Code Encryption with Intel TME-MK for Control-Flow Enforcement

Martin Unterguggenberger; Lukas Lamster; Mathias Oberhuber; Simon Scherer; Stefan Mangard

doi:10.1007/978-3-032-07891-9_19

Code Encryption with Intel TME-MK for Control-Flow Enforcement

^*Corresponding author for this work

Institute of Information Security (7050)

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

Memory safety errors enable an adversary to corrupt code pointers, diverting the program’s control flow. Recent CPU features, such as Intel CET/IBT, harden software systems against exploitation attempts that maliciously redirect control flow operations. While IBT limits valid indirect branch targets, forward-edge transfers can still be redirected to any IBT-marked function. Thus, IBT cannot provide fine-grained protection against forward-edge control-flow attacks.

This paper presents code encryption with Intel TME-MK, a novel approach for control-flow enforcement against software exploitation on off-the-shelf x86 machines. We repurpose the Intel TME-MK runtime encryption to achieve function-level code encryption. Encrypted functions are only accessible through function pointers associated with the correct key, thereby enforcing fine-grained restrictions for control-flow transfers. We demonstrate two new encryption-based techniques for software hardening in practice: forward-edge control-flow integrity and library encryption. We implement a security-hardened toolchain that combines compiler instrumentation and a loader extension to ensure the validity of the program’s execution flow through efficient hardware-backed encryption. Our prototype shows a geomean performance overhead of 7.8 % for forward-edge control-flow integrity and 2.2 % for library encryption evaluated with the SPEC CPU2017 benchmark suite.

Original language	English
Title of host publication	Computer Security - ESORICS 2025 - 30th European Symposium on Research in Computer Security, 2025, Proceedings
Editors	Vincent Nicomette, Abdelmalek Benzekri, Nora Boulahia-Cuppens, Jaideep Vaidya
Publisher	Springer
Pages	359-378
Number of pages	20
ISBN (Print)	9783032078902
DOIs	https://doi.org/10.1007/978-3-032-07891-9_19
Publication status	Published - 2025
Event	30th European Symposium on Research in Computer Security, ESORICS 2025 - Toulouse, France Duration: 22 Sept 2025 → 24 Sept 2025

Publication series

Name	Lecture Notes in Computer Science
Volume	16054 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	30th European Symposium on Research in Computer Security, ESORICS 2025
Abbreviated title	ESORICS 25
Country/Territory	France
City	Toulouse
Period	22/09/25 → 24/09/25

Keywords

Code Encryption
Control-Flow Integrity
Intel TME-MK
Intel TME-MK

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Fields of Expertise

Information, Communication & Computing

Access to Document

10.1007/978-3-032-07891-9_19

Code Encryption with Intel TME-MK for Control-Flow EnforcementSubmitted manuscript, 406 KBLicence: CC BY 4.0

Cite this

Unterguggenberger, M., Lamster, L., Oberhuber, M., Scherer, S., & Mangard, S. (2025). Code Encryption with Intel TME-MK for Control-Flow Enforcement. In V. Nicomette, A. Benzekri, N. Boulahia-Cuppens, & J. Vaidya (Eds.), Computer Security - ESORICS 2025 - 30th European Symposium on Research in Computer Security, 2025, Proceedings (pp. 359-378). (Lecture Notes in Computer Science; Vol. 16054 LNCS). Springer. https://doi.org/10.1007/978-3-032-07891-9_19

