Automated TEE Adaptation with LLMs: Identifying, Transforming, and Porting Sensitive Functions in Programs

This paper introduces AUTOTEE, the first LLM-based approach that automatically identifies, transforms, and ports sensitive functions from existing programs into Trusted Execution Environments (TEEs), achieving high accuracy and success rates in Java and Python while significantly reducing the manual effort and domain expertise required for developers.

The Gist

Imagine you have a very valuable recipe for a secret sauce. You want to cook it in a busy, open kitchen (the normal computer world) where anyone can walk by, peek over your shoulder, or even steal your ingredients. But you also know that if someone steals the recipe, they could ruin your business.

Trusted Execution Environments (TEEs) are like a magical, invisible glass booth you can build inside that kitchen. Once you step inside, no one outside can see what you're doing, touch your ingredients, or steal your recipe. It's a super-secure vault for your most sensitive tasks.

The problem? Moving your cooking process into that glass booth is incredibly hard.

Currently, if you want to use this secure booth, you have to:

1. Figure out exactly which part of your recipe needs the booth (is it chopping the onions? or just mixing the sauce?).
2. Rewrite that specific part of the recipe in a completely different language that the booth understands (like switching from English to a secret code).
3. Build a secure tunnel so the main kitchen can talk to the booth without anyone eavesdropping.

This requires a team of expert security architects and takes a lot of time. Most developers just give up.

Enter AutoTEE: The AI Sous-Chef

This paper introduces AutoTEE, a new tool that uses Large Language Models (LLMs)—the same kind of AI that writes poems or helps you code—to do all that hard work for you automatically.

Here is how AutoTEE works, using our kitchen analogy:

1. The Detective (Identifying the Sensitive Parts)

First, AutoTEE acts like a detective. It reads your entire recipe (the computer program) and asks the AI: "Which steps involve secret ingredients or dangerous chemicals?"

• It looks for things like "encryption" (locking the sauce in a box) or "serialization" (packing the sauce into a specific container).
• It ignores the boring stuff like "stirring the pot" or "washing the dishes."
• The Result: It isolates the tiny, critical steps that must go into the glass booth.

2. The Translator (Porting the Code)

Once it finds those secret steps, AutoTEE has to translate them.

• Your original program might be written in Java or Python (like a recipe written in English).
• The glass booth (TEE) usually only understands Rust or C (like a recipe written in a strict, ancient dialect).
• AutoTEE asks the AI to translate the English recipe into the ancient dialect. But it doesn't just guess. It uses a "ReAct" strategy (Reason + Act).
  • Think: "I need to translate this encryption step."
  • Act: Write the Rust code.
  • Check: "Did the compiler (the head chef) say this code works? Does it taste the same as the original?"
  • Fix: If the head chef says, "You forgot the salt!" or "This syntax is wrong," the AI fixes it and tries again. It loops this process until the code is perfect.

3. The Bodyguard (Connecting the Two Worlds)

Now you have a secure version of the recipe inside the glass booth. But how does the main kitchen talk to it?

• AutoTEE builds a secure tunnel (a TLS channel).
• When the main kitchen needs the secret sauce, it sends a request through the tunnel.
• Before the booth even opens the door, it checks an ID badge (Remote Attestation) to prove it's the real, un-tampered booth.
• The data is encrypted while traveling through the tunnel, so even if a spy intercepts the message, they just see gibberish.

Why is this a big deal?

• It's Automatic: Before this, you needed a PhD in security to move code into a TEE. Now, the AI does the heavy lifting.
• It's Accurate: The researchers tested this on hundreds of real-world programs. The AI correctly identified the secret parts 94% of the time for Java and 87% for Python.
• It Works: When the AI rewrote the code, it successfully created a working, secure version 91% of the time for Java and 84% for Python.

The Catch (Limitations)

Like any new tool, it's not perfect yet.

• Complexity: If the "recipe" is incredibly complex (like a 100-step process with weird math), the AI might get confused.
• Environment: Sometimes the AI hardcodes specific settings (like "use this specific oven"), which might need a human to tweak if you move to a different kitchen.
• Human in the Loop: It's not fully "set it and forget it" yet. A human still needs to review the final result to make sure the AI didn't accidentally change the flavor of the sauce.

The Bottom Line

AutoTEE is like hiring a super-smart, tireless AI assistant that can take your messy, open-kitchen code, find the secret ingredients, rewrite them for a high-security vault, and build the secure door—all while making sure the food still tastes exactly the same. It makes high-level security accessible to regular developers, not just security experts.

Technical Summary

Here is a detailed technical summary of the paper "Automated TEE Adaptation with LLMs: Identifying, Transforming, and Porting Sensitive Functions in Programs."

1. Problem Statement

Trusted Execution Environments (TEEs) offer robust security guarantees by isolating sensitive operations (e.g., encryption, key management) from the untrusted "normal world," even if the OS or hypervisor is compromised. However, adopting TEEs is currently hindered by two major challenges:

• Manual Effort & Expertise: Identifying fine-grained sensitive functions within complex codebases requires deep domain knowledge of both application logic and TEE security models.
• Execution Constraints: TEEs (like Intel SGX) often run low-level native code (C/Rust) with restricted APIs (no file I/O, timers, or multi-threading) and limited memory. Porting high-level managed languages (Java, Python) to these environments is difficult due to runtime overhead and API incompatibilities.

