技术领域Technical Field
本发明涉及信息安全技术领域,尤其涉及一种基于Intel SGX的以太坊隐私保护交易预执行系统。The present invention relates to the field of information security technologies, and in particular to an Ethereum privacy protection transaction pre-execution system based on Intel SGX.
背景技术Background Art
以太坊交易预执行系统旨在通过交易模拟执行来帮助以太坊用户理解将要签署的交易,以防其遭遇钓鱼攻击等非预期行为。系统一般由两个组件组成,交易模拟组件与可选的策略分析组件。交易模拟组件负责基于最新区块对用户交易进行模拟执行,并记录执行路径、状态访问等详细的执行信息来作为交易模拟结果。目前Alchemy和Blocknative等以太坊基础设施公司均有推出各自的交易模拟产品。策略分析组件则针对交易模拟结果进行进一步的策略分析(如钓鱼检测等),从而为用户提供具有更高级语义的信息反馈。策略分析组件是可选的,并且不同的以太坊交易预执行服务提供商有着各自专有的分析策略。目前,商业化的以太坊交易预执行服务已成为以太坊社区的重要基础组件。The Ethereum transaction pre-execution system aims to help Ethereum users understand the transactions they are about to sign through transaction simulation execution to prevent them from encountering unexpected behaviors such as phishing attacks. The system generally consists of two components, a transaction simulation component and an optional strategy analysis component. The transaction simulation component is responsible for simulating the execution of user transactions based on the latest block, and recording detailed execution information such as execution path and state access as the transaction simulation result. Currently, Ethereum infrastructure companies such as Alchemy and Blocknative have launched their own transaction simulation products. The strategy analysis component conducts further strategy analysis (such as phishing detection, etc.) on the transaction simulation results, thereby providing users with information feedback with more advanced semantics. The strategy analysis component is optional, and different Ethereum transaction pre-execution service providers have their own proprietary analysis strategies. At present, commercial Ethereum transaction pre-execution services have become an important basic component of the Ethereum community.
然而,用户交易本身往往蕴含着用户的敏感信息,这使得以太坊用户在采用以太坊交易预执行服务的同时对于服务提供商有着去匿名性、待上链交易内容泄漏等隐私威胁的担忧。但对此,目前并没有相应的隐私保护方案出现。However, user transactions often contain sensitive information of users, which makes Ethereum users worry about privacy threats such as anonymization and leakage of transaction contents to be uploaded to the chain when using Ethereum transaction pre-execution services. However, there is currently no corresponding privacy protection solution.
发明内容Summary of the invention
针对现有技术的不足,本发明提出一种基于Intel SGX的以太坊隐私保护交易预执行系统,该系统利用Intel SGX来确保服务提供商在交易预执行服务的整个工作流程(包括交易模拟和策略分析)中都无法获取用户交易的内容。In view of the shortcomings of the prior art, the present invention proposes an Ethereum privacy-preserving transaction pre-execution system based on Intel SGX. The system uses Intel SGX to ensure that the service provider cannot obtain the content of user transactions during the entire workflow of the transaction pre-execution service (including transaction simulation and strategy analysis).
