Summary Confidential Consortium Framework for Secure Multiparty Applications arxiv.org
15,973 words - PDF document - View PDF document
One Line
The Confidential Consortium Framework is an open-source platform that enables secure multiparty applications with trusted execution environments.
Slides
Slide Presentation (11 slides)
Key Points
- The Confidential Consortium Framework (CCF) is a platform for developing secure stateful CIA applications.
- CCF combines centralized compute with decentralized trust and leverages hardware-based trusted execution environments (TEEs) for confidentiality and code integrity.
- CCF ensures data confidentiality and integrity during execution, even on untrusted cloud infrastructure.
- CCF's architecture consists of a collection of nodes managed by a consortium, with each node executing the application logic inside TEEs.
- CCF utilizes a consensus protocol inspired by Raft for replicating transactions in the ledger.
- CCF provides additional features such as transactional key-value store, verifiable receipts, and support for read-only and historical transactions.
- CCF offers confidentiality, integrity, and high availability while supporting reconfiguration and fault tolerance.
- Ongoing research is being conducted to improve the security, performance, and compatibility of CCF.
Summaries
18 word summary
The Confidential Consortium Framework (CCF) is an open-source platform for secure multiparty applications, utilizing trusted execution environments (TEEs).
70 word summary
The Confidential Consortium Framework (CCF) is a platform for secure multiparty applications, utilizing trusted execution environments (TEEs) for data confidentiality and code integrity. CCF's architecture includes nodes deployed by operators, managed by a consortium, and uses a consensus protocol for transaction replication. It offers features like a transactional key-value store and verifiable receipts, providing a secure and flexible framework with high throughput. Implemented in C++20, it is an open-source project.
146 word summary
The Confidential Consortium Framework (CCF) is a platform for developing secure multiparty applications with confidentiality, integrity, and high availability. It uses trusted execution environments (TEEs) for data confidentiality and code integrity, along with state machine replication and an auditable immutable ledger for data integrity and high availability. CCF allows each service to bring its own application logic, custom governance model, and deployment scenario. It addresses the challenge of data confidentiality by using TEEs, ensures code integrity through atomic transactions, and records updates in an append-only ledger. CCF's architecture consists of nodes deployed by operators and managed by a consortium. It utilizes a consensus protocol for replicating transactions in the ledger. CCF provides additional features such as a transactional key-value store and verifiable receipts. It offers a secure and flexible framework for multiparty applications with high throughput and has been implemented in C++20 as an open-source project.
484 word summary
The Confidential Consortium Framework (CCF) is a platform that allows for the development of secure multiparty applications with confidentiality, integrity, and high availability. It utilizes trusted execution environments (TEEs) for data confidentiality and code integrity, as well as state machine replication and an auditable immutable ledger for data integrity and high availability. CCF allows each service to bring its own application logic, custom governance model, and deployment scenario.
CCF addresses the challenge of data confidentiality by using TEEs for verifiable confidentiality, enabling organizations to protect their data even when using untrusted cloud infrastructure. Code integrity is ensured by executing transactions atomically over a key-value store interface provided by CCF. The updates to the key-value store are recorded in an append-only ledger, providing data integrity and high availability.
CCF's architecture consists of CCF nodes deployed by operators and managed by a consortium. Users interact with the nodes through endpoints provided by the application logic. The application logic executes operations, updates the service's state, and responds to user requests. CCF ensures confidentiality and integrity by executing the application logic inside TEEs and providing a key-value store interface for accessing data. The updates to the key-value store are recorded in an append-only ledger, which is replicated for high availability.
CCF utilizes a consensus protocol inspired by Raft for replicating transactions in the ledger. Each view includes a primary node and backups. The primary executes user requests, appends transactions to its ledger, and replicates the ledger to backups using append-entries remote procedure calls. In case of primary failure, a new primary is elected through a voting process. Reconfiguration transactions allow for fault tolerance and atomic changes to the node configuration.
CCF offers additional features such as a transactional key-value store, verifiable receipts, and support for read-only and historical transactions. It considers a threat model where CCF nodes and users cannot be trusted. Attestation is used to verify the integrity of TEEs, and cryptographic keys are utilized for confidentiality and integrity protection.
CCF provides a secure and flexible framework for developing multiparty applications with confidentiality, integrity, and high availability. Its architecture combines centralized compute with decentralized trust, leveraging TEEs and an auditable ledger for data integrity. CCF's governance model enables consortium members to oversee operations through governance proposals and ballots.
