Using TEEs without trusting them

Fan Zhang

Assistant Professor, Yale University

@0xfanzhang

​

SBC MEV Workshop, August 6^th, 2024

completely

Trusted hardware: Isolated execution

SBC MEV Workshop 2024

2

Code & Data

Trusted hardware: Remote attestation

SBC MEV Workshop 2024

3

It’s indeed X running in a genuine TEE.

Remote user

Mental model: trusted third party!

Use cases in Web3

• Oracles: e.g., Town Crier (CCS’16)
• Bridges: e.g., Avalanche
• Payment channels: e.g., TEEChain (SOSP’19)
• Private smart contracts
• Ekiden (EuroS&P’19), Oasis Labs, Secret Network
• Private block builders
• TEE-based one-time signatures
• Web3 account encumbrance (e.g., Dark DAO)
• Web2 account encumbrance
• …

SBC MEV Workshop 2024

4

SBC MEV Workshop 2024

5

Draft by Team Encumbrance: https://tinyurl.com/web2encumbrance

Just a small problem: TEEs aren’t perfect

SBC MEV Workshop 2024

6

• “SoK: Understanding Design Choices and Pitfalls of Trusted Execution Environments” (AsiaCCS’24)
• Vulnerable design
• Controlled side channels
• Micro-architectural side channels
• Speculative execution
• Micro-architecture flaw
• Hardware flaw
• Most widely available TEEs had some vulnerabilities.
• All vulnerabilities break confidentiality; some also break integrity (i.e., leaked attestation keys.)

If history tells us anything

• Hard for me to say it but it’s a matter of time before our favorite TEEs get broken!
• Building TEE is hard for several reasons
• strong adversary model (e.g., malicious OS)
• modern architecture is complex
• close-source design (changing with open hardware)
• There is hope: there has been invaluable effort towards secure-by-design TEEs
• How to systematically hedge against the risks of TEE breaches?

SBC MEV Workshop 2024

7

Some cool ideas out there

• “Trust less”
• Sealed-Glass Proofs (2017): rely on TEE only for integrity, not confidentiality
• somewhat justified by empirical evidence
• Takeaway: transparent TEEs can function like zero-knowledge proofs
• “Trust until failure detected”
• Sting framework (2023): Injecting crafted inputs to TEEs so that leakage is detectable & verifiable.
• Allow upper level protocols to handle failures.
• (Incomplete list)

​

SBC MEV Workshop 2024

8

This talk: two more ideas

• Idea #1: Trust TEE for liveness only
• For systems easily DoS’able by clients, use TEE to prevent DoS.
• → liveness failures can be detected
• Application: Dining Cryptographer networks (DC net)
• Idea #2: insurance & bug bounty for TEE leakage
• When secrets in TEE have economical values & leakage is verifiable, use smart contracts to automatically slash service provider & pay users
• → Disincentivize service provider from attacking
• Application: TEE-protected key management systems (e.g., custodial wallets, Certificate Authority (CA))

SBC MEV Workshop 2024

9

ZIPNet: making DC nets cheap with (dis)Trusted Execution Environments.

SBC MEV Workshop 2024

10

Dining Cryptographers network (DC nets)

• Anonymous Broadcast: broadcast while hiding the sender’s IP address.

​

​

​

​

​

​

SBC MEV Workshop 2024

11

Important for dissent, activism, whistleblower, etc

Private digital payments

Pretty much any privacy system

• Privacy-preserving ML
• Differentially private telemetry
• Blockchain protocols
• …

​

​

Tradeoffs in DC net systems

• 👍 DC nets are attractive for strong anonymity (e.g., immune to traffic analysis unlike Tor)
• 👍 “Anytrust” assumption (as long as one server is honest…)
• 👎 Brittle liveness: easily DoS’able by client
• Cryptographical prevention is expensive
• 👎 Expensive to operate a server
• high computation and bandwidth cost
• Problem: few servers will exist → anonymity weakened

SBC MEV Workshop 2024

12

ZIPNet’s use of TEEs

• ZIPNet introduces a few novel designs
• For DoS prevention, run client code in TEE
• TEE checks client input and signs
• In case of TEE breaches
• Attacker can corrupt outputs
• happily, corruption is easy to detect
• Most importantly, anonymity is intact!
• TEE can be realized by SGX, TDX, something on mobile, or even software-based solutions

SBC MEV Workshop 2024

13

ZIPNet uses TEEs w/o trusting them completely

• Benefits in ZIPNet:
• Much simplified server algorithm (only symmetric-key operations per message)
• Performant at low cost (4x-7x faster than the state of the art at 20x lower cost (~$150 vs ~$3300))
• Principle: Using TEEs without trusting them completely
• When TEE works, things are well and fast.
• TEE breach doesn’t harm the core property (anonymity)
• TEE breach is detectable
• Allows handling of TEE breaches: e.g., switching to a more expensive protocol.
• May generalize to other protocols

​

​

SBC MEV Workshop 2024

14

This talk: two more ideas

• Idea #1: Trust TEE for liveness only
• For systems easily DoS’able by clients, use TEE to prevent DoS.
• → liveness failures can be detected
• Application: Dining Cryptographer networks (DC net)
• Idea #2: insurance & bug bounty for TEE leakage
• When secrets in TEE have economical values & leakage is verifiable, use smart contracts to automatically slash service provider & pay users
• → Disincentivize service provider from attacking
• Application: TEE-protected key management systems (e.g., custodial wallets, Certificate Authority (CA))

SBC MEV Workshop 2024

15

CrudiTEE: a Stick-and-Carrot approach to side channels (AFT’24)

• Useful for TEE-based key management systems where
• secrets in TEEs have economic values
• leakage of secrets is detectable
• Examples: custodial wallets, Certificate Authority (CA)

​

SBC MEV Workshop 2024

16

The Stick-and-Carrot approach

• Service providers (SP) v.s. outsider attackers
• SP have root access to TEEs so they can mount all forms of side channel attacks (they can exfiltrate keys easily)
• Outsiders can only mount remote attacks (need more time and cost to exfiltrate keys)

​

• Stick: SP funds an insurance that pays users for leaked keys
• Goal: SP doesn’t benefit from attacks
• Carrot: bug bounty for outsider attackers
• Goal: incentivize outsider attackers to stop early

SBC MEV Workshop 2024

17

Protocol skeleton of a CrudiTEE wallet

• Secret keys are generated within the TEEs and never exported outside.
• Keys are secret-shared among multiple TEEs (a knot to turn)
• Users use OAuth to authenticate
• SP keeps all OAuth tokens (later)
• Deploy insurance and bug bounty

​

SBC MEV Workshop 2024

18

Key design questions

• Q: How to hold service provider (SP) accountable for leakage?
• A: key accesses are logged on chain in transactions
• SP needs to present an OAuth token for any TX upon challenge by users.
• If she can’t, SP is slashed.

​

• Q: How much collateral does SP need to put down in the insurance?
• A: Ideally the same as the wallet balances, but rate limiting can reduce required collateral.

​

• Q: How to incentivize attackers to stop early?
• A: give rewards for partial success, and condition rewards on time

​

• Details in paper: https://arxiv.org/pdf/2407.16473

SBC MEV Workshop 2024

19

Summary

• How to systematically hedge against TEE breaches?
• “Trust less”: ZIPNet: rely on TEE for liveness
• “Trust until failure detected”: CrudiTEE framework: insurance and bug bounty for TEE leakage

SBC MEV Workshop 2024

20

https://eprint.iacr.org/2024/1227

https://arxiv.org/abs/2407.16473 (AFT’24)