Trusted execution enhanced IC (Motion proposal)
The Internet Computer (IC) is a general infrastructure for a wide variety of applications processing all kinds of security-sensitive data ranging from user-centric private information to financial digital assets. While the IC as of today already provides a high level of fault-tolerance and security, all available technical means to improve its security and resilience should be explored. With the wide-spread advent of hardware-based trusted execution, the current protection of the IC against attacks such as rogue data centers providers and intrusions at the host level can be further strengthened and fortified.
Objective
Devise a trusted execution harnessed IC to further increase its security in terms of integrity and privacy against privileged local attackers. Provide additional means for users to validate the integrity of the IC. Together, this will substantially increase the security of the IC and all its hosted assets and data.
Background
In a nutshell, recent hardware-aided trusted execution support ensures that code and data outside the CPU is handled in an encrypted form and only decrypted, while being processed by a secured execution context inside the CPU. In addition, remote attestation makes it possible to validate that the secured execution context has been initialized on trustworthy hardware in a certain state, thereby comprising only the requested code and data.
The IC is deployed and managed via tailored virtual machines that serve its code and data. Accordingly, trusted execution should be applied at the level of whole virtual machine instances as this puts all necessary code and data under its protection and is a natural fit. This scope also limits the integration overhead and paves the way for interoperability between different trusted execution technologies.
Why this is important
Securing the decentralized infrastructure of the IC is a key concern of the DFINITY Foundation. Along these lines the admission process of new node providers will be more and more relaxed with the aim to enable rapid growth and empower the community to participate in all matters of the IC. However, attached with a lightweight process to become a node provider, there is also the risk of abuse and the integration of improperly secured environments. In order to address these concerns, trusted execution will be utilized to additionally protect the virtual machines of the IC against unauthorized access from local privileged attackers. As a consequence the integration of trusted execution can be considered as an enabler for the further growth and decentralisation of the IC.
Proposal
To make the IC and its software ready for trusted execution, current technology has to be evaluated. As a prime candidate, AMD SEV-SNP as an upcoming technology that provides mechanisms to secure virtual machines and flexible remote attestation is considered. Furthermore, technologies such as Intel’s TDX will be explored.
Independent of the utilized technology, the current build and deployment process of the IC virtual machines has to be tailored for trusted execution. In particular, a deterministic build process and virtual machine instantiation enabling remote attestation has to be designed and implemented. While the IC virtual machines are already secured against various attacks, additional security measures have to be implemented to protect against local privileged attackers. Basing on this extended support, the IC will make use of remote attestation to enable the vetted integration of new virtual machine instances. The IC protocol will have to be extended to enable remote attestation performed from multiple locations to account for malicious nodes, thereby matching the failure model of the IC. The protocol extensions will undergo a security review and an approach for the migration has to be devised.
In the beginning, the plan is to focus on a certain trusted execution technology for the initial deployment, next the focus will be widened and at least one further technology will be investigated. The core motivation is not to depend on a single hardware provider and to devise the trusted execution support for the IC to be as vendor-neutral as possible.
While the work outlined so far primarily focuses on the internal security of the IC, it must be possible for the end-users to validate these enhancements in such a way that a user will perform remote attestation implicitly by accessing the IC. As a consequence, hardware-aided end-to-end security between the user and the IC virtual machines can be established, which requires the design, development, and testing of additional software executed on the user-side.
Key milestones
This motion proposal targets a long-term perspective and as such is planned for three years. Parts of it will be detailed and refined as the work progresses. At this stage six milestones are planned:
- M1: The build and deployment process of the IC is ready for applying trusted execution and performing remote attestation
- M2: Trusted execution has been deployed and secures the VMs of selected subnets featuring the next generation of the IC hardware
- M3: Remote attestation has been integrated into the IC protocol
- M4: Client-side validation via remote attestation of the IC nodes is enabled
- M5: Widespread integration of trusted execution to a majority of the IC nodes
- M6: Vendor-neutral support for trusted execution is enabled and demonstrated
Discussion leads
As members of the DFINITY research team Rüdiger Kapitza and Helge Bahmann will drive the proposal and are available for discussion.
Why the DFINITY Foundation should make this a long-running R&D project
While trusted execution is marked-available for a few years now and cloud-vendors have launched initial commercial offerings it is still a cutting-edge technology that rapidly evolves and new hardware extensions as well as updates to existing ones will surface. Integrating such a promising but also disruptive technology requires carefully adapting and evolving central parts of the IC over the next few years. This gets especially visible with the aim to integrate trusted execution despite the strong hardware dependencies as vendor-neutral as possible.
Skills and Expertise necessary to accomplish this
The implementation of this motion proposal will require a diverse set of expertise as applying trusted execution to the IC is a cross-cutting endeavour. At the lowest level it demands a solid understanding of the trusted execution hardware including being able to access and possibly mitigate aspects of side-channel attacks. At the system level the integration of the hardware into the operating system and the virtualization layer has to be performed and existing hardware-vendor support extended for the demands of the IC. Based on the devised system layer the offered functionality and services of the trusted execution hardware have to be integrated into the protocol of the IC.
To conclude the required expertise spans topics related to hardware security, operating systems, systems security and the engineering of distributed protocols.
In line with the above stated expertise and skills this will be a strong multi-team. In particular it is expected that initially the node team that is responsible for the operating system of the IC will lead the proposal. However, as the work progresses other teams such as the consensus and networking as well as the SDK team will play an increasingly important role. Finally, as the results of the proposal will need to be tested and deployed additional teams will be involved.
Open Research questions
Strengthening the security of IC by the crosscutting-integration of trusted execution poses a unique research challenge. While applying trusted execution to distributed applications has recently been a subject of various research efforts, there is to our knowledge no operative decentralised system that is near to the size of the IC which already employs trusted execution. In particular, this notion proposal will answer the following research questions:
- How to integrate trusted execution in a scalable and decentralized infrastructure such as the IC? Any centralised control should be avoided.
- How to design and implement a vendor-neutral system support for trusted execution? As the IC evolves the transparent use of different trusted execution technology should be enabled.
- How to seamlessly integrate trusted execution into the IC protocol so distributed remote attestation that matches the fault model the IC becomes possible?
- How to empower the users in validating the security of the IC via remote attestation? This validation step should be transparent while accessing the IC and not only directed to the accessed machine but span, for example, all nodes of a subnet.
Examples where community can integrate into project
Due to the wide scope of required expertise for this motion proposal it is expected that it will be carried out in tight interaction with the community. In particular it is planned to organise workshops as the motion proposal evolves to discuss hardware security, system integration and protocol integration. Especially, in scope of diversifying the hardware support the community could enable a rapid evolution. Furthermore, a critical assessment and discussion regarding the security implications of the utilized hardware is of strong interest.
What we are asking the community
Trusted execution is a novel and rapidly evolving technology that will require intense discussion and exchange to integrate it in a vendor-neutral and future-proof fashion. While hardware-based security is on the rise it also comes attached with concerns and vulnerabilities will surface. All along the implementation of this motion proposal a constant exchange with the community is essential to make it a success. Accordingly, we welcome comments, questions and feedback and hope for a positive vote on the proposal.