Demo website for "Teamwork makes TEE work: Open and Resilient Remote Attestation on Decentralized Trust"
JANUS Remote Attestation
JANUS is an open and resilient scheme that targets two long-standing limitations of traditional Trusted Execution Environment (TEE) Remote Attestation (RA) solutions:
Closed and centralized trust model: trust in attestation always reduces to trust in a single party (the TEE manufacturer or a third-party verification service).
For openness, JANUS introduces a Physically Unclonable Function (PUF) as a second Root of Trust (RoT) to decentralize the TEE RoT. Further, so that verification is no longer executed by a single party, JANUS uses smart contracts to realize collective on-chain attestation and result audit.
Inflexible design: attestation is usually rigidly designed as a fixed procedure for common real-world scenarios (e.g., the RATS architecture), that is, it lacks resilience.
For resilience, JANUS designs a turnout mechanism that lets it offer flexible RA services under various situations such as network outage, compute exhaustion, etc.
JANUS is implemented as an open-source prototype and comes with a Universal Composability (UC) based security proof; together they demonstrate its security, scalability and generality.
→ How to make the RoT in TEE more open and trusted ? (attester side)
Insight: The endorsement of a measurement (i.e., the signature) in TEE RA should be transferred from a single party to multiple parties, that is, multi-party measuring or multi-party signing. Thus, the single centralized RoT in TEE should be decentralized by adding a new RoT with independent trust.
Solution: The pseudo-randomness of its responses and the unclonability of its structure make a PUF a natural candidate for providing both integrity and authenticity of its input, so that measuring and "signing" can be realized at the same time. For the first time, JANUS sets a PUF as a unique and independent second RoT in TEE.
→ How to make the verification more open and trusted ? (verifier side)
Insight: Measurement verification should be publicly executable, running on top of a hypothetical "bulletin board". Anyone should be able to take part in the verification process and determine the result, which is then permanently and publicly reflected on the "bulletin board".
Solution: Blockchains and smart contracts are built for exactly this purpose. In JANUS, a group of verifiers collectively validates the measurements on-chain. Snapshots of RA sessions are also taken and stored on the blockchain permanently for later audit. The trustworthiness of both the verification execution and the final result is hence guaranteed by this decentralized design.
→ How to make the attestation more resilient ?
Insight: Participants should be able to adaptively select attestation methods to cope with network outages, hardware malfunction, compute exhaustion and other common system failures.
Solution: A turnout mechanism is introduced in JANUS to combine different attestation functions and switch between them. We implemented it as a smart contract that combines on-chain and off-chain attestation.
JANUS focuses on the architectural design of TEE RA schemes. It aims to solve the over-centralization and lack of resilience issues in most designs. Specifically, JANUS wishes to provide:
Lightweight attestation protocols for generic devices;
Practical decentralized RA functionalities using blockchain and smart contract;
Insights of creating trust decentralization and application resilience for TEE RA.
JANUS does not offer an off-the-shelf hardware integration of PUF into existing TEEs. Currently, the following are out of scope:
Seamless Integration of PUF into commercial TEE products like Intel SGX, ARM TrustZone, and others;
IC design of new PUF implementations;
Design of new blockchain consensus algorithms and smart contract engines;
TEE SDK development and instruction customization.
We will continue to improve and enrich JANUS in the future. We hope that JANUS is the beginning of a series of work combining PUF and TEE.
A Physical Unclonable Function (PUF) is usually used to generate chip IDs or secret keys, but it can do more than that. As shown in this table, if we rethink PUF in cryptographic terms, PUF is the only primitive that derives fresh randomness without being given a secret key. In other words, the PUF itself is the key.
Compared to a TPM, a PUF provides new security guarantees, independent trust establishment and more succinct usage. It can faithfully decentralize the RoT in TEE.
A PUF naturally realizes both measuring and signing for RA, which no previous primitive achieves:
measuring (integrity): only the same challenge yields the same response.
signing (authenticity): only the same PUF instance yields the same response. This is just what digital signatures do, except that a signature only authenticates a private key, whereas a PUF authenticates the actual physical entity.
PUF provides a different way to build trust compared to TPM or TEE. Simply compiling TPM into or with TEE does not offer extra advantages against advanced physical attackers.
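The measuring/signing behaviour described above can be made concrete with a small simulation. The following is an added example, not code from the JANUS paper or prototype: the PUF is simulated by a keyed PRF whose secret stands in for manufacturing variation and is never exported, the measurement format (plain SHA-256 of an image) and the use of the PUF response as a MAC key over a verifier nonce are this example's own choices, and the firmware blobs are constructed. It shows the attester feeding its measurement to the PUF as the challenge (measuring) and keying a MAC with the response (signing), and the verifier checking against challenge-response pairs enrolled at provisioning, so that a tampered image, a cloned device with a different PUF, and a replayed tag all fail.

```python
import hashlib
import hmac
import secrets


class SimulatedPUF:
    """Stand-in for one PUF instance (simulation, not a hardware model).

    Manufacturing variation is modelled by a random secret generated once and
    never exported, so the only way to obtain a response is to query this
    instance. A real PUF is noisy and needs a fuzzy extractor before its
    responses can be used as below; that step is omitted here.
    """

    def __init__(self) -> None:
        self._structure = secrets.token_bytes(32)

    def response(self, challenge: bytes) -> bytes:
        # Same challenge + same instance -> same response; anything else differs.
        return hmac.new(self._structure, challenge, hashlib.sha256).digest()


def measure(image: bytes) -> bytes:
    """Measurement of the code to be attested (assumed format: plain SHA-256)."""
    return hashlib.sha256(image).digest()


def enroll(puf: SimulatedPUF, golden_images: list) -> dict:
    """Provision stage: the verifier records one challenge-response pair per
    expected (golden) measurement. Only measurements enrolled here can be
    verified later, because the verifier cannot compute PUF responses itself."""
    return {measure(img): puf.response(measure(img)) for img in golden_images}


def attest(puf: SimulatedPUF, running_image: bytes, nonce: bytes) -> tuple:
    """Attester: the measurement is the PUF challenge (measuring) and the PUF
    response keys a MAC over the verifier's nonce (signing). The raw response
    never leaves the device, so the tag cannot be reused under a new nonce."""
    m = measure(running_image)
    r = puf.response(m)
    return m, hmac.new(r, nonce, hashlib.sha256).digest()


def verify(crps: dict, claimed_m: bytes, tag: bytes, nonce: bytes) -> bool:
    """Verifier: look up the enrolled response for the claimed measurement and
    recompute the MAC. Wrong image, wrong chip or stale nonce all fail."""
    r = crps.get(claimed_m)
    if r is None:
        return False  # not a golden measurement, nothing enrolled for it
    expected = hmac.new(r, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def run_scenarios() -> dict:
    """Constructed sample run; the firmware blobs are made-up byte strings."""
    golden = b"janus-firmware-v1"
    genuine = SimulatedPUF()
    clone = SimulatedPUF()  # a different chip running the same firmware
    crps = enroll(genuine, [golden])

    nonce = secrets.token_bytes(16)
    m, tag = attest(genuine, golden, nonce)
    results = {"genuine": verify(crps, m, tag, nonce)}

    m2, tag2 = attest(genuine, b"janus-firmware-v1-backdoored", nonce)
    results["tampered_image"] = verify(crps, m2, tag2, nonce)

    m3, tag3 = attest(clone, golden, nonce)
    results["cloned_device"] = verify(crps, m3, tag3, nonce)

    # Replay: an old, valid tag presented against a fresh nonce.
    results["replayed_tag"] = verify(crps, m, tag, secrets.token_bytes(16))
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The enrollment step is the practical caveat: because nobody but the chip can compute a response, the verifier can only check measurements it enrolled during provisioning, so a golden-image update needs a new enrollment, not just a new reference hash.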
JANUS is working under three stages: Provision, Initialization, and Attestation.
Provision
TEE Manufacturer provisions the device root key and other hardware-specific keys into the device.
The public key certificate is issued.
A unique PUF chip is installed as well.
Initialization
Devices set up a blockchain network.
The Attestation Manager groups the participants and generates their communication keys.
The Manager uploads related information to the registration contract.
Attestation
PUF-based mutual local and remote attestation protocol
On-chain attestation and audit smart contract
Attestation turnout mechanism
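To make the on-chain attestation, audit and turnout items above concrete, here is an added example that is not part of the JANUS prototype: the "chain" is a hash-chained append-only list standing in for the audit contract's storage, the evidence is a plain dict (not JANUS's evidence format), the verifiers are simple callables that compare a measurement against a constructed golden value, and a network outage is simulated by a verifier that raises. The turnout first tries the lightweight single-verifier off-chain path and, when that verifier is unreachable, switches to collective on-chain verification with a quorum, snapshotting both the switch and the votes so an auditor can replay the chain and detect any edited snapshot.

```python
import hashlib
import json
from typing import Callable, Dict, List

Evidence = dict                      # constructed evidence layout, not JANUS's
Verifier = Callable[[Evidence], bool]


class VerifierUnavailable(Exception):
    """Raised when the single off-chain verifier cannot be reached."""


class Ledger:
    """Append-only, hash-chained log standing in for the audit contract's storage."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        h = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "hash": h})
        return h

    def audit(self) -> bool:
        """Anyone can replay the chain; an edited or dropped snapshot breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["record"], sort_keys=True)
            if e["prev"] != prev or hashlib.sha256((prev + body).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def off_chain_attest(verifier: Verifier, evidence: Evidence) -> bool:
    """Single-verifier path: cheap, but the result rests on one party."""
    return verifier(evidence)


def on_chain_attest(ledger: Ledger, verifiers: Dict[str, Verifier],
                    evidence: Evidence, quorum: int) -> bool:
    """Collective path: every registered verifier votes, acceptance needs a quorum,
    and the session snapshot (evidence plus votes) is stored for later audit."""
    votes = {name: bool(v(evidence)) for name, v in verifiers.items()}
    accepted = sum(votes.values()) >= quorum
    ledger.append({"mode": "on-chain", "evidence": evidence, "votes": votes, "accepted": accepted})
    return accepted


def turnout(evidence: Evidence, off_chain: Verifier, verifiers: Dict[str, Verifier],
            ledger: Ledger, quorum: int) -> dict:
    """Turnout: try off-chain first; if that path fails, switch to on-chain.
    The switch itself is snapshotted so an auditor can see why the mode changed."""
    try:
        return {"mode": "off-chain", "accepted": off_chain_attest(off_chain, evidence)}
    except VerifierUnavailable as exc:
        ledger.append({"mode": "turnout", "device": evidence["device"], "reason": str(exc)})
        return {"mode": "on-chain", "accepted": on_chain_attest(ledger, verifiers, evidence, quorum)}


def run_scenarios() -> dict:
    """Constructed sample run: golden value, device names and nonces are made up."""
    golden = hashlib.sha256(b"janus-firmware-v1").hexdigest()

    def good_verifier(ev: Evidence) -> bool:
        return ev["measurement"] == golden

    def faulty_verifier(ev: Evidence) -> bool:  # a verifier that rejects everything
        return False

    def unreachable(ev: Evidence) -> bool:      # simulates a network outage
        raise VerifierUnavailable("off-chain verifier timed out")

    verifiers = {"v1": good_verifier, "v2": good_verifier, "v3": faulty_verifier}
    ledger = Ledger()
    ev = {"device": "dev-1", "measurement": golden, "nonce": "00" * 16}
    bad = {"device": "dev-2", "measurement": "ff" * 32, "nonce": "00" * 16}

    normal = turnout(ev, good_verifier, verifiers, ledger, quorum=2)
    outage = turnout(ev, unreachable, verifiers, ledger, quorum=2)   # 2 of 3 accept
    rejected = turnout(bad, unreachable, verifiers, ledger, quorum=2)  # 0 of 3 accept
    audit_ok = ledger.audit()
    ledger.entries[0]["record"]["reason"] = "edited"  # tamper with a stored snapshot
    return {"normal": normal, "outage": outage, "rejected": rejected,
            "audit_ok": audit_ok, "audit_after_tamper": ledger.audit()}


if __name__ == "__main__":
    print(run_scenarios())
```

The quorum is what gives the collective path its value: one faulty or malicious verifier (v3) cannot flip the result, and because every vote is part of the snapshot, its behaviour is visible to anyone auditing the chain afterwards.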
JANUS is suited for most modern computing systems, such as cloud computing and IoT. It also supports these cutting-edge scenarios:
FaaS (Function as a Service) is a cloud computing paradigm allowing developers to run code in small functions. JANUS enables batch attestation to efficiently verify distributed functions.
Google's zero trust architecture, BeyondCorp, requires a tiered trust-level design. JANUS provides a trust rating for attested platforms, which makes it straightforward to integrate remote attestation with BeyondCorp.
CISA Trusted Internet Connections (TIC) uses auditing to independently assess an entity's compliance with the defined security controls. The audit contract in JANUS provides a practical way to achieve remote attestation in this scenario.
Compatibility
JANUS is designed with general compatibility as one of its goals, specifically:
JANUS implements its attestation evidence based on the evidence formats of publicly available mainstream TEEs.
The off-chain RA protocol preserves a symmetric structure, which keeps it scalable and lightweight regardless of whether the second RoT (PUF) is installed.
The smart contracts in on-chain attestation are loosely coupled with device hardware configurations.
In the future, we will further demonstrate the possibility of extending JANUS to heterogeneous TEE devices.
Replacement?
Despite its emphasis on openness, JANUS does NOT aim to replace the currently available TEE RA schemes. Instead, it expects, and is designed for, integration with real-world RA schemes involving hardware manufacturers and attestation services such as Azure and Intel Amber, which may be interested in joining the consortium of JANUS attestation.
Possible Improvement
We hope JANUS can provide both theoretical insights and practical references for addressing the long-standing limitations of TEE RA. This may help improve real-world TEE RA solutions, facilitate their evolution and even move towards standardization of this decentralized RA paradigm.
With the growing popularity of TEE RA and its diverse use cases, JANUS might set the stage for real-world solutions to enrich their applications. For instance, attestation for FaaS, Zero Trust and IoV, each requiring QoS from a distinct angle, could all be built on top of JANUS. See our paper for details!
Janus is the god of beginnings, gates, transitions and doorways in Roman mythology. He was often depicted with two faces, and this duality matches the off-chain/on-chain RA functions of our design.
Just like a railway turnout, the attestation turnout mechanism of JANUS lets participants freely choose whether to conduct off-chain or on-chain attestation. It can be realized in different forms depending on the actual RA scheme.
In mutual attestation it is fine to call either party the attester or the verifier. However, the EMC server can more conveniently collaborate with a PUF instance, so we let it be the attester to satisfy the assumption in the paper.
Anyone using remote attestation services can use JANUS, i.e., those stakeholders that need to ensure their code is securely deployed on a remote TEE platform, such as cloud service providers, data owners, and developers.
Integrating a PUF into an existing TEE requires CPU / xPU extensions and a new xPU-PUF interface design. The extra effort potentially includes:
On the PUF side, the PUF should be defined as an attestable fixed module, though it can take varied forms. It should be set up under a clear security model (e.g., side-channel resistant).
On the CPU / xPU side, new hardware extensions should be added to cooperate with the injected PUF. RA-related instructions (e.g., measurement or signing) could then optionally be enforced by the PUF.
Any (off-die) physical link between the xPU and the PUF should be encrypted. This potentially requires an additional device attestation mechanism and atomic data import / export. The xPU-PUF interface should be securely designed with the minimal necessary set of operations.