- The paper presents Cerisier, a logic that formally verifies attestation mechanisms in capability machines with proven soundness guarantees.
- It integrates Iris separation logic and CHERI-TrEE primitives to enforce exclusive memory ownership and sealed capabilities for secure enclave interactions.
- Case studies demonstrate its effectiveness in secure outsourced computation, mutual attestation, and trusted sensor readout, ensuring robust system-wide safety.
Cerisier: A Program Logic for Attestation in a Capability Machine
Introduction and Motivation
The paper introduces Cerisier, a program logic developed for modular, formal reasoning about attestation in capability machines, specifically targeting systems where trusted, untrusted, and attested code coexist. The motivation stems from the growing demand in trusted computing for rigorous verification of systems involving enclaves—isolated components capable of proving their identity via attestation to other distrusting components. This is a critical requirement for applications such as secure outsourced computation, DRM, and sensor readout, where trust evolves dynamically and needs robust guarantees even in adversarial contexts.
Existing formal verification techniques are insufficient for end-to-end guarantees in such mixed-trust settings; they often restrict themselves to specific system layers (e.g., cryptographic firmware or hardware) without capturing interactions between enclaves, clients, and adversaries. Cerisier addresses this gap by extending the Cerise capability machine model and logic with primitives for attestation, exclusive memory ownership, and sealed capabilities as formalized in CHERI-TrEE. All components are mechanized within Iris separation logic and the Rocq Prover, with proofs available in the accompanying artifact.
Technical Foundations: Capability Machines, Cerise, and CHERI-TrEE
Capability machines like CHERI-RISC-V expose fine-grained primitives for memory isolation and authority transfer, using unforgeable tokens (capabilities) to mediate access to memory and code. Cerisier builds on the Cerise machine, which distinguishes between ordinary integers and capabilities (memory, sentry, sealing), allowing rigorous enforcement of encapsulation and controlled invocation.
Cerise’s program logic is based on Iris, supporting separation and higher-order reasoning about state and invariants. It formalizes a universal contract for safe interaction with adversarial code, mediated by logical relations defining the authority of capabilities. This relation is recursively specified to ensure that shared values do not violate system or enclave contracts, regardless of adversary actions.
Sealed capabilities and exclusive memory ownership primitives are introduced by CHERI-TrEE, which Cerisier adapts for formal reasoning. Sealing creates access-controlled opaque values, essential for attestation and asymmetric key models. Exclusive access is enforced via global memory sweep instructions, modeled as a versioned logical memory layer that supports revocation with invariants ensuring correspondence between logical and physical state. Secure hashing primitives are added to allow dynamic computation and verification of enclave identities.
Attestation Primitives and Operational Semantics
Attestation in Cerisier is enabled via enclave-specific instructions—einit for enclave initialization, estoreid for attestation queries, and edeinit for enclave deinitialization. Initialization involves exclusive allocation of code and data regions, assignment of fresh sealing capabilities, and computation of enclave identity by hashing code and memory layout. The enclave table tracks identities and keys, facilitating client verification and local attestation scenarios.

Figure 1: Cerisier machine state prior to enclave initialization, illustrating exclusive allocation and key assignment.
Sealing capabilities are partitioned for signing and encryption, establishing asymmetric authority. The attestation process covers local identity verification, enabling clients to trust enclaves based on known code hashes and associated predicates. Deinitialization removes enclave entries, ensuring safety against reuse and enforcing resource monotonicity.
Program Logic: Reasoning about Attested, Trusted, and Adversarial Code
A major contribution of Cerisier is its universal contract, a logic-based specification parameterized by user-provided sets of enclave identities and their associated sealing predicates. This contract guarantees that any capabilities produced by adversarial code can only satisfy attestation if they respect the registered sealing predicates for enclaves. The system-wide enclave identity invariant ties predicates, code, and addresses together, enforcing that only validated enclaves may create correctly attested values.
Clients interacting with enclaves reason using persistent resources (e.g., enclave{tidx}{I}), established via attestation instructions and verified via hashes. Adversaries can only initialize enclaves whose sealing predicates have been verified, thus blocking attacks based on arbitrary capability forgery or unsafe memory access.
The proof obligations imposed by the universal contract require recursive verification, handled by L\"ob induction, allowing for modular and scalable proofs of system safety even in highly adversarial settings.
Case Studies: Secure Outsourced Computation, Mutual Attestation, and Sensor Readout
The paper demonstrates Cerisier’s practical utility with three case studies:
- Secure Outsourced Computation (SOC): A trusted client outsources heavy computation to an untrusted enclave via local attestation. The client verifies the attested result and key, ensuring that only correctly initialized enclave code generates valid responses.
- Mutual Attestation: Two mutually distrusting enclaves establish trust using pre-identity tables and MAGE protocol primitives, breaking attestation circularity by separating code hashes and identity tables.
- Trusted Sensor Readout: A stateful enclave initializes and reads data from a simulated sensor, with another enclave transforming the results and clients verifying the processing chain via attestation.
Each scenario is formally verified using Cerisier’s universal contract, with adequacy theorems ensuring that client assertions never fail given valid initial states and properly registered sealing predicates.
Implications and Future Directions
Cerisier advances formal reasoning about attestation and trust evolution in capability machines, providing the first end-to-end logic for modular reasoning across trusted and adversarial boundaries. The logical memory revocation and contract parameterization techniques generalize to other attestation systems, suggesting wider applicability in confidential and trusted computing contexts.
Practical implications include improved assurance for secure outsourced computation, encrypted sensor data processing, and mutually attested enclave architectures. Future work involves extending Cerisier to support remote attestation, integrating probabilistic or symbolic cryptographic models, and developing confidential computing results with memory-mapped I/O support.
Conclusion
Cerisier delivers a mechanized, comprehensive program logic for attestation in capability machines, offering modular reasoning, end-to-end verification, and soundness guarantees for systems combining trusted, untrusted, and attested code. The approach lays a foundation for adapting logical contracts and revocation reasoning to broader trusted computing and secure execution architectures.