Beyond updates, secure migration of workloads between hosts is also vital. Migration is required for scenarios such as hardware replacement, system maintenance, or balancing loads. However, without protection, adversaries could exploit migration to fork enclaves, steal state, or interfere with execution. REWIRE tackles this with a migration protocol designed to resist adversaries who might control untrusted software, memory, storage, or networks outside enclaves, or attempt unauthorised migrations and state forking.
REWIRE’s migration protocol enforces several objectives to mitigate these threats. Atomicity ensures only one enclave runs at a time, either at the source or destination. Authentication guarantees that only trusted entities can initiate migration, while confidentiality and integrity mechanisms safeguard both code and state. Forking protection further ensures that enclaves cannot be duplicated during the process.
The migration protocol workflow begins with the SDS issuing a signed migration request. The source Security Monitor (SMS) validates the request, pauses the enclave, and securely extracts the code and state. The sealed state is decrypted and transferred via TLS to the target Security Monitor (SMT). At the destination, the state is re-encrypted with the new sealing key and verified for integrity. Once the target enclave successfully attests, the source enclave is destroyed. Synchronisation is ensured through acknowledgements between SDS, SMS, and SMT. More concretely, the migration protocol workflow can be described using the following steps:
Protocol Workflow
- SDS issues a signed migration request.
- Source SM (SMS) validates request and pauses enclave.
- Source SM extracts code and state, decrypts sealed state.
- Data is transmitted securely via TLS to target SM (SMT).
- Target SM re-encrypts state with its sealing key, verifies integrity.
- Source enclave is destroyed once the target enclave attests successfully.
- Acknowledgements ensure synchronisation across SDS, SMS, SMT.
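The workflow above, run end to end as an added Python simulation (this is illustrative code written for this page, not REWIRE's own implementation). The names `SDS`, `SecurityMonitor`, `seal`/`unseal` and `migrate` are assumptions made for the example; the SDS signature is modelled with an HMAC under a shared key (standing in for a public-key signature), per-host sealing with an HMAC-based stream cipher plus HMAC tag (standing in for the platform's AEAD sealing), and the TLS channel with a direct call from the source SM to the target SM. What the code makes visible that the list does not is the ordering that gives atomicity and forking protection: the source pauses before any state leaves it, the target stays stopped until the source is destroyed, and a failed attestation rolls back to the source rather than leaving two copies.

```python
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a toy stand-in for a real AEAD cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a host sealing key: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a wrong key or an edited blob is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("sealed state failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def measure(code: bytes) -> str:
    """Attestation measurement: hash of the enclave code image."""
    return hashlib.sha256(code).hexdigest()


class SDS:
    """The only principal allowed to initiate a migration (hypothetical model)."""
    def __init__(self):
        self.key = secrets.token_bytes(32)

    def sign(self, request: bytes) -> bytes:
        return hmac.new(self.key, request, hashlib.sha256).digest()


class SecurityMonitor:
    def __init__(self, name: str, sds_verify_key: bytes):
        self.name, self.sds_verify_key = name, sds_verify_key
        self.sealing_key = secrets.token_bytes(32)   # per host, never leaves the host
        self.enclaves = {}                            # id -> {"code", "sealed", "running"}

    def launch(self, enclave_id: str, code: bytes, state: bytes) -> None:
        self.enclaves[enclave_id] = {"code": code, "sealed": seal(self.sealing_key, state), "running": True}

    def running(self) -> list:
        return sorted(e for e, v in self.enclaves.items() if v["running"])

    def export_for_migration(self, request: bytes, signature: bytes) -> dict:
        """SMS side: authenticate the SDS request, pause the enclave, unseal and extract."""
        expected = hmac.new(self.sds_verify_key, request, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("migration request not signed by the SDS")
        req = json.loads(request)
        if req["source"] != self.name:
            raise PermissionError("request addressed to a different source SM")
        enc = self.enclaves[req["enclave"]]
        enc["running"] = False                        # pause before any state leaves the host
        state = unseal(self.sealing_key, enc["sealed"])
        digest = hashlib.sha256(enc["code"] + state).hexdigest()
        return {"enclave": req["enclave"], "code": enc["code"], "state": state, "digest": digest}

    def import_from_migration(self, payload: dict) -> dict:
        """SMT side: verify integrity, re-seal under the local key, report the measurement."""
        if hashlib.sha256(payload["code"] + payload["state"]).hexdigest() != payload["digest"]:
            raise ValueError("migrated code/state failed integrity check")
        self.enclaves[payload["enclave"]] = {"code": payload["code"],
                                             "sealed": seal(self.sealing_key, payload["state"]),
                                             "running": False}   # stays stopped until the source is gone
        return {"enclave": payload["enclave"], "measurement": measure(payload["code"])}

    def destroy(self, enclave_id: str) -> None:
        self.enclaves.pop(enclave_id, None)

    def resume(self, enclave_id: str) -> None:
        self.enclaves[enclave_id]["running"] = True


def migrate(sds: SDS, sms: SecurityMonitor, smt: SecurityMonitor,
            enclave_id: str, expected_measurement: str) -> bool:
    """Drive the protocol; True on success, False after a rollback to the source."""
    request = json.dumps({"enclave": enclave_id, "source": sms.name,
                          "target": smt.name, "nonce": secrets.token_hex(8)}).encode()
    payload = sms.export_for_migration(request, sds.sign(request))
    attestation = smt.import_from_migration(payload)   # transport assumed to be TLS
    if attestation["measurement"] != expected_measurement:
        smt.destroy(enclave_id)                         # target rejected: keep the source copy
        sms.resume(enclave_id)
        return False
    sms.destroy(enclave_id)                             # acknowledged: only now remove the source
    smt.resume(enclave_id)
    return True


def demo() -> dict:
    # Constructed sample: one enclave migrates from host-a to host-b.
    sds = SDS()
    sms, smt = SecurityMonitor("host-a", sds.key), SecurityMonitor("host-b", sds.key)
    code, state = b"enclave-image-v1", b"counter=42"
    sms.launch("enc1", code, state)
    ok = migrate(sds, sms, smt, "enc1", measure(code))
    return {"ok": ok, "source_running": sms.running(), "target_running": smt.running(),
            "state_at_target": unseal(smt.sealing_key, smt.enclaves["enc1"]["sealed"])}
```

Two points worth noticing when reading `migrate`: a request signed by anyone other than the SDS is rejected before the enclave is paused, so an unauthorised migration attempt leaves the source untouched; and after a successful transfer the state at the target is recoverable only with the target's own sealing key, since the source's sealed blob was never sent.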
These mechanisms deliver strong security properties for migration. Atomic migration ensures that enclaves exist only at one location at any time, while TLS-secured transmission and sealed-state handling prevent data leaks. Timeout and acknowledgement mechanisms maintain consistency across all parties, and strict non-parallel execution prevents forking.
Taken together, REWIRE’s update and migration framework offers a comprehensive solution for maintaining system security throughout the lifecycle of software and workloads. It enhances resilience against crashes and failures, provides end-to-end cryptographic assurance, and enables policy-driven trust levels such as Authorisation Trust Level (ATL) checks during migration. Its harmonised mechanisms support cross-platform operability while maintaining continuous security assurance, positioning REWIRE as a robust enabler of trusted computing environments.
Conclusion
By addressing the critical lifecycle stages of software update and migration, REWIRE ensures that enclavized applications remain trustworthy, consistent, and resilient. The framework provides cryptographic, policy-driven assurance against tampering, crashes, and adversarial exploitation.
In practice, this means that organisations using REWIRE-enabled hardware and software can operate with confidence: updates won’t compromise trust, and migrations won’t create forks or leaks. This sets a new benchmark for secure runtime assurance in systems of systems.