CCF's performance has been evaluated, demonstrating high throughput and the ability to handle thousands of requests per second. It is implemented in C++20 and built on the OpenEnclave SDK, supporting various features such as REST API, TLS encryption, request signing, and user authentication.
CCF is an open-source project that has already been used as a foundation for new systems research. It has involved contributions from various individuals and organizations. Detailed technical documentation is available on CCF's architecture, implementation, and usage.
In conclusion, CCF offers a versatile platform for building secure multiparty applications on untrusted infrastructure. It provides confidentiality, integrity protection, and accountability using TEEs and a distributed consensus algorithm.
642 word summary
The Confidential Consortium Framework (CCF) is a versatile platform for developing secure multiparty applications with confidentiality, integrity, and high availability. It leverages trusted execution environments (TEEs) for data confidentiality and code integrity, along with state machine replication and an auditable immutable ledger for data integrity and high availability. CCF allows each service to bring its own application logic, custom governance model, and deployment scenario, decoupling node operators from the governing consortium.
CCF addresses the challenge of data confidentiality during execution by utilizing TEEs for remotely verifiable confidentiality. This enables organizations to protect their data even when using untrusted cloud infrastructure. Code integrity is ensured by executing transactions atomically over a key-value store interface provided by CCF. The updates to the key-value store are recorded in an append-only ledger, providing a basis for data integrity and high availability.
While cloud computing offers scalability and low entry barriers, it also introduces challenges in ensuring data integrity and confidentiality. CCF solves this by removing cloud providers from the trusted computing base of multiparty applications, allowing developers to leverage the cloud's capabilities while maintaining security.
CCF's architecture consists of CCF nodes deployed by operators and managed by a consortium. Users interact with the nodes through endpoints provided by the application logic. The application logic executes operations, updates the service's state, and responds to user requests. CCF ensures confidentiality and integrity by executing the application logic inside TEEs and providing a key-value store interface for accessing data. The updates to the key-value store are recorded in an append-only ledger, which is replicated for high availability.
CCF utilizes a consensus protocol inspired by Raft for replicating transactions in the ledger. Each view includes a primary node and backups. The primary executes user requests, appends transactions to its ledger, and replicates the ledger to backups using append-entries remote procedure calls. In case of primary failure, a new primary is elected through a voting process. Reconfiguration transactions allow for fault tolerance and atomic changes to the node configuration.
CCF offers additional features such as a transactional key-value store, verifiable receipts, and support for read-only and historical transactions. It considers a threat model where CCF nodes and users cannot be trusted. Attestation is used to verify the integrity of TEEs, and cryptographic keys are utilized for confidentiality and integrity protection.
CCF provides a secure and flexible framework for developing multiparty applications with confidentiality, integrity, and high availability. Its architecture combines centralized compute with decentralized trust, leveraging TEEs and an auditable ledger for data integrity. CCF's governance model enables consortium members to oversee operations through governance proposals and ballots.
CCF ensures availability during management operations and supports long-running applications. It can recover from failures through its disaster recovery protocol. Data confidentiality is achieved through encryption at various stages, while integrity protection is provided by signature transactions and a Merkle tree. CCF achieves high availability through replication across nodes and supports reconfiguration for fault tolerance.
CCF's performance has been evaluated, demonstrating high throughput and the ability to handle thousands of requests per second. It is implemented in C++20 and built on the OpenEnclave SDK, supporting various features such as REST API, TLS encryption, request signing, and user authentication.
CCF differs from other systems by using a unique consensus protocol, removing cloud providers from the trusted computing base, and providing a versatile platform for secure multiparty applications. Ongoing research is being conducted to improve security, performance, and compatibility with different trusted execution platforms.
CCF is an open-source project that has already been used as a foundation for new systems research. It has involved contributions from various individuals and organizations. Detailed technical documentation is available on CCF's architecture, implementation, and usage.
In conclusion, CCF offers a versatile platform for building secure multiparty applications on untrusted infrastructure. It provides confidentiality, integrity protection, and accountability using TEEs and a distributed consensus algorithm. Ongoing efforts are focused on
1878 word summary
The Confidential Consortium Framework (CCF) is a general-purpose foundation for developing secure stateful CIA (Confidentiality, Integrity, and Availability) applications. It combines centralized compute with decentralized trust, allowing deployment on untrusted cloud infrastructure and transparent governance by mutually untrusted parties. CCF leverages hardware-based trusted execution environments (TEEs) for confidentiality and code integrity, along with state machine replication and an auditable immutable ledger for data integrity and high availability. CCF enables each service to bring its own application logic, custom governance model, and deployment scenario, decoupling the operators of nodes from the consortium that governs them.