Code Encryption with Intel TME-MK for Control-Flow Enforcement. / Unterguggenberger, Martin ; Lamster, Lukas ; Oberhuber, Mathias et al.
Computer Security - ESORICS 2025 - 30th European Symposium on Research in Computer Security, 2025, Proceedings. ed. / Vincent Nicomette; Abdelmalek Benzekri; Nora Boulahia-Cuppens; Jaideep Vaidya. Springer, 2025. p. 359-378 (Lecture Notes in Computer Science; Vol. 16054 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Unterguggenberger, M , Lamster, L , Oberhuber, M , Scherer, S & Mangard, S 2025, Code Encryption with Intel TME-MK for Control-Flow Enforcement. in V Nicomette, A Benzekri, N Boulahia-Cuppens & J Vaidya (eds), Computer Security - ESORICS 2025 - 30th European Symposium on Research in Computer Security, 2025, Proceedings. Lecture Notes in Computer Science, vol. 16054 LNCS, Springer, pp. 359-378, 30th European Symposium on Research in Computer Security, ESORICS 2025, Toulouse, France, 22/09/25. https://doi.org/10.1007/978-3-032-07891-9_19

Unterguggenberger M , Lamster L , Oberhuber M , Scherer S , Mangard S. Code Encryption with Intel TME-MK for Control-Flow Enforcement. In Nicomette V, Benzekri A, Boulahia-Cuppens N, Vaidya J, editors, Computer Security - ESORICS 2025 - 30th European Symposium on Research in Computer Security, 2025, Proceedings. Springer. 2025. p. 359-378. (Lecture Notes in Computer Science). Epub 2025 Oct 17. doi: 10.1007/978-3-032-07891-9_19

Unterguggenberger, Martin ; Lamster, Lukas ; Oberhuber, Mathias et al. / Code Encryption with Intel TME-MK for Control-Flow Enforcement. Computer Security - ESORICS 2025 - 30th European Symposium on Research in Computer Security, 2025, Proceedings. editor / Vincent Nicomette ; Abdelmalek Benzekri ; Nora Boulahia-Cuppens ; Jaideep Vaidya. Springer, 2025. pp. 359-378 (Lecture Notes in Computer Science).

@inproceedings{17ed1bd7103c4f9cae062f8c364eb037,

title = "Code Encryption with Intel TME-MK for Control-Flow Enforcement",

abstract = "Memory safety errors enable an adversary to corrupt code pointers, diverting the program{\textquoteright}s control flow. Recent CPU features, such as Intel CET/IBT, harden software systems against exploitation attempts that maliciously redirect control flow operations. While IBT limits valid indirect branch targets, forward-edge transfers can still be redirected to any IBT-marked function. Thus, IBT cannot provide fine-grained protection against forward-edge control-flow attacks. This paper presents code encryption with Intel TME-MK, a novel approach for control-flow enforcement against software exploitation on off-the-shelf x86 machines. We repurpose the Intel TME-MK runtime encryption to achieve function-level code encryption. Encrypted functions are only accessible through function pointers associated with the correct key, thereby enforcing fine-grained restrictions for control-flow transfers. We demonstrate two new encryption-based techniques for software hardening in practice: forward-edge control-flow integrity and library encryption. We implement a security-hardened toolchain that combines compiler instrumentation and a loader extension to ensure the validity of the program{\textquoteright}s execution flow through efficient hardware-backed encryption. Our prototype shows a geomean performance overhead of 7.8 \% for forward-edge control-flow integrity and 2.2 \% for library encryption evaluated with the SPEC CPU2017 benchmark suite.",

keywords = "Code Encryption, Control-Flow Integrity, Intel TME-MK, Intel TME-MK",

author = "Martin Unterguggenberger and Lukas Lamster and Mathias Oberhuber and Simon Scherer and Stefan Mangard",

year = "2025",

doi = "10.1007/978-3-032-07891-9\_19",

language = "English",

isbn = "9783032078902",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "359--378",

editor = "Vincent Nicomette and Abdelmalek Benzekri and Nora Boulahia-Cuppens and Jaideep Vaidya",

booktitle = "Computer Security - ESORICS 2025 - 30th European Symposium on Research in Computer Security, 2025, Proceedings",

address = "United States",

note = "30th European Symposium on Research in Computer Security, ESORICS 2025, ESORICS 25 ; Conference date: 22-09-2025 Through 24-09-2025",

