Attestation and Confidential Computing – a technical introduction
This article introduces attestation as it relates to Confidential Computing, explaining key features and why it matters for security assurances in executing applications within Trusted Execution Environments.
Mike Bursell
Introduction
This article introduces the important topic of attestation as it relates to Confidential Computing. Super Protocol is a provider of services that use Confidential Computing and a strong proponent of the importance of attestation: all of Super Protocol's services employ attestation to provide users and other stakeholders with strong cryptographic assurances around the security of various aspects of the services. This article, first in a series of three, looks at some of the key features of attestation - and why it matters! - as an introduction to a second article, Advanced use cases for Confidential Computing – a Technical Introduction, which details use cases for advanced attestation mechanisms, and the third article, How Super Protocol Uses Attestation, which examines how Super Protocol's solution uses various techniques to allow simple and efficient security for all its stakeholders.
Why attestation matters
Super Protocol provides a platform to allow applications to be run using Confidential Computing. This means that the applications - and the data that they are processing - are protected from external attacks and interference, even by the person who owns the hardware on which they're running. It does this by running them within Trusted Execution Environments (TEEs), which give hardware-based isolation, provided at the chip level by Super Protocol's partners such as Intel and Nvidia. You can think of a TEE as a silicon-protected box in which applications run, and whose RAM is isolated from the rest of the system and the outside world.
Let's say, however, that you want to run an application on somebody else's system, whether that's an individual or a Cloud Service Provider. How might setting up such an arrangement happen? Let's model it, with me as the system provider, and you as the consumer. Remember - you don't trust me to run the application without interfering with it (which is why you want to use a TEE in the first place!).
You: I have an important and sensitive application that I want to run in a TEE: can you do that?
Me: Yes, I have Intel TDX-enabled systems.
You: Excellent. Please set one up, and let me know when you're done.
Me: OK, done. Please send over the application.
You: That sounds good: could you please send me proof that it's set up before I send the app?
Me: Um, no, it's fine. You can trust me: please send the application and I'll run it in a TEE.
See the problem? If you don't trust me to run my application without interference (you may not even trust me to look at my application), then how can you trust that I've set up the TEE as requested?
Introducing attestation
Luckily, there's a solution to this problem, which is called remote attestation, or just attestation for short. Attestation is used to describe a variety of processes within computing, but has a very special meaning within Confidential Computing.
Attestation Process Steps:
- An application within the TEE requests an attestation measurement from the chip (CPU/GPU).
- The measurement (cryptographically hashed data about the environment) is signed by a key within the chip.
- The signed attestation measurement is returned to the application.
- The measurement is sent to another entity (verifying party) for attestation verification.
- The verifying party checks the hash values (against expected values for the application, firmware, etc.) and the signature's validity (using vendor services like Intel's or Nvidia's).
Note: The verification must be carried out by a trusted party, often a third-party Attestation Verification Service (AVS), not the system owner.
Providing what is known as an attestation verification service (AVS) can be a complex undertaking as it must itself be both as secure as possible and often highly available, and while it is possible run an AVS as the consumer of TEE services, an increasing number of organisations are offering AVS as a third party service.
Trusting the silicon vendor
Is the Silicon Vendor Trustworthy?
Yes, trusting the silicon vendor (Intel, Nvidia, etc.) is generally necessary for Confidential Computing. You need to trust something to execute your workloads, and that ultimately relies on the hardware manufacturer. While deeper supply chain security questions exist, for most use cases, trusting the vendor is appropriate.
What attestation provides
Key Assurances from Attestation:
- Integrity assurances: Confirmation that the application and environment haven't been tampered with.
- Confidentiality assurances: (Indirectly) Confidence that the TEE's protections are active.
- Setup assurance: Proof that the TEE has been correctly configured.
- Hardware validity: Confirmation that the TEE is running on genuine silicon.
Without attestation, you cannot be certain that the promised TEE protections are actually in place.