Data confidentiality is a crucial consideration for organizations, as they are responsible for protecting personal data and complying with privacy laws. Encryption at rest and in-flight are well-established methods for achieving confidentiality, but encryption alone does not fully solve the problem. CCF addresses the challenge of confidentiality during execution by leveraging TEEs for remotely verifiable confidentiality. This allows organizations to protect their data even when leveraging untrusted cloud infrastructure.
Integrity protection is also essential for maintaining data confidentiality. Organizations are obligated to protect data from unauthorized or unintended modification. Code integrity, along with transparency, allows parties who share data to agree on how it can be used while maintaining confidentiality. CCF ensures code integrity by executing transactions atomically over a key-value store interface provided by CCF. The updates to the key-value store are recorded in an append-only ledger, which provides a basis for data integrity and high availability.
Cloud computing offers efficient scaling and a low barrier to entry, but it also introduces challenges in ensuring data integrity and confidentiality. Highly sensitive applications, such as medical, financial, or governmental services, often cannot migrate to the public cloud due to security concerns. CCF addresses this challenge by removing cloud providers from the trusted computing base (TCB) of multiparty applications, allowing developers to leverage the cloud's compute and storage capabilities while maintaining security.
CCF's architecture consists of a collection of CCF nodes deployed by operators and managed by a consortium. Users interact with the nodes through endpoints provided by the application logic. The application logic executes operations, updates the state of the service, and responds to user requests. CCF ensures confidentiality and integrity by executing the application logic inside TEEs and providing a key-value store interface for accessing data. The updates to the key-value store are recorded in an append-only ledger, which is replicated to other nodes for high availability.
CCF utilizes a consensus protocol inspired by Raft for replicating transactions in the ledger. Each view consists of a primary node and backups. The primary executes user requests, appends transactions to its ledger, and replicates the ledger to backups using append-entries remote procedure calls (RPCs). In the event of a primary failure, a new primary is elected through a voting process. Reconfiguration transactions are used to add or remove nodes from the network, allowing for fault tolerance and atomic changes to the node configuration.
CCF provides additional features such as transactional key-value store, verifiable receipts, and support for read-only and historical transactions. The underlying key-value store consists of maps for storing data, with updates recorded in the ledger. Verifiable receipts allow users to verify the validity of transactions offline. Read-only and historical transactions can be executed against the latest version of the key-value store without being recorded in the ledger.
CCF's design considers a threat model where hosts running CCF nodes cannot be trusted, and users are also untrusted. Attestation is used to verify the integrity of TEEs, and cryptographic keys are utilized for confidentiality and integrity protection. CCF assumes that the code running inside TEEs and the hardware have been implemented correctly but does not trust other applications, operating systems, hypervisors, or BIOS.
In conclusion, CCF provides a secure and flexible framework for developing multiparty applications with confidentiality, integrity, and high availability. Its architecture combines centralized compute with decentralized trust, leveraging
The Confidential Consortium Framework (CCF) is a platform designed to support secure multiparty applications with confidentiality, integrity, and high availability. It utilizes trusted execution environments (TEEs), such as Intel SGX, to protect sensitive data and ensure the integrity of the system. CCF's approach to multiparty governance involves consortium members overseeing governance operations through governance proposals and ballots. The programmable constitution, written in JavaScript, defines the available governance actions and voting criteria.
CCF's default constitution provides a set of governance actions that can be used to manage the system. These actions include adding users, adding consortium members, updating JavaScript application logic, allowing new code IDs, enabling nodes to join or retire, updating the constitution, and setting recovery thresholds. The constitution also defines a resolve function that determines if a governance proposal has been accepted and an apply function that modifies the key-value store based on an accepted proposal.
Node retirement in CCF involves updating the node's status to "RETIRING" in a reconfiguration transaction. Once the transaction is committed, the retired node is removed from the configuration. Before shutting down the retiring node, the primary ensures that all future primaries are aware of the retirement. This is done by adding a second reconfiguration transaction to update the node's state to "RETIRED," which is committed before shutting down the node.
CCF's governance proposals and ballots are recorded on the underlying ledger and always originate from a request signed by a consortium member. The default constitution requires a strict majority of consortium members to vote in favor of a proposal for it to be accepted. However, alternative constitutions can grant different voting power to consortium members or vary the number of votes needed depending on the action.
CCF is designed to remain available during management operations such as node replacement, live code updates, and changes to users. It supports long-running applications and ensures confidentiality and integrity throughout the process. CCF can recover from failures through its disaster recovery protocol, which restores the service to a safe state using ledger files and snapshot files. The recovered service has a new identity to indicate the recovery.
