Reinforcing Secure Live Migration through Verifiable State Management

• URL: http://arxiv.org/abs/2509.05150v1
• Date: Fri, 05 Sep 2025 14:41:48 GMT
• Title: Reinforcing Secure Live Migration through Verifiable State Management
• Authors: Stefanos Vasileaidis, Thanassis Giannetsos, Matthias Schunter, Bruno Crispo,
• Abstract summary: We present TALOS, a lightweight framework for verifiable state management and trustworthy application migration.<n> TALOS integrates memory introspection and control-flow graph extraction, enabling robust verification of state continuity and execution flow.<n>Thereby achieving strong security guarantees while maintaining efficiency, making it suitable for decentralized settings.
• Score: 1.6204399921642334
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Live migration of applications is a fundamental capability for enabling resilient computing in modern distributed systems. However, extending this functionality to trusted applications (TA) -- executing within Trusted Execution Environments (TEEs) -- introduces unique challenges such as secure state preservation, integrity verification, replay and rollback prevention, and mitigation of unauthorized cloning of TAs. We present TALOS, a lightweight framework for verifiable state management and trustworthy application migration. While our implementation is prototyped and evaluated using Intel SGX with the Gramine LibOS and RISC-V Keystone (evidencing the framework's portability across diverse TEEs), its design is agnostic to the underlying TEE architecture. Such agility is a necessity in today's network service mesh (collaborative computing across the continuum) where application workloads must be managed across domain boundaries in a harmonized fashion. TALOS is built around the principle of minimizing trust assumptions: TAs are treated as untrusted until explicitly verified, and the migration process does not rely on a trusted third party. To ensure both the integrity and secure launch of the migrated application, TALOS integrates memory introspection and control-flow graph extraction, enabling robust verification of state continuity and execution flow. Thereby achieving strong security guarantees while maintaining efficiency, making it suitable for decentralized settings.

