International Association
for Cryptologic Research

Legacy applications continue to be widely used in embedded systems, despite high maintenance costs, primarily due to the challenges involved in modifying them. Traditional Trusted Execution Environments (TEEs), though valuable for securing sensitive computations, fall short in supporting these legacy workloads. Most existing TEEs require significant application modifications, or incur high system call overheads. Additionally, TEEs often enforce fixed enclave sizes failing to accommodate the dynamic memory needs of applications. Many do not consider the security of I/O operations, and those that do, expand the Trusted Computing Base (TCB) significantly, weakening the TEE.We present TESLA, a novel TEE architecture designed to natively support the execution of unmodified legacy applications on embedded systems. TESLA introduces Fluid Enclaves, which dynamically adjust enclave sizes based on the application’s runtime memory requirements. To minimize system call overheads, TESLA introduces Enclave Windows that permit an untrusted Operating System temporary access to system call parameters within the enclave. TESLA also ensures confidentiality and integrity of I/O data exchanged between enclaves and peripherals. We have implemented a prototype of TESLA on a RISC-V processor running the Linux kernel, synthesizing it on an FPGA to demonstrate its feasibility. The evaluation quantifies the hardware and runtime performance overheads, demonstrating TESLA’s practicality and effectiveness in overcoming key limitations of existing TEEs.