Decentralized Translator of Trust: Supporting Heterogeneous TEE for Critical Infrastructure Protection

TL;DR

This paper introduces DHTee, a decentralized blockchain-based system that enables secure interaction and trust establishment among heterogeneous TEE devices in critical infrastructure, enhancing security and flexibility.

Contribution

It proposes a novel decentralized coordination mechanism using blockchain to support heterogeneous TEE environments in critical infrastructure protection.

Findings

Supports mutual trust among diverse TEE devices.

Enables secure attestation across different TEE technologies.

Flexible integration of new TEE schemes without system disruption.

Abstract

Trusted execution environment (TEE) technology has found many applications in mitigating various security risks in an efficient manner, which is attractive for critical infrastructure protection. First, the natural of critical infrastructure requires it to be well protected from various cyber attacks. Second, performance is usually important for critical infrastructure and it cannot afford an expensive protection mechanism. While a large number of TEE-based critical infrastructure protection systems have been proposed to address various security challenges (e.g., secure sensing and reliable control), most existing works ignore one important feature, i.e., devices comprised the critical infrastructure may be equipped with multiple incompatible TEE technologies and belongs to different owners. This feature makes it hard for these devices to establish mutual trust and form a unified TEE environment. To address these challenges and fully unleash the potential of TEE technology for critical infrastructure protection, we propose DHTee, a decentralized coordination mechanism. DHTee uses blockchain technology to support key TEE functions in a heterogeneous TEE environment, especially the attestation service. A Device equipped with one TEE can interact securely with the blockchain to verify whether another potential collaborating device claiming to have a different TEE meets the security requirements. DHTee is also flexible and can support new TEE schemes without affecting devices using existing TEEs that have been supported by the system.