Department of Computer Science and Technology

Technical reports

Attestable Builds: compiling verifiable binaries on untrusted systems using trusted execution environments

Daniel Hugenroth, Mario Lins, René Mayrhofer, Alastair R. Beresford

October 2025, 26 pages

Originally published in Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security

DOIhttps://doi.org/10.48456/tr-1002

Abstract

In this paper we present attestable builds, a new paradigm to provide strong source-to-binary correspondence in software artifacts. We tackle the challenge of opaque build pipelines that disconnect the trust between source code, which can be understood and audited, and the final binary artifact which is difficult to inspect. Our system uses modern trusted execution environments (TEEs) and sandboxed build containers to provide strong guarantees that a given artifact was correctly built from a specific source code snapshot. As such it complements existing approaches like reproducible builds which typically require time-intensive modifications to existing build configurations and dependencies, and require independent parties to continuously build and verify artifacts. In comparison, an attestable build requires only minimal changes to an existing project, and offers nearly instantaneous verification of the correspondence between a given binary and the source code and build pipeline used to construct it. We evaluate it by building open-source software libraries—focusing on projects which are important to the trust chain and have proven difficult to be built deterministically. The overhead (42 seconds start-up latency and 14% increase in build duration) is small in comparison to the overall build time. Importantly, our prototype can build complex projects such as LLVM Clang without requiring any modifications to their source code and build scripts. Finally, we formally model and verify the attestable build design to demonstrate its security against well-resourced adversaries.

Full text

PDF (2.9 MB)

BibTeX record

@TechReport{UCAM-CL-TR-1002,
  author =	 {Hugenroth, Daniel and Lins, Mario and Mayrhofer, Ren{\'e}
          	  and Beresford, Alastair R.},
  title = 	 {{Attestable Builds: compiling verifiable binaries on
         	   untrusted systems using trusted execution environments}},
  year = 	 2025,
  month = 	 oct,
  url = 	 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-1002.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  doi = 	 {10.48456/tr-1002},
  number = 	 {UCAM-CL-TR-1002}
}