<?xml version="1.0" encoding="UTF-8"?><ns2:project xmlns:ns1="http://gtr.rcuk.ac.uk/gtr/api" xmlns:ns2="http://gtr.rcuk.ac.uk/gtr/api/project" xmlns:ns3="http://gtr.rcuk.ac.uk/gtr/api/fund" xmlns:ns4="http://gtr.rcuk.ac.uk/gtr/api/person" xmlns:ns5="http://gtr.rcuk.ac.uk/gtr/api/project/outcome" xmlns:ns6="http://gtr.rcuk.ac.uk/gtr/api/organisation" ns1:created="2026-06-03T15:52:43Z" ns1:href="http://gtr.ukri.org/gtr/api/projects/9FD90DC5-57AC-48AD-85E7-970B0628863E" ns1:id="9FD90DC5-57AC-48AD-85E7-970B0628863E"><ns1:links><ns1:link ns1:href="http://gtr.ukri.org/gtr/api/persons/F55BAE5D-743E-4206-B0D0-D1B2F8A2A761" ns1:rel="PM_PER"/><ns1:link ns1:href="http://gtr.ukri.org/gtr/api/organisations/BA5C6E86-61C3-42E5-8F7A-CDC80006093A" ns1:rel="LEAD_ORG"/><ns1:link ns1:href="http://gtr.ukri.org/gtr/api/organisations/BA5C6E86-61C3-42E5-8F7A-CDC80006093A" ns1:rel="PARTICIPANT_ORG"/><ns1:link ns1:end="2021-09-29T23:00:00Z" ns1:href="http://gtr.ukri.org/gtr/api/funds/4A246B5F-8028-4396-B86C-740E177018B9" ns1:rel="FUND" ns1:start="2021-03-31T23:00:00Z"/></ns1:links><ns2:identifiers><ns2:identifier ns2:type="RCUK">10004575</ns2:identifier></ns2:identifiers><ns2:title>A TEE-aware compartmentalization framework based on DSbD</ns2:title><ns2:status>Closed</ns2:status><ns2:grantCategory>Collaborative R&amp;D</ns2:grantCategory><ns2:leadFunder>ISCF</ns2:leadFunder><ns2:abstractText>Through this project, we will contribute to our industry's understanding of how to build a capability-architecture-based Trusted Execution Environment (TEE) that provides strong isolation and secure data sharing across the secure and normal worlds. As a company, we require this for our products, but the opportunity is much bigger than our sector alone (identity verification). Many use cases exist, for example in financial services, in enterprise and in media, to enhance security around transactions, data and content.

With this grant, our objective is to investigate a solution that could mitigate the current vulnerabilities posed by existing TEEs. We will research a capability-architecture-based TEE development framework for strong isolation and secure sharing of system resources and application data across the secure and normal worlds, controlling dataflows within object capabilities via isolated compartments with assured pipelines.

We are a passionate AIoT SME, but security underpins our technology, our positioning and our growth. TEEs are an area our CTO has done a lot of work in. Winning this grant would allow us to put resources behind this real market problem. Our vision is that this research could be used as a basis for us to build a prototype in the future, which would not only strengthen our product's security, but also play our part in radicalising the UK's digital computing infrastructure.

Using the FVP platform with the CHERI processor prototype, the CheriBSD kernel, Clang/LLVM and CheriBSD's userspace, our key objectives are to:

* Investigate the performance, semantics, vulnerability mitigations and merits of a compartmentalized TEE in comparison to existing standard TEE environments (Intel SGX and ARM TrustZone)
* Understand whether a framework like this eases development and adoption, and whether it supports hardware independence
* Explore enclave life-cycle management

We will focus on application-layer compartmentalization through separation of concerns between normal-world and secure-world functions, and on further decomposition of capabilities within the secure (enclave) world, including modular abstraction with isolated compartments that follow the single-responsibility and separation-of-privilege principles. This is innovative because, working with DSbD technologies, it aims to move the separation of concerns between the two worlds away from the hardware or the OS stack, while retaining the integrity of the TEE and addressing the vulnerabilities of existing approaches.

After completing this research, we endeavour to build a prototype framework for further testing internally and, ideally, with the wider software and DSbD community.</ns2:abstractText></ns2:project>