Papers
Topics
Authors
Recent
Search
2000 character limit reached

Cerisier: A Program Logic for Attestation in a Capability Machine

Published 15 Apr 2026 in cs.PL | (2604.13638v2)

Abstract: A key feature in trusted computing is attestation, which allows encapsulated components (enclaves) to prove their identity to (local or remote) distrusting components. Reasoning about software that uses the technique requires tracking how trust evolves after successful attestation. This process is security-critical and non-trivial, but no existing formal verification technique supports modular reasoning about attestation of enclaves and their clients, or proving end-to-end properties for systems combining trusted, untrusted and attested code. We contribute Cerisier, the first program logic for modular reasoning about trusted, untrusted and attested code, fully mechanized in the Iris separation logic and the Rocq Prover. We formalize a recent proposal, CHERI-TrEE, to extend capability machines with enclave primitives, as an extension to the Cerise capability machine and program logic. Our program logic comes with a universal contract for untrusted code, which captures both capability safety and local enclave attestation. Like Cerise, this universal contract is phrased in terms of a logical relation defining capabilities' authority. We demonstrate Cerisier by proving end-to-end properties for three representative applications of trusted computing: secure outsourced computation, mutual attestation and a modeled trusted sensor component.

Summary

  • The paper presents Cerisier, a logic that formally verifies attestation mechanisms in capability machines with proven soundness guarantees.
  • It integrates Iris separation logic and CHERI-TrEE primitives to enforce exclusive memory ownership and sealed capabilities for secure enclave interactions.
  • Case studies demonstrate its effectiveness in secure outsourced computation, mutual attestation, and trusted sensor readout, ensuring robust system-wide safety.

Cerisier: A Program Logic for Attestation in a Capability Machine

Introduction and Motivation

The paper introduces Cerisier, a program logic developed for modular, formal reasoning about attestation in capability machines, specifically targeting systems where trusted, untrusted, and attested code coexist. The motivation stems from the growing demand in trusted computing for rigorous verification of systems involving enclaves—isolated components capable of proving their identity via attestation to other distrusting components. This is a critical requirement for applications such as secure outsourced computation, DRM, and sensor readout, where trust evolves dynamically and needs robust guarantees even in adversarial contexts.

Existing formal verification techniques are insufficient for end-to-end guarantees in such mixed-trust settings; they often restrict themselves to specific system layers (e.g., cryptographic firmware or hardware) without capturing interactions between enclaves, clients, and adversaries. Cerisier addresses this gap by extending the Cerise capability machine model and logic with primitives for attestation, exclusive memory ownership, and sealed capabilities as formalized in CHERI-TrEE. All components are mechanized within Iris separation logic and the Rocq Prover, with proofs available in the accompanying artifact.

Technical Foundations: Capability Machines, Cerise, and CHERI-TrEE

Capability machines like CHERI-RISC-V expose fine-grained primitives for memory isolation and authority transfer, using unforgeable tokens (capabilities) to mediate access to memory and code. Cerisier builds on the Cerise machine, which distinguishes between ordinary integers and capabilities (memory, sentry, sealing), allowing rigorous enforcement of encapsulation and controlled invocation.

Cerise’s program logic is based on Iris, supporting separation and higher-order reasoning about state and invariants. It formalizes a universal contract for safe interaction with adversarial code, mediated by logical relations defining the authority of capabilities. This relation is recursively specified to ensure that shared values do not violate system or enclave contracts, regardless of adversary actions.

Sealed capabilities and exclusive memory ownership primitives are introduced by CHERI-TrEE, which Cerisier adapts for formal reasoning. Sealing creates access-controlled opaque values, essential for attestation and asymmetric key models. Exclusive access is enforced via global memory sweep instructions, modeled as a versioned logical memory layer that supports revocation with invariants ensuring correspondence between logical and physical state. Secure hashing primitives are added to allow dynamic computation and verification of enclave identities.

Attestation Primitives and Operational Semantics

Attestation in Cerisier is enabled via enclave-specific instructions—einit for enclave initialization, estoreid for attestation queries, and edeinit for enclave deinitialization. Initialization involves exclusive allocation of code and data regions, assignment of fresh sealing capabilities, and computation of enclave identity by hashing code and memory layout. The enclave table tracks identities and keys, facilitating client verification and local attestation scenarios. Figure 1

Figure 1

Figure 1: Cerisier machine state prior to enclave initialization, illustrating exclusive allocation and key assignment.

Sealing capabilities are partitioned for signing and encryption, establishing asymmetric authority. The attestation process covers local identity verification, enabling clients to trust enclaves based on known code hashes and associated predicates. Deinitialization removes enclave entries, ensuring safety against reuse and enforcing resource monotonicity.

Program Logic: Reasoning about Attested, Trusted, and Adversarial Code

A major contribution of Cerisier is its universal contract, a logic-based specification parameterized by user-provided sets of enclave identities and their associated sealing predicates. This contract guarantees that any capabilities produced by adversarial code can only satisfy attestation if they respect the registered sealing predicates for enclaves. The system-wide enclave identity invariant ties predicates, code, and addresses together, enforcing that only validated enclaves may create correctly attested values.

Clients interacting with enclaves reason using persistent resources (e.g., enclave{tidx}{I}), established via attestation instructions and verified via hashes. Adversaries can only initialize enclaves whose sealing predicates have been verified, thus blocking attacks based on arbitrary capability forgery or unsafe memory access.

The proof obligations imposed by the universal contract require recursive verification, handled by L\"ob induction, allowing for modular and scalable proofs of system safety even in highly adversarial settings.

Case Studies: Secure Outsourced Computation, Mutual Attestation, and Sensor Readout

The paper demonstrates Cerisier’s practical utility with three case studies:

  • Secure Outsourced Computation (SOC): A trusted client outsources heavy computation to an untrusted enclave via local attestation. The client verifies the attested result and key, ensuring that only correctly initialized enclave code generates valid responses.
  • Mutual Attestation: Two mutually distrusting enclaves establish trust using pre-identity tables and MAGE protocol primitives, breaking attestation circularity by separating code hashes and identity tables.
  • Trusted Sensor Readout: A stateful enclave initializes and reads data from a simulated sensor, with another enclave transforming the results and clients verifying the processing chain via attestation.

Each scenario is formally verified using Cerisier’s universal contract, with adequacy theorems ensuring that client assertions never fail given valid initial states and properly registered sealing predicates.

Implications and Future Directions

Cerisier advances formal reasoning about attestation and trust evolution in capability machines, providing the first end-to-end logic for modular reasoning across trusted and adversarial boundaries. The logical memory revocation and contract parameterization techniques generalize to other attestation systems, suggesting wider applicability in confidential and trusted computing contexts.

Practical implications include improved assurance for secure outsourced computation, encrypted sensor data processing, and mutually attested enclave architectures. Future work involves extending Cerisier to support remote attestation, integrating probabilistic or symbolic cryptographic models, and developing confidential computing results with memory-mapped I/O support.

Conclusion

Cerisier delivers a mechanized, comprehensive program logic for attestation in capability machines, offering modular reasoning, end-to-end verification, and soundness guarantees for systems combining trusted, untrusted, and attested code. The approach lays a foundation for adapting logical contracts and revocation reasoning to broader trusted computing and secure execution architectures.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.