13 research outputs found

    DelegaTEE: Brokered Delegation Using Trusted Execution Environments

    We introduce a new concept called brokered delegation. Brokered delegation allows users to flexibly delegate credentials and rights for a range of service providers to other users and third parties. We explore how brokered delegation can be implemented using novel trusted execution environments (TEEs). We introduce a system called DelegaTEE that enables users (Delegatees) to log into different online services using the credentials of other users (Owners). Credentials in DelegaTEE are never revealed to Delegatees, and Owners can restrict access to their accounts using a range of rich, contextually dependent delegation policies. DelegaTEE fundamentally shifts existing access control models for centralized online services. It does so by using TEEs to permit access delegation at the user's discretion. DelegaTEE thus effectively reduces mandatory access control (MAC) in this context to discretionary access control (DAC). The system demonstrates the significant potential for TEEs to create new forms of resource sharing around online services without the direct support from those services. We present a full implementation of DelegaTEE using Intel SGX and demonstrate its use in four real-world applications: email access (SMTP/IMAP), restricted website access using an HTTPS proxy, e-banking/credit card, and a third-party payment system (PayPal).

    One-Time Delegation of Unlinkable Signing Rights and Its Application

    Delegation of signing rights can be useful to promote effective resource sharing and smooth cooperation among participants in distributed systems, and in many situations we need restricted delegation such as one-timeness and unlinkability rather than simple full delegation. In particular, one-timeness cannot be achieved just by deploying cryptographic measures; one needs to resort to some form of tamper-proofness or the assistance of external cloud servers for "key-disabling". In this work, we extend the latter such that a delegatee can sign a message without the delegator's involvement, under the assumption that there exists at least one honest cloud server with secure erasure, to achieve one-timeness. In this setting, if the delegator simply shares their signing key between the delegatee and the cloud servers, it may be problematic: in the worst case, the delegator cannot know whether a signing key theft occurred, because signatures generated illegally are indistinguishable from ones generated legally. To solve this, we first propose an efficient one-time delegation scheme for Okamoto-Schnorr signing. We then combine the basic delegation scheme with anonymous credentials such that the delegator can detect signing key theft even if one-time delegation is broken, while also achieving unlinkability with respect to both the delegator and the cloud servers. Finally, we show its application to an e-cash scheme, which can prevent double-spending.

    Overcoming Cloud Concerns with Trusted Execution Environments? Exploring the Organizational Perception of a Novel Security Technology in Regulated Swiss Companies

    Trusted execution environments are a new approach for isolating data, specific parts of code, or an entire application within untrusted cloud environments. This emerging security technology could also enable the migration to cloud infrastructures for organizations working with highly sensitive data. As current research does not address the organizational perception of trusted execution environments (TEEs), we conducted an explorative study to clarify the technological, environmental, and organizational views on this technology held by health care, life sciences, and banking companies in Switzerland. The interview findings show that in these industries, missing technological knowledge as well as privacy and process regulation are perceived to be the most critical drivers for organizational adoption of TEEs. The identified low intrinsic motivation to adopt novel technologies permits us to conclude that clarifying the regulatory impact of TEEs could drive future adoption by organizations.

    SoK: A Systematic Review of TEE Usage for Developing Trusted Applications

    Trusted Execution Environments (TEEs) are a feature of modern central processing units (CPUs) that aim to provide a high-assurance, isolated environment in which to run workloads that demand both confidentiality and integrity. Hardware and software components in the CPU isolate workloads, commonly referred to as Trusted Applications (TAs), from the main operating system (OS). This article aims to analyse the TEE ecosystem, determine its usability, and suggest improvements where necessary to make adoption easier. To better understand TEE usage, we gathered academic and practical examples from a total of 223 references. We summarise the literature and provide a publication timeline, along with insights into the evolution of TEE research and deployment. We categorise TAs into major groups and analyse the tools available to developers. Lastly, we evaluate trusted container projects, test performance, and identify the requirements for migrating applications inside them.
    Comment: In The 18th International Conference on Availability, Reliability and Security (ARES 2023), August 29 - September 01, 2023, Benevento, Italy. 15 pages.

