{"id":"https://openalex.org/W7116954410","doi":"https://doi.org/10.48550/arxiv.2512.17363","title":"What You Trust Is Insecure: Demystifying How Developers (Mis)Use Trusted Execution Environments in Practice","display_name":"What You Trust Is Insecure: Demystifying How Developers (Mis)Use Trusted Execution Environments in Practice","publication_year":2025,"publication_date":"2025-12-19","ids":{"openalex":"https://openalex.org/W7116954410","doi":"https://doi.org/10.48550/arxiv.2512.17363"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2512.17363","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2512.17363","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2512.17363","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5121074362","display_name":"Yuqing Niu","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Niu, Yuqing","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5002667771","display_name":"Jieke Shi","orcid":"https://orcid.org/0000-0002-0799-5018"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Shi, Jieke","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5037808916","display_name":"Ruidong Han","orcid":"https://orcid.org/0000-0001-6859-6005"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Han, Ruidong","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5121033389","display_name":"Ye Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Ye","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5121060142","display_name":"Chengyan Ma","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ma, Chengyan","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5016180477","display_name":"Yunbo Lyu","orcid":"https://orcid.org/0009-0004-2522-7348"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Lyu, Yunbo","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5081036622","display_name":"David Lo","orcid":"https://orcid.org/0000-0002-4367-7201"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Lo, David","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5121074362"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.951200008392334,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.951200008392334,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.025699999183416367,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12122","display_name":"Physical Unclonable Functions (PUFs) and Hardware Security","score":0.00279999990016222,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/usability","display_name":"Usability","score":0.757099986076355},{"id":"https://openalex.org/keywords/software-portability","display_name":"Software portability","score":0.708899974822998},{"id":"https://openalex.org/keywords/trusted-computing","display_name":"Trusted Computing","score":0.5778999924659729},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.5285999774932861},{"id":"https://openalex.org/keywords/cryptography","display_name":"Cryptography","score":0.46869999170303345},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.45080000162124634},{"id":"https://openalex.org/keywords/trusted-computing-base","display_name":"Trusted computing base","score":0.44589999318122864},{"id":"https://openalex.org/keywords/focus","display_name":"Focus (optics)","score":0.4000999927520752},{"id":"https://openalex.org/keywords/best-practice","display_name":"Best practice","score":0.3978999853134155}],"concepts":[{"id":"https://openalex.org/C170130773","wikidata":"https://www.wikidata.org/wiki/Q216378","display_name":"Usability","level":2,"score":0.757099986076355},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7484999895095825},{"id":"https://openalex.org/C63000827","wikidata":"https://www.wikidata.org/wiki/Q3080428","display_name":"Software portability","level":2,"score":0.708899974822998},{"id":"https://openalex.org/C2776831232","wikidata":"https://www.wikidata.org/wiki/Q966812","display_name":"Trusted Computing","level":2,"score":0.5778999924659729},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.5285999774932861},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5127999782562256},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.46869999170303345},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.45080000162124634},{"id":"https://openalex.org/C147346212","wikidata":"https://www.wikidata.org/wiki/Q5492632","display_name":"Trusted computing base","level":4,"score":0.44589999318122864},{"id":"https://openalex.org/C192209626","wikidata":"https://www.wikidata.org/wiki/Q190909","display_name":"Focus (optics)","level":2,"score":0.4000999927520752},{"id":"https://openalex.org/C184356942","wikidata":"https://www.wikidata.org/wiki/Q830382","display_name":"Best practice","level":2,"score":0.3978999853134155},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.39660000801086426},{"id":"https://openalex.org/C179518139","wikidata":"https://www.wikidata.org/wiki/Q5140297","display_name":"Coding (social