Blockchain is becoming popular as a distributed and reliable ledger which allows distrustful parties to transact safely without trusting third parties. Emerging blockchain systems like Ethereum support smart contracts...Blockchain is becoming popular as a distributed and reliable ledger which allows distrustful parties to transact safely without trusting third parties. Emerging blockchain systems like Ethereum support smart contracts where miners can run arbitrary user-defined programs. However, one of the biggest concerns about the blockchain and the smart contract is privacy, since all the transactions on the chain are exposed to the public. In this paper, we present ShadowEth, a system that leverages hardware enclave to ensure the confidentiality of smart contracts while keeping the integrity and availability based on existing public blockchains like Ethereum. ShadowEth establishes a confidential and secure platform protected by trusted execution environment (TEE) off the public blockchain for the execution and storage of private contracts. It only puts the process of verification on the blockchain. We provide a design of our system including a protocol of the cryptographic communication and verification and show the applicability and feasibility of ShadowEth by various case studies. We implement a prototype using the Intel SGX on the Ethereum network and analyze the security and availability of the system.展开更多
Nowadays,application migration becomes more and more attractive.For example,it can make computation closer to data sources or make service closer to end-users,which may significantly decrease latency in edge computing...Nowadays,application migration becomes more and more attractive.For example,it can make computation closer to data sources or make service closer to end-users,which may significantly decrease latency in edge computing.Yet,migrating applications among servers that are controlled by different platform owners raises security issues.We leverage hardware-secured trusted execution environment(TEE,aka.,enclave)technologies,such as Intel SGX,AMD SEV,and ARM TrustZone,for protecting critical computations on untrusted servers.However,these hardware TEEs propose non-uniform programming abstractions and are based on heterogeneous architectures,which not only forces programmers to develop secure applications targeting some specific abstraction but also hinders the migration of protected applications.Therefore,we propose UniTEE which gives a unified enclave programming abstraction across the above three hardware TEEs by using a microkernel-based design and enables the secure enclave migration by integrating heterogeneous migration techniques.We have implemented the prototype on real machines.The evaluation results show the migration support incurs nearly-zero runtime overhead and the migration procedure is also efficient.展开更多
Using a password manager is known to be more convenient and secure than not using one, on the assmnption that the password manager itself is safe. However recent studies show that most popular password managers have s...Using a password manager is known to be more convenient and secure than not using one, on the assmnption that the password manager itself is safe. However recent studies show that most popular password managers have security vulnerabilities that may be fooled to leak passwords without users' awareness. In this paper, we propose a new password manager, SplitPass, which vertically separates both the storage and access of passwords into two mutually distrusting parties. During login, all the parties will collaborate to send their password shares to the web server, but none of these parties will ever have the complete password, which significantly raises the bar of a successful attack to compromise all of tile parties. To retain transparency to existing applications and web servers, SplitPass seamlessly splits the secure sockets layer (SSL) and transport layer security (TCP) sessions to process on all parties, and makes the joining of two password shares transparent to the web servers. We have implemented SplitPass using an Android phone and a cloud assistant and evaluated it using 100 apps from top free apps in the Android official market. The evaluation shows that SplitPass securely protects users' passwords, while incurring little performance overhead and power consumption.展开更多
基金This work was supported by the National Key Research and Development Program of China under Grant No. 2016YFB1000104, the National Natural Science Foundation of China under Grant Nos. 61572314 and 61525204, and the Young Scientists Fund of the National Natural Science Foundation of China under Grant No. 61303011.
文摘Blockchain is becoming popular as a distributed and reliable ledger which allows distrustful parties to transact safely without trusting third parties. Emerging blockchain systems like Ethereum support smart contracts where miners can run arbitrary user-defined programs. However, one of the biggest concerns about the blockchain and the smart contract is privacy, since all the transactions on the chain are exposed to the public. In this paper, we present ShadowEth, a system that leverages hardware enclave to ensure the confidentiality of smart contracts while keeping the integrity and availability based on existing public blockchains like Ethereum. ShadowEth establishes a confidential and secure platform protected by trusted execution environment (TEE) off the public blockchain for the execution and storage of private contracts. It only puts the process of verification on the blockchain. We provide a design of our system including a protocol of the cryptographic communication and verification and show the applicability and feasibility of ShadowEth by various case studies. We implement a prototype using the Intel SGX on the Ethereum network and analyze the security and availability of the system.
基金supported in part by the National Key Research and Development Program of China under Grant No.2020AAA-0108502the National Natural Science Foundation of China under Grant Nos.61972244,U19A2060,and 61925206the HighTech Support Program from Shanghai Committee of Science and Technology under Grant No.19511121100.
文摘Nowadays,application migration becomes more and more attractive.For example,it can make computation closer to data sources or make service closer to end-users,which may significantly decrease latency in edge computing.Yet,migrating applications among servers that are controlled by different platform owners raises security issues.We leverage hardware-secured trusted execution environment(TEE,aka.,enclave)technologies,such as Intel SGX,AMD SEV,and ARM TrustZone,for protecting critical computations on untrusted servers.However,these hardware TEEs propose non-uniform programming abstractions and are based on heterogeneous architectures,which not only forces programmers to develop secure applications targeting some specific abstraction but also hinders the migration of protected applications.Therefore,we propose UniTEE which gives a unified enclave programming abstraction across the above three hardware TEEs by using a microkernel-based design and enables the secure enclave migration by integrating heterogeneous migration techniques.We have implemented the prototype on real machines.The evaluation results show the migration support incurs nearly-zero runtime overhead and the migration procedure is also efficient.
基金This work was supported by the National Key Research and Development Program of China under Grant No. 2016YFB1000104, the National Natural Science Foundation of China under Grant Nos. 61572314 and 61525204, and the Young Scientists Fund of the National Natural Science Foundation of China under Grant No. 61303011.
文摘Using a password manager is known to be more convenient and secure than not using one, on the assmnption that the password manager itself is safe. However recent studies show that most popular password managers have security vulnerabilities that may be fooled to leak passwords without users' awareness. In this paper, we propose a new password manager, SplitPass, which vertically separates both the storage and access of passwords into two mutually distrusting parties. During login, all the parties will collaborate to send their password shares to the web server, but none of these parties will ever have the complete password, which significantly raises the bar of a successful attack to compromise all of tile parties. To retain transparency to existing applications and web servers, SplitPass seamlessly splits the secure sockets layer (SSL) and transport layer security (TCP) sessions to process on all parties, and makes the joining of two password shares transparent to the web servers. We have implemented SplitPass using an Android phone and a cloud assistant and evaluated it using 100 apps from top free apps in the Android official market. The evaluation shows that SplitPass securely protects users' passwords, while incurring little performance overhead and power consumption.