TEBDS: A Trusted Execution Environment-and-Blockchain-supported IoT data sharing system

Highlights

• A TEE-and-Blockchain-supported data sharing architecture for IoT(TEBDS) is proposed.

• A SGX-based distributed storage system is designed to store off-chain IoT data.

• A novel incentive mechanism is introduced to promote entities to maintain the ledger.

• A comprehensive experiment is executed to investigate the performance of the system.

Abstract

Data sharing services based on massive IoT data have been widely used in various fields such as health monitoring and image recognition, providing users with more reliable, efficient, and flexible data services and significantly improving the user service quality. With the popularization of IoT applications, the usage rate of IoT data is getting higher and higher. Due to the dangerous network environment, the security of IoT data faces challenges. On the one hand, attacks such as data tampering can lead to the failure of IoT tasks, and on the other hand, the intrusion of malicious users can lead to the collapse of the entire IoT network. In recent years, many protection schemes used for IoT data security have been proposed. However, security flaws still exist in these schemes. Therefore, to solve the data security and identity security issues in the IoT data sharing process, in this paper, we propose a TEE-and-Blockchain-supported IoT data sharing architecture(TEBDS), which combines on-chain and off-chain methods to meet the security requirements of the IoT data sharing framework. Therein, the consortium blockchain realizes the protection of on-chain IoT data and the access control of IoT users. An Intel SGX-based Distributed Storage System (SDSS) is proposed to secure off-chain data. Besides, an incentive mechanism is developed to facilitate the whole system. Security analysis shows that TEBDS meets the requirements of data security and identity security. Experimental results show that TEBDS has better performance than the centralized method SPDS.

Introduction

The Internet of things(IoT) generates massive volumes of IoT data every day, to utilize data from different IoTs effectively and offer better services, different IoT owners begin to explore privacy-preserving data sharing methods in recent years. Cloud Storage owns a powerful storage capacity, which is widely used to construct privacy-preserving data sharing methods recently. But these methods have the problem of a single point of failure [1], [2].

To achieve secure data sharing and guarantee the security of both on-chain and off-chain data, Yuntao Wang et al. [3] propose a secure and auditable private data sharing (SPDS) scheme in the smart grid. They apply blockchain to achieve trust-free private data computation and data usage tracking, and smart contracts are employed to specify fine-grained data usage policies. They also design a trusted execution environment based off-chain smart contract execution mechanism to process confidential user datasets and relieve the computation overhead in blockchain systems. Besides, a two-phase atomic delivery protocol is designed to ensure the atomicity of data transactions in computing result release and payment. Although their method secures on-chain and off-chain data based on the characteristics of blockchain and TEE, respectively, the TEE module only exists in the cloud center and still can lead to the problem of a single point of failure.

Blockchain, a decentralized method, features immutability and traceability, which can verify the identities of entities in the network while protecting data. Besides, a Trusted execution environment(TEE) with the isolation property, such as Intel SGX [4], [5], [6], [7], can ensure that the content inside will not be affected even if the operating system(OS), as well as the privileged software, are controlled by an attacker. Thus, by combining blockchain and SGX technology, our method has the following advantages: $1$. the single point of failure problem can be solved by the distributed feature of blockchain. $2$. blockchain gives trust to different IoTs, every entity in the network has its own legal identity. $3$. user’s operation recorded in the blockchain is secure, traceable, and untamperable. $4$. SGX enclave secures off-chain data and code.

In this paper, to achieve data security and identity security in the process of IoT data sharing, we propose a TEE-and-Blockchain-supported data sharing system for IoT(TEBDS). Blockchain in our method is used to secure user communications, and TEE is used to guarantee the security of the off-chain data. Specifically, all kinds of nodes, including full nodes with SGX(FNS), full nodes without SGX(FN), and lightweight nodes(LN), maintain a consortium blockchain to ensure the secure read/write operations between users and record all the users’ behavior in IoT. Besides, an SGX-based distributed storage system(SDSS) formed by all FNSs is designed to store off-chain IoT data and respond to read/write requests. As storage nodes, FNSs also can choose to store a certain amount of data based on their capability and find out the correct data based on the user’s signature. Furthermore, an incentive mechanism is developed to facilitate the fairness of TEBDS. The contribution of this paper is shown as follows:

$•$ A TEE-and-Blockchain-supported data sharing architecture for IoT(TEBDS) is proposed to achieve secure distributed IoT data sharing and user authentication. Therein blockchain is used to achieve on-chain data security and user access control, and TEE is used to secure the off-chain IoT data. TEBDS realizes the security of both on-chain and off-chain data instead of focusing on on-chain data security like traditional methods.

$•$ A SGX-based distributed storage system(SDSS) is designed to store off-chain IoT data securely, where the Hash bucket links IoT data in an untrusted environment and prevents the rollback attack. Besides, nodes in SDSS can selectively store part or all of the IoT data according to their storage resources, making full use of the node’s fragmented resources. Furthermore, the distributed features of SDSS can guarantee the availability of off-chain IoT data. Because nodes that support SDSS may store some redundant data, when a node fails, it will not affect the data of other nodes, and the data requester can still obtain the complete data requested. SDSS provides a feasible solution for secure storage of off-chain data.

$•$ A novel incentive mechanism is introduced to encourage FNSs to store data and promote FNSs, FNs, and LNs to maintain the ledger, ensuring that only honest and active users can get more rewards.

$•$ We design a comprehensive experiment to analyze the availability and performance of TEBDS. First, benchmark experiments prove that the addition of Intel SGX has little effect on the performance of TEBDS. In addition, we also compare the read and write performance of TEDBS with centralized SPDS, and the results show that TEBDS outperforms SPDS. Finally, the blockchain experimental results show that the blockchain applied in TEBDS is also efficient and effective.

The remainder of this paper is organized as follows. In the rest of this paper, we introduce some related work in Section 2. Section 3 outlines the threat model and design goals. In Section 4, the design of TEBDS will be discussed in detail. Experiment and performance evaluation of TEBDS are given in Section 5. Finally, Section 6 concludes the whole paper.