sciences)","level":2,"score":0.38040000200271606},{"id":"https://openalex.org/C38369872","wikidata":"https://www.wikidata.org/wiki/Q7445009","display_name":"Security analysis","level":2,"score":0.3319000005722046},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.33079999685287476},{"id":"https://openalex.org/C199519371","wikidata":"https://www.wikidata.org/wiki/Q942695","display_name":"Source lines of code","level":3,"score":0.31310001015663147},{"id":"https://openalex.org/C1009929","wikidata":"https://www.wikidata.org/wiki/Q179550","display_name":"Software bug","level":3,"score":0.30799999833106995},{"id":"https://openalex.org/C120936955","wikidata":"https://www.wikidata.org/wiki/Q2155640","display_name":"Empirical research","level":2,"score":0.3025999963283539},{"id":"https://openalex.org/C187303228","wikidata":"https://www.wikidata.org/wiki/Q867330","display_name":"Cyclomatic complexity","level":3,"score":0.29820001125335693},{"id":"https://openalex.org/C169796023","wikidata":"https://www.wikidata.org/wiki/Q3708936","display_name":"Direct Anonymous Attestation","level":3,"score":0.29120001196861267},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.2824999988079071},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.2824000120162964},{"id":"https://openalex.org/C139089976","wikidata":"https://www.wikidata.org/wiki/Q2142273","display_name":"Trusted third party","level":2,"score":0.2736000120639801},{"id":"https://openalex.org/C2778306010","wikidata":"https://www.wikidata.org/wiki/Q606563","display_name":"Health Insurance Portability and Accountability Act","level":3,"score":0.2565000057220459},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.2513999938964844}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2512.17363","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2512.17363","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2512.17363","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2512.17363","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Trusted":[0],"Execution":[1],"Environments":[2],"(TEEs),":[3],"such":[4,221],"as":[5,152,222],"Intel":[6,75],"SGX":[7,76],"and":[8,16,21,29,61,77,96,111,140,165,189,204,225,247],"ARM":[9,78],"TrustZone,":[10],"provide":[11],"isolated":[12],"regions":[13],"of":[14,55,169,176,209,211,244],"CPU":[15],"memory":[17],"for":[18,240],"secure":[19],"computation":[20],"are":[22,161],"increasingly":[23],"used":[24],"to":[25,191],"protect":[26],"sensitive":[27],"data":[28],"code":[30],"across":[31,99],"diverse":[32],"application":[33,109],"domains.":[34],"However,":[35],"little":[36],"is":[37,126,149],"known":[38],"about":[39],"how":[40,159],"developers":[41,249],"actually":[42],"use":[43,124],"TEEs":[44,160],"in":[45,114,250],"practice.":[46],"This":[47],"paper":[48],"presents":[49],"the":[50,70,105,122,170,212,242],"first":[51],"large-scale":[52],"empirical":[53],"study":[54],"real-world":[56],"TEE":[57,115,245],"applications.":[58],"We":[59,119],"collected":[60],"analyzed":[62,158],"241":[63],"open-source":[64],"projects":[65,106,171,213],"from":[66],"GitHub":[67],"that":[68,121,167,182,206],"utilize":[69],"two":[71],"most":[72],"widely-adopted":[73],"TEEs,":[74,220],"TrustZone.":[79],"By":[80],"combining":[81],"manual":[82,202],"inspection":[83,203],"with":[84,134],"customized":[85],"static":[86],"analysis":[87],"scripts,":[88],"we":[89,103,157,197],"examined":[90,198],"their":[91,231],"adoption":[92,116],"contexts,":[93],"usage":[94],"patterns,":[95],"development":[97],"practices":[98,200],"three":[100],"phases.":[101],"First,":[102],"categorized":[104],"into":[107,163],"8":[108],"domains":[110],"identified":[112],"trends":[113],"over":[117],"time.":[118],"found":[120,205],"dominant":[123],"case":[125],"IoT":[127],"device":[128],"security":[129,199,233],"(30%),":[130],"which":[131,229],"contrasts":[132],"sharply":[133],"prior":[135],"academic":[136],"focus":[137],"on":[138],"blockchain":[139],"cryptographic":[141,173],"systems":[142],"(7%),":[143],"while":[144],"AI":[145],"model":[146],"protection":[147],"(12%)":[148],"rapidly":[150],"emerging":[151],"a":[153],"growing":[154],"domain.":[155],"Second,":[156],"integrated":[162],"software":[164,252],"observed":[166],"32.4%":[168],"reimplement":[172],"functionalities":[174],"instead":[175],"using":[177,219],"official":[178],"SDK":[179],"APIs,":[180],"suggesting":[181],"current":[183],"SDKs":[184,246],"may":[185],"have":[186,237],"limited":[187],"usability":[188,243],"portability":[190],"meet":[192],"developers'":[193],"practical":[194],"needs.":[195],"Third,":[196],"through":[201],"25.3%":[207],"(61":[208],"241)":[210],"exhibit":[214],"insecure":[215],"coding":[216],"behaviors":[217],"when":[218],"hardcoded":[223],"secrets":[224],"missing":[226],"input":[227],"validation,":[228],"undermine":[230],"intended":[232],"guarantees.":[234],"Our":[235],"findings":[236],"important":[238],"implications":[239],"improving":[241],"supporting":[248],"trusted":[251],"development.":[253]},"counts_by_year":[],"updated_date":"2025-12-23T23:15:37.779995","created_date":"2025-12-23T00:00:00"}