具体技术方案如下:The specific technical solutions are as follows:
一种基于Intel SGX的以太坊隐私保护交易预执行系统,包括交易模拟飞地和策略分析飞地;交易模拟飞地与策略分析飞地之间、用户与交易模拟飞地之间的交互通过基于SGX远程证明机制所建立的安全可信的通信信道进行;An Ethereum privacy protection transaction pre-execution system based on Intel SGX, including a transaction simulation enclave and a policy analysis enclave; the interaction between the transaction simulation enclave and the policy analysis enclave, and between the user and the transaction simulation enclave is carried out through a secure and trusted communication channel established based on the SGX remote attestation mechanism;
所述交易模拟飞地包括两个服务接口,一个用于接收用户提出的交易预执行请求,另一个用于接收策略分析飞地的注册信息;交易模拟飞地内部运行的以太坊Geth客户端,用于模拟执行交易预执行请求中的用户交易,得到交易模拟结果;所述交易模拟飞地向策略分析飞地发送策略分析请求并等待响应,所述策略分析请求包括交易模拟结果;收到策略分析飞地的响应后,交易模拟飞地聚合策略分析结果与交易模拟结果作为最终结果,并向用户发送最终结果;The transaction simulation enclave includes two service interfaces, one for receiving a transaction pre-execution request proposed by a user, and the other for receiving registration information of the strategy analysis enclave; the Ethereum Geth client running inside the transaction simulation enclave is used to simulate and execute the user transaction in the transaction pre-execution request to obtain a transaction simulation result; the transaction simulation enclave sends a strategy analysis request to the strategy analysis enclave and waits for a response, wherein the strategy analysis request includes a transaction simulation result; after receiving the response from the strategy analysis enclave, the transaction simulation enclave aggregates the strategy analysis result and the transaction simulation result as the final result, and sends the final result to the user;
所述策略分析飞地包括两个服务接口,一个用于接收服务提供商分发的策略分析代码及其底层数据和配置信息,所述配置信息包括:交易模拟飞地的IP地址列表、策略分析代码的签名及签名公钥、策略分析代码所需的交易模拟结果字段;所述策略分析飞地将接收时通过签名正确性验证的签名公钥作为标识策略分析代码身份的策略id;另一服务接口用于供交易模拟飞地提交策略分析请求;所述策略分析飞地依据所提供的交易模拟飞地的IP地址列表,将策略id和策略分析代码所需的交易模拟结果字段信息注册到相应的交易模拟飞地中;所述策略分析飞地通过其内部集成的Wasm运行时,运行策略分析代码,对策略分析请求中的交易模拟结果进行策略分析后,由策略分析飞地将策略分析结果返回给交易模拟飞地。The policy analysis enclave includes two service interfaces, one for receiving the policy analysis code and its underlying data and configuration information distributed by the service provider, the configuration information including: the IP address list of the transaction simulation enclave, the signature and signature public key of the policy analysis code, and the transaction simulation result field required by the policy analysis code; the policy analysis enclave uses the signature public key that has been verified for signature correctness upon receipt as the policy id for identifying the identity of the policy analysis code; the other service interface is used for the transaction simulation enclave to submit a policy analysis request; the policy analysis enclave registers the policy id and the transaction simulation result field information required by the policy analysis code to the corresponding transaction simulation enclave based on the IP address list of the transaction simulation enclave provided; the policy analysis enclave runs the policy analysis code through its internally integrated Wasm runtime, and after performing policy analysis on the transaction simulation result in the policy analysis request, the policy analysis enclave returns the policy analysis result to the transaction simulation enclave.
进一步地,所述交易模拟飞地在返回最终结果时,只返回策略分析结果和用户所指定的交易模拟结果字段对应的交易模拟结果;Furthermore, when returning the final result, the transaction simulation enclave only returns the strategy analysis result and the transaction simulation result corresponding to the transaction simulation result field specified by the user;
所述策略分析飞地在注册到交易模拟飞地时,将配置信息中服务提供商指定的交易模拟结果字段发送至交易模拟飞地;交易模拟飞地据此仅发送相应模拟结果字段到策略分析飞地。When the policy analysis enclave is registered with the transaction simulation enclave, the transaction simulation result field specified by the service provider in the configuration information is sent to the transaction simulation enclave; the transaction simulation enclave accordingly only sends the corresponding simulation result field to the policy analysis enclave.
进一步地,所述策略分析飞地中的Wasm运行时包括为策略分析代码提供的两个宿主接口和一个系统接口,其中一个宿主接口用于输入交易模拟结果,另一个宿主接口用于输出策略分析结果,所述系统接口用于策略分析代码对其底层数据进行只读访问。Furthermore, the Wasm runtime in the strategy analysis enclave includes two host interfaces and one system interface provided for the strategy analysis code, wherein one host interface is used to input transaction simulation results, and the other host interface is used to output strategy analysis results, and the system interface is used for the strategy analysis code to perform read-only access to its underlying data.
