attribution-reporting-api icon indicating copy to clipboard operation
attribution-reporting-api copied to clipboard

Published 20 hours ago verified publisher icon WICG

Details on Attestation in TEE Aggregator

Open eriktaubeneck opened this issue 2 years ago • 7 comments

The TEE version of the Aggregation Service for the Attribution Reporting API proposal states that:

Decryption and aggregation of raw aggregatable report data happens within a secure and isolated Trusted Execution Environment. This prevents adtech from accessing the decrypted inputs, intermediate data, and the decryption key.

I am assuming that the Confidential VM offering from GCP is one of the proposed cloud providers. When looking into this offering, it's not completely obvious how this guarantee is made, and it would be helpful to understand better how the API intends to do this.

Attestation of Code Executed The documentation only mentions a launch attestation report event, which attests to the boot state of the VM, but not the software that actually gets executed. I launched such an instance and was able to SSH onto the box and, as the tenant, view files and run commands. The proposal states:

Google will periodically release binary images of the aggregation server code for TEE deployment. A cryptographic hash of the build product (the image to be deployed on the TEE) is obtained as part of the build process. The build is reproducible so that anyone can build binaries from source and verify they are identical to the images released by Google.

Is the intention here that this binary release is a custom Linux engine? If so, is there any existing analysis and tooling around building such an image that limits the tenant to only executing the desired software and includes the necessary components of an image built from scratch?

This seems like an important feature, from the user agent POV, in order to trust that the system, operated by an adtech tenant, is actually unable to view the underlying attribution reports.

Attestation of SEV Mode When a Confidential VM is launched, the above mentioned launch attestation report event is generated. In testing, and the docs, it seems that this is simply a log that states it's in SEV mode:

sevLaunchAttestationReportEvent: {
    integrityEvaluationPassed: true
    sevPolicy: {
        debugEnabled: false
        sevOnly: true
        ...
    }
}

From the adtech POV, it seems that you would actually want to establish the root of trust all the way down to the hardware. I'm not an expert here, but my understanding was that the hardware manufacture, in this case AMD, runs essentially a certificate authority, which allows any user to verify that a cryptographic signature was generated by an authentic manufacturer chip (according to the manufacturer.) I wasn't able to find such a signature included in the launch attestation report event, nor any documentation on how a tenant might validate such a signature against a manufactures certificate authority.

The only component which seems to be possibly such a signature is value in the log:

sevLaunchAttestationReportEvent: {
    finalDigest: "j324ZkjlkYaklj/skljlj2908Aionkl"
}

The documentation doesn't seem to be clear on what this value actually is, or how you would validate it. (Also, in my quick poking around, it didn't show up in my own logs, but that may have just been a misconfiguration.)

Do such processes and documentation exist? From the POV of the adtech, this seems like an important component to establish the root of trust in the hardware (beyond simply trusting the cloud provider explicitly.)

eriktaubeneck avatar Mar 11 '22 17:03 eriktaubeneck

Hi Erik,

Thank you for the detailed post. We are working on providing more information. For now, I'll just say that per our recent update, our initial implementation will support Trusted Execution Environments (TEEs) provided by Amazon Web Services.

palenica avatar Mar 18 '22 18:03 palenica

@palenica Does it mean that it's AWS Nitro? Do you have any design details? Thanks.

peking2 avatar Apr 23 '22 09:04 peking2

Yes, this is AWS Nitro.

FYI, we have just published instructions, scripts and binaries needed for running the aggregation service (both locally in untrusted mode and in the cloud in AWS Nitro) if you'd like to take it for a spin. https://github.com/google/trusted-execution-aggregation-service/blob/main/README.md

We're working on publishing documentation, and getting the code in shape for open sourcing. Please stay tuned.

palenica avatar Apr 28 '22 13:04 palenica

Hello @palenica,

Any news on that ?

I had a look a the repo but the AWS lambda functions are only provided as [JARs]((https://storage.googleapis.com/trusted-execution-aggregation-service-public-artifacts). I would expect this to be open sourced somehow.

Can you also share some documentation on the client part ? In particular what keys are used to encrypt the reports from inside the browser ? Does this also use the TLS protocol similar to intel SGX technology (described here). Is this already implemented in chromium ?

fhoering avatar May 13 '22 15:05 fhoering