    TEEvil: Identity Lease via Trusted Execution Environments

    We investigate identity lease, a new type of service in which users lease their identities to third parties by providing them with full or restricted access to their online accounts or credentials. We discuss how identity lease could be abused to subvert the digital society, facilitating the spread of fake news and subverting electronic voting by enabling the sale of votes. We show that the emergence of Trusted Execution Environments and anonymous cryptocurrencies, for the first time, allows the implementation of such a lease service while guaranteeing fairness, plausible deniability and anonymity, therefore shielding the users and account renters from prosecution. To show that such a service can be practically implemented, we build an example service that we call TEEvil, leveraging Intel SGX and ZCash. Finally, we discuss defense mechanisms and challenges in the mitigation of identity lease services.
    Comment: 21 pages, 5 figures.

    Access Control and Service-Oriented Architectures.

    "Access Control and Service-Oriented Architectures" investigates in which way logical access control can be achieved effectively, in particular in highly dynamic environments such as service-oriented architectures (SOAs). The author combines state-of-the-art best practice and projects it onto the SOA. In doing so, he identifies strengths of current approaches, but also pinpoints weaknesses. These weaknesses are subsequently mitigated by introducing an innovative new framework called EFSOC. The framework is validated empirically and preliminary implementations are discussed.

    DECO: Liberating Web Data Using Decentralized Oracles for TLS

    Thanks to the widespread deployment of TLS, users can access private data over channels with end-to-end confidentiality and integrity. What they cannot do, however, is prove to third parties the provenance of such data, i.e., that it genuinely came from a particular website. Existing approaches either introduce undesirable trust assumptions or require server-side modifications. As a result, the value of users' private data is locked up in its point of origin. Users cannot export their data with preserved integrity to other applications without help and permission from the current data holder. We propose DECO (short for decentralized oracle) to address the above problems. DECO allows users to prove that a piece of data accessed via TLS came from a particular website and, optionally, to prove statements about such data in zero-knowledge, keeping the data itself secret. DECO is the first such system that works without trusted hardware or server-side modifications. DECO can liberate data from centralized web-service silos, making it accessible to a rich spectrum of applications. To demonstrate the power of DECO, we implement three applications that are hard to achieve without it: a private financial instrument using smart contracts, converting legacy credentials to anonymous credentials, and verifiable claims against price discrimination.
    Comment: This is the extended version of the CCS'20 paper.

    Health Care Reform Through Medicaid Managed Care: Tennessee (TennCare) as a Case Study and a Paradigm

    TennCare is a Medicaid demonstration project that allows Tennessee to require all Medicaid beneficiaries to secure medical care through a mandatory managed care system. Enrollees contract with private managed care organizations (MCOs), which are responsible for organizing a network of care providers and delivering medical care to covered beneficiaries. Driven by rapidly escalating Medicaid costs, TennCare's mandatory managed care program has succeeded in saving money for the state in its Medicaid program. To secure the federal waiver that allowed the program to proceed, the state included non-Medicaid-eligible uninsured and uninsurable residents as TennCare beneficiaries. Federal matching funds accrue for all TennCare expenditures, including those for non-Medicaid-eligible enrollees, but federal matching is subject to a global cap. Cost savings from managed care were to pay for the improved access. The program covers about 1.3 million persons, 38% of whom are non-Medicaid-eligibles. The Medicaid component of TennCare has been stable, but the non-Medicaid-eligible TennCare population has risen by about 41% in the last two fiscal years, stressing the fiscal capacity of the program. The Article provides background on the development of TennCare, describing the political effect of the federal matching (cooperative federalism) aspect of TennCare on both state-level and federal-level decisionmaking. The Article identifies what it describes as the political moral hazard dimensions of these federal-state partnerships on state political decisionmaking and the correlative lock-in effect of the program on the state. Federal matching funds make program enhancement appealing and make cutbacks extremely painful. The interaction of state and federal program incentives is considered in depth, and both the state responses (use of private funding and provider-focused taxation) and federal responses (limits on federal matching for those sources of state revenue) to these incentives are described and analyzed.