进一步地,所述交易模拟飞地和策略分析飞地均有多个,根据服务提供商配置,单个交易模拟飞地同时与多个包含不同策略分析代码的策略分析飞地建立连接,且单个策略分析飞地同时注册到多个交易模拟飞地中,以服务用户请求。Furthermore, there are multiple transaction simulation enclaves and policy analysis enclaves. According to the service provider configuration, a single transaction simulation enclave simultaneously establishes connections with multiple policy analysis enclaves containing different policy analysis codes, and a single policy analysis enclave is simultaneously registered with multiple transaction simulation enclaves to serve user requests.
进一步地,所述交易模拟飞地设置的两个服务接口、策略分析飞地提供的与服务提供商连接的服务接口均为HTTPS服务接口,其TLS层协议使用RA-TLS;所述策略分析飞地提供的与交易模拟飞地连接的服务接口为HTTP服务接口,且两者之间的交互数据使用策略分析飞地注册到交易模拟飞地过程中基于SGX远程证明机制协商出的会话密钥进行加密。Furthermore, the two service interfaces set by the transaction simulation enclave and the service interface provided by the policy analysis enclave to connect to the service provider are both HTTPS service interfaces, and their TLS layer protocol uses RA-TLS; the service interface provided by the policy analysis enclave to connect to the transaction simulation enclave is an HTTP service interface, and the interactive data between the two is encrypted using the session key negotiated based on the SGX remote attestation mechanism during the registration of the policy analysis enclave to the transaction simulation enclave.
一种基于Intel SGX的以太坊隐私保护方法,根据所述的基于Intel SGX的以太坊隐私保护交易预执行系统实现,其特征在于,用户与交易模拟飞地之间、交易模拟飞地与策略分析飞地之间、服务提供商与策略分析飞地之间的交互均通过基于SGX远程证明机制所建立的安全可信的通信信道进行;在所述方法的所有步骤执行过程中,所述交易模拟飞地持续监听以太坊网络并导入以太坊最新区块,基于该以太坊最新区块更新本地的以太坊世界状态,并将以太坊各区块数据与以太坊世界状态加密存储在宿主系统中;所述方法包括以下步骤:An Intel SGX-based Ethereum privacy protection method is implemented according to the Intel SGX-based Ethereum privacy protection transaction pre-execution system, characterized in that the interaction between the user and the transaction simulation enclave, between the transaction simulation enclave and the policy analysis enclave, and between the service provider and the policy analysis enclave is carried out through a secure and trusted communication channel established based on the SGX remote proof mechanism; during the execution of all steps of the method, the transaction simulation enclave continuously monitors the Ethereum network and imports the latest Ethereum block, updates the local Ethereum world state based on the latest Ethereum block, and encrypts and stores the Ethereum block data and the Ethereum world state in the host system; the method comprises the following steps:
S1、初始化:所述策略分析飞地接收服务提供商分发的、通过策略分析飞地的签名正确性验证的策略分析代码及其底层数据和配置信息,并将策略分析代码的底层数据加载到策略分析飞地内的内存文件系统中;所述策略分析飞地依据配置信息中指示的交易模拟飞地的IP地址列表,将标识策略分析代码身份的策略id和策略分析代码所需的交易模拟结果字段信息传输至交易模拟飞地,完成注册;注册过程中,交易模拟飞地通过SGX远程证明机制验证注册正确性,并与策略分析飞地协商会话密钥,后续交易模拟飞地与策略分析飞地之间的所有通信内容均使用该会话密钥进行加密;S1. Initialization: The policy analysis enclave receives the policy analysis code and its underlying data and configuration information distributed by the service provider and verified by the signature correctness of the policy analysis enclave, and loads the underlying data of the policy analysis code into the memory file system in the policy analysis enclave; the policy analysis enclave transmits the policy ID identifying the identity of the policy analysis code and the transaction simulation result field information required by the policy analysis code to the transaction simulation enclave according to the IP address list of the transaction simulation enclave indicated in the configuration information, and completes the registration; during the registration process, the transaction simulation enclave verifies the correctness of the registration through the SGX remote attestation mechanism, and negotiates a session key with the policy analysis enclave. All subsequent communications between the transaction simulation enclave and the policy analysis enclave are encrypted using the session key;