Related papers

• Architecting Trust: A Framework for Secure IoT Systems Through Trusted Execution and Semantic Middleware [1.7277199466514768]
  The Internet of Things (IoT) security landscape requires the architectural solutions that can address the technical and operational challenges.<n>This paper presents the comprehensive security framework for IoT that should integrate the Trusted Execution Environments (TEEs) with the semantic and blockchain technologies.<n>The architecture includes the hardware rooted trust at peripheral level, the zero trust principles at network level, and the semantic security mechanisms at application level.
  arXiv  Detail & Related papers  (2026-02-11T11:48:41Z)
• CaMeLs Can Use Computers Too: System-level Security for Computer Use Agents [60.98294016925157]
  AI agents are vulnerable to prompt injection attacks, where malicious content hijacks agent behavior to steal credentials or cause financial loss.<n>We introduce Single-Shot Planning for CUAs, where a trusted planner generates a complete execution graph with conditional branches before any observation of potentially malicious content.<n>Although this architectural isolation successfully prevents instruction injections, we show that additional measures are needed to prevent Branch Steering attacks.
  arXiv  Detail & Related papers  (2026-01-14T23:06:35Z)
• Towards Verifiably Safe Tool Use for LLM Agents [53.55621104327779]
  Large language model (LLM)-based AI agents extend capabilities by enabling access to tools such as data sources, APIs, search engines, code sandboxes, and even other agents.<n>LLMs may invoke unintended tool interactions and introduce risks, such as leaking sensitive data or overwriting critical records.<n>Current approaches to mitigate these risks, such as model-based safeguards, enhance agents' reliability but cannot guarantee system safety.
  arXiv  Detail & Related papers  (2026-01-12T21:31:38Z)
• Zero Trust Security Model Implementation in Microservices Architectures Using Identity Federation [0.0]
  The article itself is a case on the need of the Zero Trust Security Model of micro services ecosystem.<n>It is proposed that the solution framework will be based on industry-standard authentication and authorization and end-to-end trust identity technologies.<n>The research results overlay that the federated identity combined with the Zero Trust basics not only guarantee the rules relating to authentication and authorization but also fully complies with the latest DevSecOps standards of microservice deployment.
  arXiv  Detail & Related papers  (2025-11-07T02:03:05Z)
• Dstack: A Zero Trust Framework for Confidential Containers [6.276046587137382]
  Web3 applications require execution platforms that maintain confidentiality and integrity without relying on centralized trust authorities.<n>Current implementations face significant limitations when applied to Web3 contexts.<n>This paper presents dstack, a comprehensive framework that transforms raw TEE technology into a true Zero Trust platform.
  arXiv  Detail & Related papers  (2025-09-15T03:36:27Z)
• Closing the Visibility Gap: A Monitoring Framework for Verifiable Open RAN Operations [15.81088947348504]
  We propose a monitoring framework for low-trust Open Radio Access Network (Open RAN) environments.<n>Our system provides scalable, verifiable oversight to enhance transparency and trust in O-RAN operations.
  arXiv  Detail & Related papers  (2025-09-03T04:17:57Z)
• Bridging the Mobile Trust Gap: A Zero Trust Framework for Consumer-Facing Applications [51.56484100374058]
  This paper proposes an extended Zero Trust model designed for mobile applications operating in untrusted, user-controlled environments.<n>Using a design science methodology, the study introduced a six-pillar framework that supports runtime enforcement of trust.<n>The proposed model offers a practical and standards-aligned approach to securing mobile applications beyond pre-deployment controls.
  arXiv  Detail & Related papers  (2025-08-20T18:42:36Z)
• Endorsement-Driven Blockchain SSI Framework for Dynamic IoT Ecosystems [0.39462888523270856]
  Self-Sovereign Identity (SSI) offers significant potential for managing identities in the Internet of Things (IoT)<n>Existing SSI frameworks limit issuance credential and revocation to trusted entities, such as IoT manufacturers.<n>We propose a blockchain-based SSI framework that allows any individual with a verifiable trust linkage to act as a credential issuer.
  arXiv  Detail & Related papers  (2025-07-14T02:03:14Z)
• DRIFT: Dynamic Rule-Based Defense with Injection Isolation for Securing LLM Agents [52.92354372596197]
  Large Language Models (LLMs) are increasingly central to agentic systems due to their strong reasoning and planning capabilities.<n>This interaction also introduces the risk of prompt injection attacks, where malicious inputs from external sources can mislead the agent's behavior.<n>We propose a Dynamic Rule-based Isolation Framework for Trustworthy agentic systems, which enforces both control and data-level constraints.
  arXiv  Detail & Related papers  (2025-06-13T05:01:09Z)
• Zero-Trust Foundation Models: A New Paradigm for Secure and Collaborative Artificial Intelligence for Internet of Things [61.43014629640404]
  Zero-Trust Foundation Models (ZTFMs) embed zero-trust security principles into the lifecycle of foundation models (FMs) for Internet of Things (IoT) systems.<n>ZTFMs can enable secure, privacy-preserving AI across distributed, heterogeneous, and potentially adversarial IoT environments.
  arXiv  Detail & Related papers  (2025-05-26T06:44:31Z)
• EILID: Execution Integrity for Low-end IoT Devices [12.193184827858326]
  EILID is a hybrid architecture that ensures software execution integrity on low-end devices.<n>It is built atop CASU, a prevention-based (i.e., active) hybrid Root-of-Trust (RoT) that guarantees software immutability.
  arXiv  Detail & Related papers  (2025-01-16T00:31:39Z)
• ACRIC: Securing Legacy Communication Networks via Authenticated Cyclic Redundancy Integrity Check [98.34702864029796]
  Recent security incidents in safety-critical industries exposed how the lack of proper message authentication enables attackers to inject malicious commands or alter system behavior.<n>These shortcomings have prompted new regulations that emphasize the pressing need to strengthen cybersecurity.<n>We introduce ACRIC, a message authentication solution to secure legacy industrial communications.
  arXiv  Detail & Related papers  (2024-11-21T18:26:05Z)
• VeriCHERI: Exhaustive Formal Security Verification of CHERI at the RTL [4.652188875442064]
  CHERI provides and enforces fine-grained memory protection directly in the hardware. VeriCHERI is conceptionally different from previous works in that it does not require any ISA specification. We demonstrate the effectiveness and scalability of VeriCHERI on a RISC-V based processor implementing a CHERI variant.
  arXiv  Detail & Related papers  (2024-07-26T11:48:55Z)
• Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments [60.51751612363882]
  We investigate the security implications of and software-based Open Radio Access Network (RAN) systems. We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
  arXiv  Detail & Related papers  (2024-05-03T07:18:45Z)
• HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
  Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs) TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks. We address the above with HasTEE+, a domain-specific language (cla) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
  arXiv  Detail & Related papers  (2024-01-17T00:56:23Z)
• Blockchain-based Zero Trust on the Edge [5.323279718522213]
  This paper proposes a novel approach based on Zero Trust Architecture (ZTA) extended with blockchain to further enhance security. The blockchain component serves as an immutable database for storing users' requests and is used to verify trustworthiness by analyzing and identifying potentially malicious user activities. We discuss the framework, processes of the approach, and the experiments carried out on a testbed to validate its feasibility and applicability in the smart city context.
  arXiv  Detail & Related papers  (2023-11-28T12:43:21Z)
• Recursively Feasible Probabilistic Safe Online Learning with Control Barrier Functions [60.26921219698514]
  We introduce a model-uncertainty-aware reformulation of CBF-based safety-critical controllers. We then present the pointwise feasibility conditions of the resulting safety controller. We use these conditions to devise an event-triggered online data collection strategy.
  arXiv  Detail & Related papers  (2022-08-23T05:02:09Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.