Introduction
Software updates and secure migration are essential components of modern cybersecurity and resilience. Devices must remain up-to-date against vulnerabilities, and workloads must be migratable across platforms without loss of trust or integrity. In enclavized systems, such as those supported by REWIRE, these processes are even more critical, as updates and migrations directly affect the trusted execution environment (TEE). This blog explores REWIRE’s secure update and migration protocols, which guarantee resilience, consistency, and trustworthiness in runtime operations.
Secure and Authenticated Software Update
Software updates are essential for maintaining secure and reliable systems, but they also introduce significant risks. Without strong safeguards, attackers can inject malicious code, tamper with versioning, or exploit inconsistencies during the update process. To address this, REWIRE introduces an authenticated update protocol that ensures only authorised developers and services can initiate updates, protecting devices and workloads from compromise.
The secure update process follows a structured flow. First, a developer signs the update, including the software ID, version number, and binary. The Software Distribution Service (SDS) then packages the update with a nonce to ensure traceability. Depending on the deployment scenario, updates are distributed in one of two ways: one-to-one, where each update is encrypted with a device-specific Software Update Key, or one-to-many, where the SDS signs updates for multiple devices at once. The Security Monitor (SM) validates the authenticity, integrity, and version number of the update, while stateful enclaves transfer application state securely. An authenticated log entry, bound to the update instance, is generated to strengthen accountability. Finally, timeout and rollback mechanisms provide resilience, allowing the old enclave to resume if the update fails.
This design guarantees several critical security properties. Service state is preserved across updates, ensuring continuity of operations, while crash tolerance allows recovery if an update is unsuccessful. Authorisation enforcement means only trusted entities, such as SDS or developers, can initiate updates, and sealing mechanisms safeguard state confidentiality during rest and transit. Singleton guarantees ensure that only one enclave instance is active at a time, preventing duplication and potential exploitation.
Conclusions
By addressing the critical lifecycle stages of software update and migration, REWIRE ensures that enclavized applications remain trustworthy, consistent, and resilient. The framework provides cryptographic, policy-driven assurance against tampering, crashes, and adversarial exploitation. Software updates are frequent but risky. Without proper safeguards, attackers can inject malicious updates, tamper with versions, or exploit inconsistent update states. REWIRE solves this by designing an authenticated update protocol where only authorised developers and services can initiate updates.