Data confidentiality in CCF is achieved through encryption at various stages, including transit, execution, and storage. TLS connections are used to encrypt data in transit between users and CCF nodes. The TEEs encrypt data during execution and in memory. Transactions in the ledger are encrypted with a ledger secret, and the ledger secret is protected through encryption and encryption key distribution.
Integrity protection in CCF is provided by signature transactions and the Merkle tree constructed for these transactions. Signature transactions ensure that the ledger cannot be modified undetected while in persistent storage. The Merkle tree allows for integrity proofs and protects against rollback attacks. CCF does not rely on dedicated rollback or forking protection mechanisms.
CCF achieves high availability through replication across nodes and supports reconfiguration to restore fault tolerance. Reconfiguration can be used to add or remove nodes, change the replication factor, or update code. CCF's consensus layer supports arbitrary reconfiguration and can continue to operate even when up to a minority of nodes fail simultaneously. Users can connect to any CCF node, and requests are handled locally or forwarded to the primary depending on the type of request.
CCF's performance has been evaluated using different configurations and workloads. It has demonstrated high throughput, with the ability to handle thousands of requests per second. The performance impact of generating signature transactions has been measured, showing a slight increase in response time and a tradeoff between time to commit and overall throughput.
CCF is implemented in C++20 and built on the OpenEnclave SDK. It supports various features such as REST API, TLS encryption, request signing, user authentication, and customizable indexing strategy. CCF can be deployed on hosts with or without TEEs and provides highly available state machine replication even in virtual mode or on a single node.
In comparison to other TEE-based approaches, CCF offers a combination of data confidentiality, execution integrity, data
The Confidential Consortium Framework (CCF) is a versatile platform for building secure and highly available services. It offers support for delegation to untrusted cloud infrastructure and governance by mutually untrusted parties. CCF is built upon Intel Software Guard Extensions (SGX) and provides confidentiality, integrity protection, and accountability for multiparty applications. It uses a distributed consensus algorithm based on Raft, which ensures that all nodes agree on the state of the system. CCF is an open-source project that is already being used as a foundation for new systems research.
CCF differs from other existing systems in several ways. It uses a unique consensus protocol called Byzantine Fault Tolerance (BFT), which requires only one phase instead of the usual two. This reduces the complexity and overhead of the consensus process. Additionally, CCF utilizes Trusted Execution Environments (TEEs) to provide secure execution environments for applications. However, unlike other systems that use TEEs, CCF removes cloud providers from the trusted computing base, minimizing the need to trust them.
Hyperledger Fabric is a permissioned blockchain that can be extended with Intel SGX to provide private execution of chaincode inside enclaves. However, the consensus layer remains outside the TEEs in Fabric PC. Avocado and Treaty are two other systems built on Intel SGX for secure key-value storage and distributed transactions, respectively. These systems address specific use cases but do not provide the same level of confidentiality, integrity protection, and accountability as CCF.
CCF is designed to be a production-quality platform that can be deployed on untrusted infrastructure. It offers features such as disaster recovery procedures, atomic reconfiguration, and a governance model that can be useful in their own right. However, it is important to note that CCF is not the final word on confidential computing. Ongoing research is being conducted to verify the correctness of the code and protect against side-channel attacks. Exploits of Intel SGX have also been discovered in the past, highlighting the need for continued security improvements.
In response to the limitations of Intel SGX, CCF recently added experimental support for AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP). The platform aims to support future trusted execution platforms such as Intel Total Memory Encryption (TME) and Intel Trust Domain Extensions (TDX). These efforts are aimed at improving performance and expanding the availability of trusted execution environments.
CCF's threat model is a significant improvement over existing systems, as it removes cloud providers from the trusted computing base. This opens up new possibilities for multiparty distributed systems that leverage the compute capability of the cloud while minimizing trust in cloud providers. CCF provides a foundation for building secure and highly available services that can be deployed on untrusted infrastructure.
The development of CCF has involved contributions from various individuals and organizations. It is an open-source project that has already been built upon by other systems. The technical documentation for CCF provides detailed information on its architecture, implementation, and usage. The project has also released a technical report describing an earlier iteration of CCF and a subsequent paper on a technique for providing accountability following TEE compromise.
In conclusion, CCF is a versatile platform for building secure multiparty applications on untrusted infrastructure. It offers confidentiality, integrity protection, and accountability using TEEs and a distributed consensus algorithm based on Raft. While CCF is already being used as a foundation for new systems research, ongoing efforts are focused on improving its security, performance, and compatibility with different trusted execution platforms.