Trusted Execution Environments (TEEs), such as Intel SGX and ARM TrustZone, provide isolated regions of CPU and memory for secure computation and are increasingly used to protect sensitive data and code across diverse application domains. However, little is known about how developers actually use TEEs in practice. This paper presents the first large-scale empirical study of real-world TEE applications. We collected and analyzed 241 open-source projects from GitHub that utilize the two most widely-adopted TEEs, Intel SGX and ARM TrustZone. By combining manual inspection with customized static analysis scripts, we examined their adoption contexts, usage patterns, and development practices across three phases. First, we categorized the projects into 8 application domains and identified trends in TEE adoption over time. We found that the dominant use case is IoT device security (30%), which contrasts sharply with prior academic focus on blockchain and cryptographic systems (7%), while AI model protection (12%) is rapidly emerging as a growing domain. Second, we analyzed how TEEs are integrated into software and observed that 32.4% of the projects reimplement cryptographic functionalities instead of using official SDK APIs, suggesting that current SDKs may have limited usability and portability to meet developers' practical needs. Third, we examined security practices through manual inspection and found that 25.3% (61 of 241) of the projects exhibit insecure coding behaviors when using TEEs, such as hardcoded secrets and missing input validation, which undermine their intended security guarantees. Our findings have important implications for improving the usability of TEE SDKs and supporting developers in trusted software development.

翻译：可信执行环境（TEEs），如 Intel SGX 和 ARM TrustZone，为安全计算提供了 CPU 和内存的隔离区域，正日益广泛地用于保护不同应用领域中的敏感数据和代码。然而，关于开发者如何在实践中实际使用 TEEs，目前所知甚少。本文首次对现实世界中的 TEE 应用进行了大规模实证研究。我们从 GitHub 上收集并分析了 241 个使用两种最广泛采用的可信执行环境——Intel SGX 和 ARM TrustZone——的开源项目。通过结合人工检查与定制的静态分析脚本，我们考察了它们在三个阶段的采用背景、使用模式和开发实践。首先，我们将这些项目归类为 8 个应用领域，并识别了 TEE 采用随时间变化的趋势。我们发现，最主要的用例是物联网设备安全（30%），这与学术界先前主要关注区块链和密码系统（7%）形成鲜明对比，而 AI 模型保护（12%）正迅速成为一个不断增长的领域。其次，我们分析了 TEEs 如何被集成到软件中，并观察到 32.4% 的项目重新实现了加密功能，而不是使用官方的 SDK API，这表明当前的 SDK 在满足开发者的实际需求方面，其可用性和可移植性可能有限。第三，我们通过人工检查考察了安全实践，发现 25.3%（241 个中的 61 个）的项目在使用 TEEs 时表现出不安全的编码行为，例如硬编码密钥和缺少输入验证，这削弱了其预期的安全保障。我们的发现对于改进 TEE SDK 的可用性以及支持开发者进行可信软件开发具有重要意义。