TEE is not a Healer: Rollback-Resistant Reliable Storage (Extended Version)
Sadegh Keshavarzi, Gregory Chockler, Alexey Gotsman

TL;DR
This paper examines the challenges of implementing reliable storage using TEEs, addressing rollback attacks, and introduces TEE-Rex, a novel algorithm for distributed state recovery without specialized hardware.
Contribution
It introduces a unified failure model for TEE-based systems and presents TEE-Rex, the first correct distributed recovery algorithm that avoids durable storage and specialized hardware.
Findings
Established tight bounds on fault-tolerance in TEE-based register models.
Designed TEE-Rex, a dynamic register emulation algorithm.
Proved TEE-Rex's correctness without requiring trusted counters.
Abstract
Recent advances in secure hardware technologies, such as Intel SGX or ARM TrustZone, offer an opportunity to substantially reduce the costs of Byzantine fault-tolerance by placing the program code and state within a secure enclave known as a Trusted Execution Environment (TEE). However, the protection offered by a TEE only applies during program execution. Once power is switched off, the non-volatile portion of the program state becomes vulnerable to rollback attacks wherein it is undetectably reverted to an older version. In this paper we consider the problem of implementing reliable read/write registers out of failure-prone replicas subject to state rollbacks. To this end, we introduce a new unified model that captures multiple failure types that can affect a TEE-based system and establish tight bounds on the fault-tolerance of register constructions in this model. We consider both…