}

TY - GEN

T1 - Code Encryption with Intel TME-MK for Control-Flow Enforcement

AU - Unterguggenberger, Martin

AU - Lamster, Lukas

AU - Oberhuber, Mathias

AU - Scherer, Simon

AU - Mangard, Stefan

PY - 2025

Y1 - 2025

N2 - Memory safety errors enable an adversary to corrupt code pointers, diverting the program’s control flow. Recent CPU features, such as Intel CET/IBT, harden software systems against exploitation attempts that maliciously redirect control flow operations. While IBT limits valid indirect branch targets, forward-edge transfers can still be redirected to any IBT-marked function. Thus, IBT cannot provide fine-grained protection against forward-edge control-flow attacks. This paper presents code encryption with Intel TME-MK, a novel approach for control-flow enforcement against software exploitation on off-the-shelf x86 machines. We repurpose the Intel TME-MK runtime encryption to achieve function-level code encryption. Encrypted functions are only accessible through function pointers associated with the correct key, thereby enforcing fine-grained restrictions for control-flow transfers. We demonstrate two new encryption-based techniques for software hardening in practice: forward-edge control-flow integrity and library encryption. We implement a security-hardened toolchain that combines compiler instrumentation and a loader extension to ensure the validity of the program’s execution flow through efficient hardware-backed encryption. Our prototype shows a geomean performance overhead of 7.8 % for forward-edge control-flow integrity and 2.2 % for library encryption evaluated with the SPEC CPU2017 benchmark suite.

AB - Memory safety errors enable an adversary to corrupt code pointers, diverting the program’s control flow. Recent CPU features, such as Intel CET/IBT, harden software systems against exploitation attempts that maliciously redirect control flow operations. While IBT limits valid indirect branch targets, forward-edge transfers can still be redirected to any IBT-marked function. Thus, IBT cannot provide fine-grained protection against forward-edge control-flow attacks. This paper presents code encryption with Intel TME-MK, a novel approach for control-flow enforcement against software exploitation on off-the-shelf x86 machines. We repurpose the Intel TME-MK runtime encryption to achieve function-level code encryption. Encrypted functions are only accessible through function pointers associated with the correct key, thereby enforcing fine-grained restrictions for control-flow transfers. We demonstrate two new encryption-based techniques for software hardening in practice: forward-edge control-flow integrity and library encryption. We implement a security-hardened toolchain that combines compiler instrumentation and a loader extension to ensure the validity of the program’s execution flow through efficient hardware-backed encryption. Our prototype shows a geomean performance overhead of 7.8 % for forward-edge control-flow integrity and 2.2 % for library encryption evaluated with the SPEC CPU2017 benchmark suite.

KW - Code Encryption

KW - Control-Flow Integrity

KW - Intel TME-MK

UR - https://www.scopus.com/pages/publications/105020692057

U2 - 10.1007/978-3-032-07891-9_19

DO - 10.1007/978-3-032-07891-9_19

M3 - Conference paper

SN - 9783032078902

T3 - Lecture Notes in Computer Science

SP - 359

EP - 378

BT - Computer Security - ESORICS 2025 - 30th European Symposium on Research in Computer Security, 2025, Proceedings

A2 - Nicomette, Vincent

A2 - Benzekri, Abdelmalek

A2 - Boulahia-Cuppens, Nora

A2 - Vaidya, Jaideep

PB - Springer

T2 - 30th European Symposium on Research in Computer Security, ESORICS 2025

Y2 - 22 September 2025 through 24 September 2025

ER -

Code Encryption with Intel TME-MK for Control-Flow Enforcement

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Fields of Expertise

Access to Document

Other files and links

Fingerprint

RESIST - Enabling Secure RISC-V Architectures Through Efficient Software Integrity and Isolation Technologies

AWARE - Hardware-Ensured Software Security