthy Systems Group. Her research is broadly at the intersection of trusted computing, system security, and program analysis. Her group focuses on foundational aspects of confidential computing to protect phones, servers, and accelerators as well as practical aspects of building large systems.
11:00-11:30 Coffee Break
11:30-13:00 Session 1: Pot Pourri
11:30: An Early Experience with Confidential Computing Architecture for On-Device Model Protection [ Slides ]
Sina Abdollahi (Imperial College London), Mohammad Maheri (Imperial College London), Sandra Siby (New York University Abu Dhabi), Marios Kogias (Imperial College London), Hamed Haddadi (Imperial College London & Brave Software)
Artifact Evaluated: AvailableArtifact Evaluated: FunctionalArtifact Evaluated: Reusable
11:55: Proving Attributes about Confidential Compute Services with Validation and Endorsement Services [ Slides ]
Anjo Vahldiek-Oberwagner (Intel Labs), Marcela S. Melara (Intel Labs)
Short Research Statement
12:10: End-to-End Confidentiality with SEV-SNP Leveraging In-Memory Storage [ Slides ]
Lorenzo Brescia (University of Turin, University of Neuchatel), Iacopo Colonnelli (University of Turin), Valerio Schiavoni (University of Neuchatel), Pascal Felber (University of Neuchatel), Marco Aldinucci (University of Turin)
Artifact Evaluated: AvailableArtifact Evaluated: FunctionalArtifact Evaluated: Reusable
12:35: Enclave Application Cache for RISC-V Keystone [ Slides ]
Takumu Umezawa (Waseda University), Akihiro Saiki (Waseda University), Keiji Kimura (Waseda University)
Artifact Evaluated: AvailableArtifact Evaluated: FunctionalArtifact Evaluated: Reusable
13:00-14:00 Lunch Break
14:00-16:10 Session 2: Tools & Trust
14:00: OPENCCA: An Open Framework to Enable Arm CCA Research [ Slides ]
Andrin Bertschi (ETH Zurich), Shweta Shinde (ETH Zurich)
Best Paper Award
14:25: Principled Symbolic Validation of Enclaves on Low-End Microcontrollers [ Slides ]
Gert-Jan Goossens (DistriNet, KU Leuven), Jo Van Bulck (DistriNet, KU Leuven)
Artifact Evaluated: AvailableArtifact Evaluated: FunctionalArtifact Evaluated: Reusable
14:50: Why I Stopped Caring About the TCB [ Slides ]
Adrien Ghosn (Azure Research), Marios Kogias (Imperial College London)
Short Research Statement
15:05: Wait a Cycle: Eroding Cryptographic Trust in Low-End TEEs via Timing Side Channels [ Slides ]
Ruben Van Dijck (DistriNet, KU Leuven), Marton Bognar (DistriNet, KU Leuven), Jo Van Bulck (DistriNet, KU Leuven)
Artifact Evaluated: AvailableArtifact Evaluated: FunctionalArtifact Evaluated: Reusable
Best Paper with Artifacts Award
15:30: Narrowing the Gap between TEEs Threat Model and Deployment Strategies [ Slides ]
Filip Rezabek (Flashbots, Department of Informatics, Technical University of Munich, Germany), Jonathan Passerat-Palmbach (Flashbots, Imperial College London), Moe Mahhouk (Flashbots), Frieder Erdmann (Flashbots), Andrew Miller (Flashbots)
Short Research Statement
15:45: Atlas: A Framework for ML Lifecycle Provenance & Transparency
Marcin Spoczynski (Intel Labs), Marcela S. Melara (Intel Labs), Sebastian Szyller (Intel Labs)
Closing Remarks
16:10-16:30 Coffee Break
16:30-open end Breakout Discussion