Trusted Execution Environments (TEEs), such as Intel SGX and ARM TrustZone, provide isolated regions of CPU and memory for secure computation and are increasingly used to protect sensitive data and code across diverse application domains. However, little is known about how developers actually use TEEs in practice. This paper presents the first large-scale empirical study of real-world TEE applications. We collected and analyzed 241 open-source projects from GitHub that utilize the two most widely adopted TEEs, Intel SGX and ARM TrustZone. By combining manual inspection with customized static analysis scripts, we examined their adoption contexts, usage patterns, and development practices across three phases. First, we categorized the projects into 8 application domains and identified trends in TEE adoption over time. We found that the dominant use case is IoT device security (30%), which contrasts sharply with the prior academic focus on blockchain and cryptographic systems (7%), while AI model protection (12%) is rapidly emerging as a domain. Second, we analyzed how TEEs are integrated into software and observed that 32.4% of the projects reimplement cryptographic functionality instead of using official SDK APIs, suggesting that current SDKs may be too limited in usability and portability to meet developers' practical needs. Third, we examined security practices through manual inspection and found that 25.3% (61 of 241) of the projects exhibit insecure coding behaviors when using TEEs, such as hardcoded secrets and missing input validation, which undermine their intended security guarantees. Our findings have important implications for improving the usability of TEE SDKs and supporting developers in trusted software development.