S2:用户向交易模拟飞地发送交易预执行请求,所述交易预执行请求包括:用户交易列表、策略id列表、需要返回的交易模拟结果字段;S2: The user sends a transaction pre-execution request to the transaction simulation enclave, where the transaction pre-execution request includes: a user transaction list, a strategy ID list, and a transaction simulation result field to be returned;
S3:交易模拟飞地接收到交易预执行请求,对所述用户交易列表中的各用户交易进行模拟执行,并产生交易模拟结果;在模拟执行过程中,交易模拟飞地根据需求从宿主系统中读取以太坊各区块数据和以太坊世界状态;S3: The transaction simulation enclave receives the transaction pre-execution request, simulates the execution of each user transaction in the user transaction list, and generates a transaction simulation result; during the simulation execution process, the transaction simulation enclave reads the Ethereum block data and Ethereum world state from the host system according to demand;
S4:交易模拟飞地依据所述策略id列表,向相应的策略分析飞地发送策略分析请求,并等待策略分析飞地的响应;所述策略分析请求中包含策略分析飞地需要的交易模拟结果;S4: The transaction simulation enclave sends a policy analysis request to the corresponding policy analysis enclave according to the policy ID list, and waits for a response from the policy analysis enclave; the policy analysis request includes the transaction simulation result required by the policy analysis enclave;
S5:策略分析飞地接收到所述策略分析请求,创建一个新的Wasm运行时实例并加载策略分析代码到该实例中;策略分析代码在执行过程中,从策略分析飞地处获取策略分析请求中的交易模拟结果,并通过Wasm系统接口对其底层数据进行只读访问,对交易模拟结果进行策略分析后,输出策略分析结果给策略分析飞地;S5: The policy analysis enclave receives the policy analysis request, creates a new Wasm runtime instance and loads the policy analysis code into the instance; during the execution of the policy analysis code, the policy analysis code obtains the transaction simulation result in the policy analysis request from the policy analysis enclave, and read-only accesses its underlying data through the Wasm system interface, performs policy analysis on the transaction simulation result, and outputs the policy analysis result to the policy analysis enclave;
S6:策略分析飞地将获取的策略分析结果返回给交易模拟飞地,并销毁S5创建的Wasm运行时实例;S6: The policy analysis enclave returns the obtained policy analysis results to the transaction simulation enclave and destroys the Wasm runtime instance created in S5;
S7:所述交易模拟飞地接收策略分析飞地的响应后,聚合策略分析结果与所述需要返回的交易模拟结果字段对应的交易模拟结果作为最终结果,并向用户发送所述最终结果。S7: After receiving the response from the policy analysis enclave, the transaction simulation enclave aggregates the policy analysis result and the transaction simulation result corresponding to the transaction simulation result field to be returned as the final result, and sends the final result to the user.
进一步地,所述交易模拟飞地对以太坊世界状态进行可验证加密操作,再将以太坊世界状态输出保存到宿主系统中进行持久化存储;所述S3中,交易模拟飞地根据需要,从宿主系统中读取以太坊世界状态并解密;所述可验证加密操作的密钥采用交易模拟飞地的SGX密封密钥。Furthermore, the transaction simulation enclave performs a verifiable encryption operation on the Ethereum world state, and then saves the Ethereum world state output to the host system for persistent storage; in the S3, the transaction simulation enclave reads and decrypts the Ethereum world state from the host system as needed; the key for the verifiable encryption operation uses the SGX sealing key of the transaction simulation enclave.
进一步地,所述S1中,服务提供商将策略分析代码编译成Wasm字节码格式,使用私钥对Wasm字节码进行签名,并在策略分析代码的配置信息中添加该签名及签名公钥;然后服务提供商提出分发请求,将编译成Wasm字节码形式的策略分析代码及其底层数据和配置信息分发至策略分析飞地;策略分析飞地在接收到分发请求后验证签名正确性,如果验证成功,则接收服务提供商分发请求中的所有内容,并将签名公钥作为策略分析代码的身份标识,即策略id;反之则拒绝服务提供商的分发请求。Furthermore, in S1, the service provider compiles the policy analysis code into Wasm bytecode format, signs the Wasm bytecode with a private key, and adds the signature and the signature public key to the configuration information of the policy analysis code; then the service provider makes a distribution request to distribute the policy analysis code compiled into Wasm bytecode format and its underlying data and configuration information to the policy analysis enclave; after receiving the distribution request, the policy analysis enclave verifies the correctness of the signature. If the verification is successful, it receives all the contents in the service provider's distribution request and uses the signature public key as the identity of the policy analysis code, i.e., the policy id; otherwise, the service provider's distribution request is rejected.
