Trusted Execution Environments (TEEs) such as Intel SGX provide strong hardware-enforced security guarantees by isolating sensitive code and data within secure enclaves. However, current SGX development workflows are primarily targeted at low-level languages like C/C++ and often require significant manual effort, hindering the development of applications that benefit from enclave technology and slowing adoption of TEEs. Prior research has proposed abstractions to ease enclave integration, but these either obscure enclave boundaries or fail to meet all functional and security requirements needed for practical use. In this work, we present a novel framework that enables frictionless integration of enclaves into modern modular software applications. Our prototype, EnC#, offers an elegant way to define and integrate Intel SGX enclaves into C# code. With minimal annotations, developers can isolate security-critical components into SGX enclaves, while the framework enforces strict interaction across trust boundaries and generates secure enclave binaries. At runtime, a lightweight in-enclave execution environment securely hosts trusted components and preserves SGX's isolation guarantees. Our approach offers excellent usability without compromising on strong enclave-level security, distinguishing it from other SGX-based solutions.
Gilang Mentari Hamidy, Pieter Philippaerts, and Wouter Joosen. 2026. EnC#: Frictionless Trusted Execution for Managed Languages. In The 41st ACM/SIGAPP Symposium on Applied Computing (SAC ’26), March 23–27, 2026, Thessaloniki, Greece. https://doi.org/10.1145/3748522.3779756
This repository contains a reproducible artifact of EnC# which can be built and run from scratch. It also provides the sample programs that we used in the evaluation part of our paper.
- Machine with Intel SGX support (SGX1 is supported)
- Linux machine with Docker (unfortunately, Docker on Windows is not supported, since the Windows SGX driver works differently)
While it is possible to build directly on the host machine, we recommend using the provided Dockerfile to build a fully working Docker image that can build and run EnC# programs. The Dockerfile compiles all of the EnC# infrastructure automatically and produces a working NuGet package that is installed directly in the resulting Docker image. You can also use the NuGet package outside the Docker environment by copying it out of the Docker container.
# Clone the repository and fetch its submodules (the submodule update must run inside the checkout)
git clone https://github.com/DistriNet/EnCSharp
cd EnCSharp
git submodule update --init --recursive --depth 1
# Build the image; this compiles the EnC# infrastructure and installs the NuGet package
docker build ./ -t encsharp
# Start a shell in the image without SGX device pass-through (building only)
docker run --rm -it --entrypoint bash encsharp
# Start a shell with the SGX device passed through, required to run enclaves
docker run --rm -it --device=/dev/sgx_enclave --entrypoint bash encsharp
If you prefer the hard way and want to compile directly on the host machine, refer to the Dockerfile for the build steps. The Dockerfile is based on the CentOS distribution, as it is one of the few distributions supported by the Intel SGX SDK.
You can refer to the test/evaluation/*/encsharp directory for sample programs. In general, EnC# works with the default .NET project template, so it is always possible to start with dotnet new console.
The project file for an EnC# program is as follows:
<Project>
  <Sdk Name="EnCSharp.Sdk" Version="1.0.0" />
  <PropertyGroup>
    <TargetFramework>net9.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <IsPackable>false</IsPackable>
    <EnCSharpSGXSignKeyFile>SigningKey.pem</EnCSharpSGXSignKeyFile>
    <OutputType>Exe</OutputType>
  </PropertyGroup>
  <ItemGroup Condition="$(EnCSharpIsolateBuild) == 'true'">
    <Compile Remove="Main.cs" />
  </ItemGroup>
</Project>
The project file needs to specify the EnC# SDK by adding the <Sdk Name="EnCSharp.Sdk" Version="1.0.0" /> tag at the top of the project file. It instructs MSBuild to use the EnC# SDK instead of the regular .NET SDK to compile the project.
The EnCSharpSGXSignKeyFile property must also be set in the PropertyGroup to specify the signing key for the SGX enclave.
You can exclude specific source files from the enclave build by adding Condition="$(EnCSharpIsolateBuild) == 'true'" to an ItemGroup or Compile element. EnCSharpIsolateBuild evaluates to true when EnC# is compiling for the enclave. You may want to do this if a source file is used exclusively in the untrusted domain and cannot be compiled for the enclave.
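The conditional exclusion above generalises to whole directories of untrusted-only code using standard MSBuild globs. The project file below is an added example (it is not taken from the EnCSharp repository) that keeps everything under a hypothetical Untrusted/ folder out of the enclave build; the ENCSHARP_ENCLAVE constant is an assumption, added so that shared sources can guard host-only code with #if, and it presumes EnC# honours DefineConstants like the regular .NET SDK does.

```xml
<Project>
  <Sdk Name="EnCSharp.Sdk" Version="1.0.0" />
  <PropertyGroup>
    <TargetFramework>net9.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <IsPackable>false</IsPackable>
    <EnCSharpSGXSignKeyFile>SigningKey.pem</EnCSharpSGXSignKeyFile>
    <OutputType>Exe</OutputType>
  </PropertyGroup>

  <!-- Applies only while EnC# compiles the enclave half of the project. -->
  <PropertyGroup Condition="$(EnCSharpIsolateBuild) == 'true'">
    <!-- Assumed constant (not defined by EnC#): lets shared files #if out host-only code. -->
    <DefineConstants>$(DefineConstants);ENCSHARP_ENCLAVE</DefineConstants>
  </PropertyGroup>

  <ItemGroup Condition="$(EnCSharpIsolateBuild) == 'true'">
    <!-- Entry point and console UI never run inside the enclave. -->
    <Compile Remove="Main.cs" />
    <!-- Hypothetical folder holding file/network I/O and other host-only helpers. -->
    <Compile Remove="Untrusted\**\*.cs" />
  </ItemGroup>
</Project>
```

Keeping host-only code out of the enclave image has a security benefit beyond compilation convenience: everything that is compiled into the enclave becomes part of its trusted computing base and is covered by its measurement, so the less untrusted-domain code lands there, the smaller the attack surface inside the trust boundary.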
To run the program, simply call dotnet run, just like for every other .NET program.
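The project file references SigningKey.pem, but the page does not show how that key is created. The script below is an added example, not part of the EnCSharp repository; it assumes that EnC# passes the key to the Intel SGX SDK signing tool, which requires a 3072-bit RSA key with public exponent 3, and it generates and validates such a key with openssl so that a wrong key is caught before the enclave build.

```shell
#!/bin/sh
# Added example (not EnCSharp's own tooling): create and validate the key named
# in EnCSharpSGXSignKeyFile. Assumes EnC# forwards it to the SGX SDK signer,
# which needs RSA-3072 with public exponent 3.

# Generate a signing key at $1 unless one already exists; never overwrite a key.
gen_sgx_signing_key() {
    key="$1"
    if [ -f "$key" ]; then
        echo "key already exists, not overwriting: $key" >&2
        return 0
    fi
    # -3 selects public exponent 3; 3072 is the modulus size the SGX SDK requires.
    openssl genrsa -3 -out "$key" 3072 2>/dev/null || return 1
    # The key determines the enclave's MRSIGNER identity: keep it owner-readable only.
    chmod 600 "$key"
}

# Return 0 only if $1 is an RSA key with a 3072-bit modulus and exponent 3.
check_sgx_signing_key() {
    key="$1"
    [ -r "$key" ] || { echo "cannot read $key" >&2; return 1; }
    # "Modulus=<hex>": a 3072-bit modulus prints as 768 hex digits.
    modhex=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null | sed 's/^Modulus=//')
    bits=$(( ${#modhex} * 4 ))
    # "publicExponent: 3 (0x3)" in the textual key dump.
    exp=$(openssl rsa -in "$key" -noout -text 2>/dev/null | sed -n 's/^publicExponent: \([0-9]*\).*/\1/p')
    [ "$bits" -eq 3072 ] || { echo "modulus is $bits bits, expected 3072" >&2; return 1; }
    [ "$exp" = "3" ] || { echo "public exponent is ${exp:-unknown}, expected 3" >&2; return 1; }
    return 0
}

# Usage: sh gen-sgx-key.sh [path]   (run explicitly; nothing happens when only sourced)
if [ "${GEN_SGX_KEY_RUN:-0}" = "1" ]; then
    target="${1:-SigningKey.pem}"
    gen_sgx_signing_key "$target" && check_sgx_signing_key "$target" && echo "ok: $target"
fi
```

The key produced here is a long-term secret: an enclave signed with it carries that key's identity (MRSIGNER), so it belongs in a secrets store or a dedicated signing host, not in the repository next to the project file. Adding SigningKey.pem to .gitignore is the minimum; the check function is what you would run in CI against the key you do supply, so that a default 2048-bit/65537 key is rejected before sgx_sign fails on it.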
EnC# is mainly implemented in this repository, with additional git submodules, which are:
- dotnet-runtime fork, which contains partial modifications to support compiling and running the .NET runtime inside the SGX enclave. It includes the Platform Abstraction Layer (PAL) for the Intel SGX target.
- icu fork, which supports compiling icu statically; icu is (currently) a required dependency of the .NET runtime.
Got any questions? Want to contribute? Feel free to contact me (Gilang Hamidy) via
[FIRSTNAME] [AT] [LASTNAME] [DOT] [NET]!