TZ4Fabric: Executing Smart Contracts with ARM TrustZone

TL;DR

TZ4Fabric enhances blockchain privacy by securely executing smart contracts within ARM TrustZone TEEs, balancing security and performance on low-cost devices, and extending Hyperledger Fabric with minimal trusted computing base.

Contribution

It introduces TZ4Fabric, a novel extension of Hyperledger Fabric that leverages ARM TrustZone for secure smart contract execution with minimal trusted computing base.

Findings

Secure smart contract execution with TrustZone reduces data exposure.

Performance trade-offs are observed due to added security measures.

Open-source implementation on low-end devices like Raspberry Pi.

Abstract

Blockchain technology promises to revolutionize manufacturing industries. For example, several supply-chain use-cases may benefit from transparent asset tracking and automated processes using smart contracts. Several real-world deployments exist where the transparency aspect of a blockchain is both an advantage and a disadvantage at the same time. The exposure of assets and business interaction represent critical risks. However, there are typically no confidentiality guarantees to protect the smart contract logic as well as the processed data. Trusted execution environments (TEE) are an emerging technology available in both edge or mobile-grade processors (e.g., Arm TrustZone) and server-grade processors (e.g., Intel SGX). TEEs shield both code and data from malicious attackers. This practical experience report presents TZ4Fabric, an extension of Hyperledger Fabric to leverage Arm TrustZone for the secure execution of smart contracts. Our design minimizes the trusted computing base executed by avoiding the execution of a whole Hyperledger Fabric node inside the TEE, which continues to run in untrusted environment. Instead, we restrict it to the execution of only the smart contract. The TZ4Fabric prototype exploits the open-source OP-TEE framework, as it supports deployments on cheap low-end devices (e.g., Raspberry Pis). Our experimental results highlight the performance trade-off due to the additional security guarantees provided by Arm TrustZone. TZ4Fabric will be released as open-source.