一种电子设备,包括存储器和一个或多个处理器,所述存储器中存储有可执行代码,所述一个或多个处理器执行所述可执行代码时,用于实现所述的基于Intel SGX的以太坊隐私保护方法。An electronic device includes a memory and one or more processors, wherein the memory stores executable code, and when the one or more processors execute the executable code, they are used to implement the Ethereum privacy protection method based on Intel SGX.
一种计算机可读存储介质,所述计算机可读存储介质内存储有计算机程序,所述计算机程序被处理器执行时实现所述的基于Intel SGX的以太坊隐私保护方法。A computer-readable storage medium having a computer program stored therein, wherein the computer program implements the Ethereum privacy protection method based on Intel SGX when executed by a processor.
本发明的有益效果是:The beneficial effects of the present invention are:
(1)本发明利用Intel SGX和Wasm沙箱技术,确保服务提供商在交易预执行服务的整个工作流程(包括交易模拟和策略分析)中都无法获取用户交易的内容,能够保护以太坊用户在使用交易预执行服务过程中的隐私性。(1) The present invention utilizes Intel SGX and Wasm sandbox technology to ensure that service providers cannot obtain the content of user transactions during the entire workflow of transaction pre-execution services (including transaction simulation and strategy analysis), thereby protecting the privacy of Ethereum users when using transaction pre-execution services.
(2)本发明系统可以直接部署到已有Intel处理器平台来提高以太坊交易预执行系统的用户隐私保护能力。(2) The system of the present invention can be directly deployed on the existing Intel processor platform to improve the user privacy protection capability of the Ethereum transaction pre-execution system.
附图说明BRIEF DESCRIPTION OF THE DRAWINGS
图1是本发明实施例提出的基于Intel SGX的以太坊隐私保护交易预执行系统及其流程示意图。FIG1 is a schematic diagram of an Ethereum privacy protection transaction pre-execution system based on Intel SGX and its flow chart proposed in an embodiment of the present invention.
图2是本发明实施例提供的一种电子设备的结构示意图。FIG. 2 is a schematic diagram of the structure of an electronic device provided by an embodiment of the present invention.
具体实施方式DETAILED DESCRIPTION
为使本申请实施例的目的、技术方案和优点更加清楚,下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本申请的一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有做出创造性劳动的前提下所获得的所有其他实施例,都属于本申请保护的范围。In order to make the purpose, technical solution and advantages of the embodiments of the present application clearer, the technical solution in the embodiments of the present application will be clearly and completely described below in conjunction with the drawings in the embodiments of the present application. Obviously, the described embodiments are part of the embodiments of the present application, not all of the embodiments. Based on the embodiments in the present application, all other embodiments obtained by ordinary technicians in this field without making creative work are within the scope of protection of this application.
在以下的描述中,涉及到“一个具体实施例”,其描述了所有可能实施例的子集,但是可以理解,“一个具体实施例”,其描述了所有可能实施例的相同子集或不同子集,并且可以在不冲突的情况下相互结合。In the following description, reference is made to “one specific embodiment”, which describes a subset of all possible embodiments, but it can be understood that “one specific embodiment” describes the same subset or different subsets of all possible embodiments and can be combined with each other without conflict.
除非另有定义,本文所使用的所有的技术的科学技术与属于本发明的技术领域的技术人员通常理解的含义相同。本文中所使用的术语只是为了描述本发明实施例的目的,不是旨在限制本发明。Unless otherwise defined, all technical science and technology used herein have the same meaning as commonly understood by those skilled in the art of the present invention. The terms used herein are only for the purpose of describing the embodiments of the present invention and are not intended to limit the present invention.
