From Cambridge to Taipei: presenting Attestable Builds at ACM CCS

We travelled to Taiwan to present our research on verifiable build attestation at ACM CCS 2025—one of the world's top security conferences. Our new approach ensures provenance and integrity of digital artifacts and addresses a critical gap in modern software supply chain security.
How to make the supply chain trustworthy?
Our paper addresses a critical issue in software security: how can we verify that software is truthfully built from the underlying source code? High-profile incidents have demonstrated the devastating impact of supply chain attacks, including the SolarWinds hack (where the build server itself was compromised), the XZ backdoor, and the recent attack on LiteLLM, a tool downloaded 3.4 million times per day. Existing approaches, such as making the build process reproducible, suffer from high engineering and maintenance costs and are not applicable in commercial settings where code needs to remain confidential. As supply chain attacks continue to rise and effective mitigations remain limited, one conclusion is inevitable:
Modern software supply chains can no longer be implicitly trusted—they must be verifiable
Building a verifiable build environment leveraging Confidential Computing
Our research introduces “Attestable Builds”, a new approach for establishing a strong, verifiable link between source code and the resulting binary. It provides a high degree of assurance about the provenance and integrity of a software artifact, and that assurance can be instantly verified by anyone. By leveraging hardware-backed trusted execution environments (TEEs), we create isolated and verifiable build environments, drastically reducing the trust overhead. This approach provides strong security guarantees out of the box, making supply chain security more accessible for everyone.
Confidential Computing is everywhere
TEEs were high up on the research agenda across many tracks, from novel attacks and defenses to enabling new systems. We are seeing maturity in both the technology and its use in the latest research. As with every healthy field, open questions abound: how can we reduce the required trust in singular hardware vendors? How can we bootstrap trust in the pre-attestable world? We enjoyed presenting at ACM CCS (2025's most competitive top-tier security conference with an acceptance rate <14%) and the many discussions that we had around it. However, while acceptance validates the significance and importance of our research, a paper does not have an impact in itself. That's why we are now building the real thing at Light Squares.