Existing solutions either port entire runtimes (introducing high overhead) or require developers to manually trace data and transform code (error-prone and labor-intensive). There is a lack of automated tools to seamlessly adapt existing high-level programs to TEEs.

2. Methodology: AUTOTEE

The authors propose AUTOTEE, the first Large Language Model (LLM)-enabled framework that automatically identifies, transforms, and ports sensitive functions into TEEs. The system operates through three core modules:

A. Sensitive Function Identifier

• Leaf Function Extraction: AUTOTEE parses the source code (Java/Python) into an Abstract Syntax Tree (AST) and extracts leaf functions (functions that do not call other user-defined functions). This minimizes the trusted computing base and avoids complex dependency chains.
• LLM-Based Detection: An LLM agent analyzes these leaf functions using a multi-round prompting strategy to detect sensitive operations, specifically focusing on:
  • Cryptographic operations: Encryption, decryption, signing, hashing, key generation.
  • Serialization: Deserialization of untrusted data.
• Test Input Generation: The LLM generates diverse test inputs for identified functions, guided by an iterative coverage loop (using JaCoCo for Java and pytest-cov for Python) to maximize line and branch coverage.

B. Code Transformer

• Target Language: Sensitive functions are transformed into Rust, chosen for its memory safety and native compatibility with TEEs.
• Iterative Refinement (ReAct Strategy): The transformation is not a one-shot generation. AUTOTEE employs the ReAct (Reasoning + Acting) framework to iteratively refine the code:
  1. Initial Generation: The LLM generates Rust code based on few-shot examples.
  2. Compilability Check: The code is compiled using Cargo. If errors occur, the compiler output is fed back to the LLM.
  3. Equivalence Validation: The transformed code is executed against the generated test inputs. Outputs are compared with the original code.
  4. Action Space: The LLM can take specific actions to fix issues, such as updating dependencies, modifying code, searching for error solutions, or re-running checks.
• Platform Adaptation: The system handles TEE-specific constraints (e.g., replacing unsupported system calls like timers or file I/O with TEE-compatible alternatives or hardcoding environment variables).

C. Execution Linker

• Secure Integration: Once a function is successfully transformed and validated, AUTOTEE modifies the original program to replace the sensitive function with a port-based remote call.
• Attestation & Communication:
  1. The client (normal world) requests an attestation quote from the TEE-resident code.
  2. An external attestation server verifies the code's integrity.
  3. A secure TLS channel is established.
  4. Arguments are encrypted, sent to the TEE, executed, and the result is returned securely.

3. Key Contributions

1. AUTOTEE Framework: The first automated approach to re-engineer high-level programs (Java/Python) for TEE adoption, minimizing manual intervention.
2. Robust Validation Mechanism: A novel iterative loop combining compiler feedback and functional equivalence testing (via coverage-guided test generation) to ensure the transformed code is both compilable and functionally identical to the original.
3. Seamless Integration: A mechanism for integrating TEE-adapted native code (Rust) back into high-level applications with secure attestation and encrypted communication channels.
4. Benchmark Dataset: Construction of a high-quality benchmark dataset comprising 385 sensitive leaf functions from 68 repositories (38 Java, 30 Python), manually verified by experts.

4. Experimental Results

The system was evaluated using four LLMs: GPT-4o, DeepSeek-v3, Qwen2.5, and LLaMA3.1.

• Identification Accuracy:
  • GPT-4o achieved the highest performance with an average F1-score of 0.958 (Java) and 0.883 (Python).
  • The multi-round prompting strategy significantly improved accuracy compared to single-prompt approaches.
• Transformation Success:
  • Using GPT-4o, AUTOTEE successfully transformed 91.8% of Java functions and 84.3% of Python functions into compilable, functionally equivalent Rust code.
  • DeepSeek-v3 performed as a strong open-source alternative (87.5% Java, 76.5% Python).
  • Iterative Refinement: The ReAct strategy was crucial; initial "direct" transformation success rates were low (<21%), but iterative refinement boosted success rates significantly.
• Failure Analysis:
  • Primary failure causes included sophisticated cryptography (complex multi-algorithm logic), bit-shift operations (semantic differences between languages), and missing global variables.
  • Python's lower success rate was attributed to dynamic typing and lack of explicit type declarations, which hindered the LLM's ability to generate correct Rust types.
• Resource Consumption:
  • Overhead: Execution inside the TEE incurs overhead due to attestation and TLS communication. For small, fast functions (e.g., SHA256 in Python), overhead was high (1255x). For computationally intensive tasks (e.g., RSA Key Gen), the relative overhead was low (1.6x).
  • Cost: DeepSeek offered a cost-effective alternative to GPT-4o with comparable performance.

5. Significance and Impact

• Lowering the Barrier to Entry: AUTOTEE democratizes TEE adoption by removing the need for developers to possess deep expertise in low-level TEE programming or manual code partitioning.
• Security Enhancement: By automating the isolation of sensitive operations, it reduces the attack surface and protects against software-based attacks, data leakage, and unauthorized access.
• Practical Viability: The high success rates in transforming complex cryptographic and serialization logic demonstrate that LLMs, when guided by rigorous validation loops (ReAct), can handle complex code migration tasks previously thought to require human experts.
• Future Direction: The work paves the way for fully automated security hardening of legacy applications, with future plans to expand support to more complex data structures and non-standard libraries.

In conclusion, AUTOTEE represents a significant step forward in making TEEs accessible for modern software development, effectively bridging the gap between high-level application logic and low-level secure execution environments through the power of Large Language Models.