VII. RESEARCH CHALLENGES
Key management dilemma. The private keys in TEE-assisted systems are critical yet hard to manage. On the one hand, keeping the application keys inside a single TEE favours key security, but it also exposes the system to a single point of failure. On the other hand, sharing the private key among multiple TEEs offers practical availability but, as the price, increases the risk of key exfiltration. Meanwhile, key sharing technologies are too complicated to adopt widely and cannot completely solve the key problem. Suppose that an attacker somehow steals the attestation key. She could then generate attestation materials that deceive the user with a false claim: that the contract has been executed. Even worse, if a root key stored in the tamper-resistant hardware (e.g., the Memory Encryption Engine key in SGX) is compromised, all of the techniques for protecting application keys become useless.
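The availability-versus-exfiltration trade-off described above can be made concrete with threshold secret sharing [86]. The following Python is an added example, not code from the paper or from any TCSC system it surveys; it assumes a 256-bit application key represented as an integer, uses a constructed sample key, and the names `split_key`, `recover_key` and `tradeoff` are chosen here. A (t, n) deployment keeps the key recoverable after the loss of n − t TEEs, but an attacker who extracts shares from any t TEEs obtains the key, which is exactly the dilemma the paragraph states.

```python
"""Threshold sharing of a TEE application key (added illustration, not the paper's code).

Shamir's (t, n) secret sharing over a prime field: the key is split into n shares,
one per TEE; any t shares recover it, while fewer reveal nothing about it.
All values are constructed for the demo; no real TEE or SGX API is involved.
"""
import secrets

# 256-bit prime (2**256 - 189), large enough to hold a 256-bit symmetric key.
PRIME = 2**256 - 189


def _eval_poly(coeffs, x):
    """Evaluate c0 + c1*x + c2*x^2 + ... at x modulo PRIME (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_key(key, t, n):
    """Split an integer key into n shares such that any t of them reconstruct it."""
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    if not 0 <= key < PRIME:
        raise ValueError("key is outside the field")
    # Random polynomial of degree t-1 whose constant term is the key.
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    # Share i is the point (i, f(i)); x = 0 (the key itself) is never handed out.
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def recover_key(shares):
    """Lagrange-interpolate f(0) from a list of (x, y) shares.

    With t or more shares this is the key; with fewer it is an unrelated
    field element, because the degree-(t-1) polynomial is underdetermined.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def tradeoff(t, n):
    """Availability vs. exfiltration for a (t, n) deployment.

    Returns (failures_tolerated, compromises_to_leak): the key survives the
    loss of n - t TEEs, but extracting shares from any t TEEs exposes it.
    """
    return n - t, t


if __name__ == "__main__":
    # Constructed sample key; a real deployment would draw it inside the TEE.
    sample_key = 0x1F2E3D4C5B6A79880F1E2D3C4B5A69781F2E3D4C5B6A79880F1E2D3C4B5A6978
    shares = split_key(sample_key, t=3, n=5)
    print("recover from 3 of 5 shares:", recover_key(shares[:3]) == sample_key)
    print("recover from 2 of 5 shares:", recover_key(shares[:2]) == sample_key)
    print("(failures tolerated, compromises to leak):", tradeoff(3, 5))
```

Raising t toward n lowers the number of TEEs an attacker must compromise to nothing more than the whole set, but then a single unavailable TEE blocks recovery; lowering t does the opposite. The code makes no attempt at proactive refresh or verifiable sharing, which are the "complicated" mechanisms the paragraph refers to.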
Transparency issues. Compared with cryptographic approaches backed by mathematics [22], [23], [27], confidential smart contracts that rely on TEEs lack transparency. On the one hand, contracts are executed inside TEEs and their outputs are usually encrypted, so the public verifiability inherited from traditional blockchain systems is lost. The attestation service can only guarantee that the encrypted outputs indeed come from a TEE; neither users nor blockchain nodes can learn whether a TEE has been compromised or whether it executes contracts according to the predefined specifications. Even if many TEEs re-execute the same contract with the same setup (e.g., the same private key) to cross-check the outputs, this inevitably increases the key exfiltration risk in the face of a confidentiality breach. On the other hand, the precise architectures of the chips are still unclear for some TEE products, such as Intel SGX [80]. TEE-assisted solutions force users to place a great deal of trust in the hardware manufacturers; users even argue that Intel may have reduced the security of SGX to improve performance in response to market demand [97]. Additionally, the attestation service used to prove that a program runs inside a TEE is centralized and non-transparent: a compromised provider could insert fake identities and, further, steal the confidential state of smart contracts.
VIII. CONCLUDING REMARKS
Techniques for combining smart-contract execution with TEEs are proliferating, and the absence of systematic work leaves newcomers confused. In this paper, we provide the first SoK on TEE-assisted confidential smart contract systems. TEE technologies endow transparent smart contracts with confidentiality, greatly extending the scope of upper-layer applications. We summarize state-of-the-art solutions by proposing a unified framework covering design models, desired properties, and security considerations. Our analysis clarifies the existing challenges and future directions for the two mainstream architectures (layer-one and layer-two solutions). We believe that this work represents a snapshot of the technologies that have been open-sourced and made public at the time of writing. Our evaluation and analysis within this SoK offer a guide for the community and will foster the development of TCSC applications.
Acknowledgement. Rujia Li and Qi Wang are partially supported by the Shenzhen Fundamental Research Programs under Grant No.20200925154814002. We thank Xinrui Zhang (SUSTech) for her help. Also, we express our appreciation to anonymous reviewers for their valuable comments.
REFERENCES
[1] Nick Szabo. Formalizing and securing relationships on public networks. First monday, 1997.
[2] Gavin Wood et al. Ethereum: A secure decentralised generalised transaction ledger. https://ethereum.github.io/yellowpaper/paper.pdf, 2022.
[3] Kevin Delmolino et al. Step by step towards creating a safe smart contract: Lessons and insights from a cryptocurrency lab. In FC, pages 79–94. Springer, 2016.
[4] Hewa et al. Survey on blockchain based smart contracts: Technical aspects and future research. IEEE Access, 2021.
[5] Maher Alharby and Aad Van Moorsel. Blockchain-based smart contracts: A systematic mapping study. arXiv preprint arXiv:1710.06372, 2017.
[6] Marc Jansen et al. Do smart contract languages need to be turing complete? In CBA, pages 19–26. Springer, 2019.
[7] Siraj Raval. Decentralized applications: harnessing Bitcoin's blockchain technology. O'Reilly Media, Inc., 2016.
[8] Weiqin Zou et al. Smart contract development: Challenges and opportunities. TSE, 2019.
[9] Rui Zhang, Rui Xue, and Ling Liu. Security and privacy on blockchain. CSUR, 52(3):1–34, 2019.
[10] Steven Goldfeder. Private smart contracts. 2018.
[11] Samuel S., Benjamin Bichsel, Mario Gersbach, Noa Melchior, Petar Tsankov, and Martin Vechev. zkay: Specifying and enforcing data privacy in smart contracts. In CCS, pages 1759–1776, 2019.
[12] Karim Baghery. On the efficiency of privacy-preserving smart contract systems. In AFRICACRYPT, pages 118–136. Springer, 2019.
[13] A. Unterweger, F. Knirsch, et al. Lessons learned from implementing a privacy-preserving smart contract in ethereum. NTMS, pages 1–5, 2018.
[14] Fan Zhang, Ethan Cecchetti, Kyle Croman, Ari Juels, and Elaine Shi. Town crier: An authenticated data feed for smart contracts. In CCS, pages 270–282, 2016.
[15] Erik-Oliver Blass and Florian Kerschbaum. Borealis: Building block for sealed bid auctions on blockchains. In AsiaCCS, pages 558–571, 2020.
[16] Hisham S Galal and Amr M Youssef. Trustee: full privacy preserving vickrey auction on top of ethereum. In FC, pages 190–207. Springer, 2019.
[17] Véronique Cortier, David Galindo, Ralf Küsters, Johannes Mueller, and Tomasz Truderung. Sok: Verifiability notions for e-voting protocols. In SP, pages 779–798. IEEE, 2016.
[18] Geetanjali Rathee et al. On the design and implementation of a blockchain enabled e-voting application within iot-oriented smart cities. IEEE Access, 9:34165–34176, 2021.
[19] General data protection regulation. https://gdpr-info.eu/. 2020.
[20] Paul Voigt et al. The eu general data protection regulation (gdpr). A Practical Guide, 1st Ed., Cham: Springer International Publishing, 10:3152676, 2017.
[21] Ahmed Kosba, Andrew Miller, Elaine Shi, Zikai Wen, and Charalampos Papamanthou. Hawk: The blockchain model of cryptography and privacy-preserving smart contracts. In SP, pages 839–858. IEEE, 2016.
[22] Harry Kalodner et al. Arbitrum: Scalable, private smart contracts. In USENIX Security, pages 1353–1370, 2018.
[23] B. Bünz, Jonathan Bootle, Dan Boneh, Andrew Poelstra, Pieter Wuille, and Greg Maxwell. Bulletproofs: Short proofs for confidential transactions and more. In SP, pages 315–334. IEEE, 2018.
[24] Benedikt Bünz et al. Zether: Towards privacy in a smart contract world. In FC, pages 423–443. Springer, 2020.
[25] Yu Chen, Xuecheng Ma, Cong Tang, and Man Ho Au. Pgc: Decentralized confidential payment system with auditability. In ESORICS, pages 591–610. Springer, 2020.
[26] Ravital Solomon et al. smartfhe: Privacy-preserving smart contracts from fully homomorphic encryption. IACR Cryptol. ePrint Arch., 2021:133, 2021.
[27] Guy Zyskind et al. Enigma: Decentralized computation platform with guaranteed privacy. arXiv:1506.03471, 2015.
[28] Dayeol Lee, David Kohlbrenner, et al. Keystone: An open framework for architecting trusted execution environments. In EuroSys, pages 1–16, 2020.
[29] Jan-Erik Ekberg et al. Trusted execution environments on mobile devices. In CCS, pages 1497–1498, 2013.
[30] Seongmin Kim et al. Enhancing security and privacy of tor’s ecosystem by using trusted execution environments. In NSDI, pages 145–161, 2017.
[31] David Kaplan, Jeremy Powell, and Tom Woller. Amd memory encryption. White paper, 2016.
[32] Ferdinand Brasser, David Gens, Patrick Jauernig, Ahmad-Reza Sadeghi, and Emmanuel Stapf. Sanctuary: Arming trustzone with userspace enclaves. In NDSS, 2019.
[33] Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V Rozas, Hisham Shafi, Vedvyas Shanbhogue, and Uday R Savagaonkar. Innovative instructions and software model for isolated execution. HASP@ISCA, 10(1), 2013.
[34] ChongChong Zhao et al. On the performance of intel sgx. In WISA, pages 184–187. IEEE, 2016.
[35] Jinhua Cui et al. Dynamic binary translation for sgx enclaves. arXiv preprint arXiv:2103.15289, 2021.
[36] Rujia Li, Qin Wang, et al. An offline delegatable cryptocurrency system. arXiv preprint arXiv:2103.12905, 2021.
[37] Ying Yan, Changzheng Wei, et al. Confidentiality support over financial grade consortium blockchain. In SIGMOD, pages 2227–2240, 2020.
[38] Rohit Sinha et al. Luciditee: A tee-blockchain system for policycompliant multiparty computation with fairness.
[39] Chinese chang’an chain enterprise blockchain joins digital yuan project, Mar 2021.
[40] Financials. Changan chain, the first independent and controllable blockchain technology system in china, was released today.
[41] Yong Wang et al. Hybridchain: A novel architecture for confidentialitypreserving and performant permissioned blockchain using trusted execution environment. IEEE Access, 8:190652–190662, 2020.
[42] Raymond Cheng, Fan Zhang, Jernej Kos, Warren He, Nicholas Hynes, Noah Johnson, Ari Juels, Andrew Miller, and Dawn Song. Ekiden: A platform for confidentiality-preserving, trustworthy, and performant smart contracts. In EuroSP, pages 185–200. IEEE, 2019.
[43] Poulami Das et al. Fastkitten: Practical smart contracts on bitcoin. In USENIX Security, pages 801–818, 2019.
[44] Christina Müller, Marcus Brandenburger, et al. Tz4fabric: Executing smart contracts with arm trustzone. arXiv preprint arXiv:2008.11601, 2020.
[45] Mark Russinovich et al. Ccf: A framework for building confidential verifiable replicated services. Technical Report MSR-TR-2019-16, Microsoft, April 2019.
[46] Mic Bowman et al. Private data objects: an overview. arXiv preprint arXiv:1807.05686, 2018.
[47] Adam Young and Moti Yung. The dark side of “black-box” cryptography or: Should we trust capstone? In CRYPTO, pages 89–103. Springer, 1996.
[48] Rujia Li, David Galindo, and Qi Wang. Auditable credential anonymity revocation based on privacy-preserving smart contracts. In CBT, pages 355–371. Springer, 2019.
[49] Rujia Li, Qin Wang, et al. An accountable decryption system based on privacy-preserving smart contracts. In ISC, pages 372–390. Springer, 2020.
[50] Oasis lab. https://github.com/oasislabs/secret-ballot/blob/master/contracts/SecretBallot.sol.
[51] Véronique Cortier et al. Election verifiability for helios under weaker trust assumptions. In ESORICS, pages 327–344. Springer, 2014.
[52] Nik Unger, Sergej Dechand, Joseph Bonneau, Sascha Fahl, H. Perl, I. Goldberg, and M. Smith. Sok: Secure messaging. SP, pages 232–249, 2015.
[53] Elli Androulaki, Ghassan O Karame, Marc Roeschlin, Tobias Scherer, and Srdjan Capkun. Evaluating user privacy in bitcoin. In FC, pages 34–51. Springer, 2013.
[54] Sarah Meiklejohn, Marjori Pomarole, Grant Jordan, et al. A fistful of bitcoins: characterizing payments among men with no names. In IMC, pages 127–140, 2013.
[55] Ferdinand Brasser et al. Software grand exposure: SGX cache attacks are practical. In WOOT, 2017.
[56] Yuanzhong Xu et al. Controlled-channel attacks: Deterministic side channels for untrusted operating systems. In SP, pages 640–656. IEEE, 2015.
[57] Mark D Hill et al. On the spectre and meltdown processor security vulnerabilities. IEEE Micro, 39(2):9–19, 2019.
[58] Cynthia Dwork. Differential privacy: A survey of results. In International conference on theory and applications of models of computation, pages 1–19. Springer, 2008.
[59] Ivan Homoliak and Pawel Szalachowski. Aquareum: A centralized ledger enhanced with blockchain and trusted computing. arXiv preprint arXiv:2005.13339, 2020.
[60] Marcus Brandenburger et al. Blockchain and trusted computing: Problems, pitfalls, and a solution for hyperledger fabric. arXiv preprint arXiv:1805.08541, 2018.
[61] Enigma – securing the decentralized web. https://www.enigma.co/.
[62] Juan Garay et al. The bitcoin backbone protocol: Analysis and applications. In EUROCRYPT, pages 281–310. Springer, 2015.
[63] Juan Garay et al. The bitcoin backbone protocol with chains of variable difficulty. In CRYPTO, pages 291–323. Springer, 2017.
[64] Rafael Pass, Lior Seeman, and Abhi Shelat. Analysis of the blockchain protocol in asynchronous networks. In EUROCRYPT, pages 643–673. Springer, 2017.
[65] Juan Garay and Aggelos Kiayias. Sok: A consensus taxonomy in the blockchain era. In RSA, pages 284–318. Springer, 2020.
[66] Intel. Intel software guard extensions (intel sgx). Accessible on https://software.intel.com/content/www/us/en/develop/topics/software-guard-extensions.html, 2020.
[67] Robert Krahn, Donald Dragoti, Franz Gregor, et al. Teemon: A continuous performance monitoring framework for tees. In Middleware, pages 178–192, 2020.
[68] Rui Yuan et al. Shadoweth: Private smart contract on public blockchain. JCST, 33(3):542–556, 2018.
[69] Yin Hang, Zhou Shunfan, and Jiang Jun. Phala network: A confidential smart contract network based on polkadot. https://files.phala.network/phala-paper.pdf, 2019.
[70] Taxa. Taxa network: a universal logic layer for blockchain. Website, 2021. https://taxa.network/.
[71] Enigma. The developer quickstart guide to enigma | by enigma project | enigma. https://blog.enigma.co/the-developer-quickstart-guide-to-enigma-880c3fc4308.
[72] Hyperledger. Introducing hyperledger avalon. www.hyperledger.org/ blog/2019/10/03/introducing-hyperledger-avalon, 2019. (Accessed on 04/19/2021).
[73] Andreas Erwig, S. Faust, et al. Commitee: An efficient and secure commit-chain protocol using tees. IACR Cryptol. ePrint Arch., 2020:1486, 2020.
[74] Yang Xiao et al. Privacyguard: Enforcing private data usage control with blockchain and attested off-chain contract execution. In ESORICS, pages 610–629. Springer, 2020.
[75] Perun Network. Introducing erdstall: Scaling ethereum using trusted execution environments | by perun network | perunnetwork | medium.
[76] Erdstall. Technology – erdstall. https://erdstall.dev/technology/. (Accessed on 04/17/2021).
[77] Wentao Liu. Research on dos attack and detection programming. In Third International Symposium on Intelligent Information Technology Application, volume 1, pages 207–210. IEEE, 2009.
[78] Roberto De Prisco et al. Revisiting the paxos algorithm. Theoretical Computer Science, 243(1-2):35–91, 2000.
[79] Peter Gaži, Aggelos Kiayias, and Dionysis Zindros. Proof-of-stake sidechains. In SP, pages 139–156. IEEE, 2019.
[80] Victor Costan and Srinivas Devadas. Intel sgx explained. IACR Cryptol. ePrint Arch., 2016(86):1–118, 2016.
[81] Nico W., Pierre-Louis Aublin, and Rüdiger Kapitza. sgx-perf: A performance analysis tool for intel sgx enclaves. In Middleware, pages 201–213, 2018.
[82] R. Pries et al. A new replay attack against anonymous communication networks. ICC, pages 1578–1582, 2008.
[83] Marcus Brandenburger, Christian Cachin, Rüdiger Kapitza, and Alessandro Sorniotti. Trusted computing meets blockchain: Rollback attacks and a solution for hyperledger fabric. In SRDS, pages 324–32409. IEEE, 2019.
[84] Shenbin Zhang et al. A solution for the risk of non-deterministic transactions in hyperledger fabric. In ICBC, pages 253–261. IEEE, 2019.
[85] Rosario Gennaro, Stanisław Jarecki, Hugo Krawczyk, and Tal Rabin. Secure distributed key generation for discrete-log based cryptosystems. In EUROCRYPT, pages 295–310. Springer, 1999.
[86] Adi Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979.
[87] Shari Pfleeger and Robert Cunningham. Why measuring security is hard. IEEE SP, 8(4):46–54, 2010.
[88] Intel. Introduction to intel® sgx sealing. Website, 2016. https://software.intel.com/content/www/us/en/develop/blogs/introduction-to-intel-sgx-sealing.html.
[89] Sandro Pinto and Nuno Santos. Demystifying arm trustzone: A comprehensive survey. CSUR, 51(6):1–36, 2019.
[90] Scott Johnson et al. Titan: enabling a transparent silicon root of trust for cloud. In Hot Chips: A Symposium on High Performance Chips, volume 194, 2018.
[91] Cynthia Dwork. Microsoft azure. 2021.
[92] Jo Van Bulck et al. Foreshadow: Extracting the keys to the intel sgx kingdom with transient out-of-order execution. In USENIX Security, pages 991–1008, 2018.
[93] Kit Murdock, David Oswald, Flavio D Garcia, et al. Plundervolt: Software-based fault injection attacks against intel sgx. In SP, pages 1466–1482. IEEE, 2020.
[94] Zitai Chen et al. Voltpillager: Hardware-based fault injection attacks against intel sgx enclaves using the svid voltage scaling interface. In USENIX Security, 2021.
[95] Jo Van Bulck, David Oswald, et al. A tale of two worlds: Assessing the vulnerability of enclave shielding runtimes. In CCS, pages 1741–1758, 2019.
[96] Eli Biham and Adi Shamir. Differential fault analysis of secret key cryptosystems. In CRYPTO, pages 513–525. Springer, 1997.
[97] Tu Dinh Ngoc, Bao Bui, et al. Everything you should know about intel sgx performance on virtualized systems. POMACS, 3(1):1–21, 2019.
[98] Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller, and Steven Goldfeder. Bitcoin and cryptocurrency technologies: a comprehensive introduction. Princeton University Press, 2016.
[99] Tsz Hon Yuen, Shi-feng Sun, et al. Ringct 3.0 for blockchain confidential transaction: Shorter size and stronger security. In FC, pages 464–483. Springer, 2020.
[100] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. Technical report, Manubot, 2008.
[101] Ying Lan et al. Trustcross: Enabling confidential interoperability across blockchains using trusted hardware. arXiv preprint arXiv:2103.13809, 2021.
Authors:
(1) Rujia Li, Southern University of Science and Technology, China, University of Birmingham, United Kingdom and this author contributed equally to this work;
(2) Qin Wang, CSIRO Data61, Australia and this author contributed equally to this work;
(3) Qi Wang, Southern University of Science and Technology, China;
(4) David Galindo, University of Birmingham, United Kingdom;
(5) Mark Ryan, University of Birmingham, United Kingdom.