RAPTEE: Leveraging trusted execution environments for Byzantine-tolerant peer sampling services

TL;DR

This paper introduces RAPTEE, a protocol that uses trusted execution environments to enhance Byzantine resilience in peer sampling, significantly reducing malicious influence in large-scale distributed systems.

Contribution

RAPTEE leverages trusted hardware like Intel SGX to improve Byzantine tolerance in peer sampling, integrating trusted gossip to limit adversarial bias in node views.

Findings

RAPTEE reduces Byzantine influence by up to 17% with 1% trusted nodes.

The protocol maintains security even against attackers targeting trusted nodes.

Experiments with 10,000 nodes validate RAPTEE's effectiveness in large-scale systems.

Abstract

Peer sampling is a first-class abstraction used in distributed systems for overlay management and information dissemination. The goal of peer sampling is to continuously build and refresh a partial and local view of the full membership of a dynamic, large-scale distributed system. Malicious nodes under the control of an adversary may aim at being over-represented in the views of correct nodes, increasing their impact on the proper operation of protocols built over peer sampling. State-of-the-art Byzantine resilient peer sampling protocols reduce this bias as long as Byzantines are not overly present. This paper studies the benefits brought to the resilience of peer sampling services when considering that a small portion of trusted nodes can run code whose authenticity and integrity can be assessed within a trusted execution environment, and specifically Intel's software guard extensions technology (SGX). We present RAPTEE, a protocol that builds and leverages trusted gossip-based communications to hamper an adversary's ability to increase its system-wide representation in the views of all nodes. We apply RAPTEE to BRAHMS, the most resilient peer sampling protocol to date. Experiments with 10,000 nodes show that with only 1% of SGX-capable devices, RAPTEE can reduce the proportion of Byzantine IDs in the view of honest nodes by up to 17% when the system contains 10% of Byzantine nodes. In addition, the security guarantees of RAPTEE hold even in the presence of a powerful attacker attempting to identify trusted nodes and injecting view-poisoned trusted nodes.