T-Lease: A Trusted Lease Primitive for Distributed Systems
arXiv - CS - Cryptography and Security. Pub Date: 2021-01-16, DOI: arxiv-2101.06485
Bohdan Trach (TU Dresden), Rasha Faqeh (TU Dresden), Oleksii Oleksenko (TU Dresden), Wojciech Ozga (TU Dresden), Pramod Bhatotia (TU Munich), Christof Fetzer (TU Dresden)

A lease is an important primitive for building distributed protocols, and it is ubiquitously employed in distributed systems. However, the scope of the classic lease abstraction is restricted to the trusted computing infrastructure. Unfortunately, this important primitive cannot be employed in the untrusted computing infrastructure because trusted execution environments (TEEs) do not provide a trusted time source. In the untrusted environment, an adversary can easily manipulate the system clock to violate the correctness properties of lease-based systems. We tackle this problem by introducing trusted lease -- a lease that maintains its correctness properties even in the presence of a clock-manipulating attacker. To achieve these properties, we follow a "trust but verify" approach for an untrusted timer, and transform it into a trusted timing primitive by leveraging two hardware-assisted ISA extensions (Intel TSX and SGX) available in commodity CPUs. We provide a design and implementation of trusted lease in a system called T-Lease -- the first trusted lease system that achieves high security, performance, and precision. For application developers, T-Lease exposes easy-to-use generic APIs that facilitate its usage to build a wide range of distributed protocols.

Updated: 2021-01-19