T-Lease: A Trusted Lease Primitive for Distributed Systems
This work addresses a critical limitation for distributed systems developers by enabling lease-based protocols in untrusted infrastructures, though it is incremental as it builds on existing hardware extensions.
The paper tackles the problem of implementing a lease primitive in untrusted computing environments where adversaries can manipulate system clocks, by introducing T-Lease, a trusted lease system that uses hardware-assisted ISA extensions to achieve high security, performance, and precision.
A lease is an important primitive for building distributed protocols, and it is ubiquitously employed in distributed systems. However, the scope of the classic lease abstraction is restricted to the trusted computing infrastructure. Unfortunately, this important primitive cannot be employed in the untrusted computing infrastructure because the trusted execution environments (TEEs) do not provide a trusted time source. In the untrusted environment, an adversary can easily manipulate the system clock to violate the correctness properties of lease-based systems. We tackle this problem by introducing trusted lease -- a lease that maintains its correctness properties even in the presence of a clock-manipulating attacker. To achieve these properties, we follow a "trust but verify" approach for an untrusted timer, and transform it into a trusted timing primitive by leveraging two hardware-assisted ISA extensions (Intel TSX and SGX) available in commodity CPUs. We provide a design and implementation of trusted lease in a system called T-Lease -- the first trusted lease system that achieves high security, performance, and precision. For the application developers, T-Lease exposes an easy-to-use generic APIs that facilitate its usage to build a wide range of distributed protocols.