It is important to note, however, that attestation does more than just provide the person or entity that is executing the application with integrity and confidentiality assurances, but that the attestation verification can be used in a number of other ways.
Uniqueness and identity
The first and most obvious is that cryptographically signed data can provide evidence of uniqueness. Assuming that it is possible to inject unique data into the initial measurement - such as a nonce or a randomly generated string from within the TEE - then the uniqueness of that instance of a workload can be checked and assured. This leads to the ability to assert a second property, which is identity. While not sufficient on its own, uniqueness allows the binding of an identity to a workload instance, which means that inputs and outputs from that workload can be associated with a particular identity.
Attestation measurement as a certificate
Once you have a cryptographically signed blob of data with assurances of uniqueness and the identity, you basically have something that can be used as a certificate. This opens up a whole new set of possible ways of thinking about how the workload, its other properties and how they can be used.
Attestation Certificates vs. Standard Certificates:
Standard web certificates (from CAs like GlobalSign, LetsEncrypt) verify that the server possesses the private key associated with the domain.
Attestation certificates link back to the silicon vendor as the root of trust. The chip itself signs the measurement.
When using an Attestation Verification Service (AVS), the AVS provider verifies the measurement against the silicon vendor's data and can act as a Certificate Authority (CA) by counter-signing the verification. Trust then relies on both the AVS provider and the silicon vendor.
There are certain complexities associated with this arrangement which all revolve around the importance of verifying every single workload/TEE instance. If each attestation measurement goes to a centralized certificate authority, the time overhead on its own is likely to be significant for a deployment that includes multiple TEEs such as a distributed application with microservices. This is an issue that we have addressed at Super Protocol, and which is addressed in the second article in this series, Advanced use cases for Confidential Computing – a Technical Introduction.
Using certificates with Confidential Computing
Once you start to think about using attestation verification outputs as certificates, it quickly becomes clear that there are multiple uses that can be made of them.
Certificates for transport security
The most obvious of these uses cases - the most common use for certificates - is for communication. We are used to having certificates accepted for website access when we use browsers, and TLS already has a version which supports remote attestation, known as RA-TLS.
Stronger Identity Assurance
A standard certificate proves access to a key. An RA-TLS certificate proves not only access to the key but also that the key (and the communicating party) is protected by a verified TEE. This provides much stronger assurance against compromised servers compared to traditional TLS/HTTPS.
Non-transport uses for certificates
There are, of course, many other uses for certificates, and these apply equally - if not more - to certificates based on attestation verifications. Probably the most important in this context is the use of certificates for assurance around provenance. Where we were typically concerned about the confidentiality of our transport communications, in this case, we are much more interested in assurances around integrity.
Assuring Provenance and Integrity:
If the output of an application is signed with an attestation-based certificate, anyone receiving it can verify:
- The output came from the specific, expected application.
- The application was protected from interference during execution within a TEE.
This provides strong assurance about the integrity of results, not just since creation, but also during production.
This leads us to an astonishing property: because a certificate based on an attestation verification can give us assurances about both the integrity of the data and the application in the TEE, we can make very strong assertions that the results of a calculation or application came from a particular application and set of data. This has huge implications for very many collaborative applications, but possibly most importantly for AI/ML use cases. When we look at AI, the ability to tie the provenance of an inference model - and the answers it gives to questions - to the initial data sets and training model suddenly changes the way we think about how much we can trust what we are using. We will look at this use case - among others - in the second article in this series, Advanced use cases for Confidential Computing – a Technical Introduction.
Summary
Super Protocol's services revolve around Confidential Computing, and make the most of attestation, a process which, as we have seen in this article, can provide great benefits to users and consumers of the technology.
Next Steps
In the next article, Advanced use cases for Confidential Computing – a Technical Introduction, we will look in more detail at some of the advanced use cases enabled by attestation certificates. The third article, How Super Protocol Uses Attestation, will examine how Super Protocol's platform leverages these capabilities.