在对本发明实施例进行进一步详细说明之前,对本发明实施例中涉及的名词和术语进行说明,本发明实施例中涉及的名词和术语适用于如下的解释。Before further describing the embodiments of the present invention in detail, the nouns and terms involved in the embodiments of the present invention are described. The nouns and terms involved in the embodiments of the present invention are subject to the following explanations.
(1)Intel SGX,是一种为满足可信计算行业需求而开发的技术。Intel SGX从硬件层面为敏感代码和数据提供了一个隔离的可信执行环境(本领域技术人员称其为Enclave,即飞地),使得外界(包括计算平台的所有者)在运行时无法获取或篡改敏感代码与数据的内容。此外,Intel SGX还提供了远程证明机制和密封机制,远程证明机制允许远端用户对Enclave进行身份验证并与之建立安全可信的通信通道,密封机制则允许Enclave将数据加密保存到宿主系统的持久化存储中。由于Intel SGX对Enclave内代码和数据的机密性与完整性保证是借助于硬件隔离所实现的,因此Intel SGX所带来的性能开销十分有限。(1) Intel SGX is a technology developed to meet the needs of the trusted computing industry. Intel SGX provides an isolated trusted execution environment (technical personnel in this field refer to it as an Enclave) for sensitive code and data at the hardware level, making it impossible for the outside world (including the owner of the computing platform) to obtain or tamper with the content of sensitive code and data during operation. In addition, Intel SGX also provides a remote attestation mechanism and a sealing mechanism. The remote attestation mechanism allows remote users to authenticate the Enclave and establish a secure and trusted communication channel with it, while the sealing mechanism allows the Enclave to encrypt and save data to the persistent storage of the host system. Since Intel SGX ensures the confidentiality and integrity of the code and data in the Enclave through hardware isolation, the performance overhead brought by Intel SGX is very limited.
(2)WebAssembly,简称Wasm,是一种可移植、体积小、加载速度快且兼容Web的全新格式,是一种面向Web的二进制指令格式,可以在Web浏览器中运行,还可以用作独立的虚拟机或容器的格式。(2) WebAssembly, or Wasm for short, is a new format that is portable, small in size, fast in loading, and Web-compatible. It is a Web-oriented binary instruction format that can run in a Web browser and can also be used as a standalone virtual machine or container format.
基于上述架构,本发明提出一种基于Intel SGX的以太坊隐私保护交易预执行系统,如图1所示,该系统包括交易模拟Enclave和策略分析Enclave。用户与交易模拟Enclave之间、交易模拟Enclave与策略分析Enclave之间、服务提供商与策略分析Enclave之间的交互均通过基于SGX远程证明机制所建立的安全可信的通信信道进行,保证数据通信的机密性与完整性。交易模拟Enclave对应现有交易预执行系统中的交易模拟组件,利用IntelSGX防止服务提供商在处理交易模拟任务的过程中获取用户交易内容;策略分析Enclave对应现有交易预执行系统中的策略分析组件,利用Intel SGX防止服务提供商获取交易模拟结果,并利用Wasm沙箱技术防止服务提供商的策略分析代码主动泄漏用户交易的模拟结果。Based on the above architecture, the present invention proposes an Ethereum privacy protection transaction pre-execution system based on Intel SGX, as shown in Figure 1, the system includes a transaction simulation Enclave and a policy analysis Enclave. The interaction between the user and the transaction simulation Enclave, between the transaction simulation Enclave and the policy analysis Enclave, and between the service provider and the policy analysis Enclave is carried out through a secure and trusted communication channel established based on the SGX remote proof mechanism to ensure the confidentiality and integrity of data communication. The transaction simulation Enclave corresponds to the transaction simulation component in the existing transaction pre-execution system, and uses Intel SGX to prevent the service provider from obtaining the user transaction content in the process of processing the transaction simulation task; the policy analysis Enclave corresponds to the policy analysis component in the existing transaction pre-execution system, and uses Intel SGX to prevent the service provider from obtaining the transaction simulation results, and uses Wasm sandbox technology to prevent the service provider's policy analysis code from actively leaking the simulation results of the user transaction.
具体地,交易模拟Enclave包括两个HTTPS服务接口,一个用于接收用户提出的交易预执行请求,另一个用于接收策略分析Enclave的注册信息。这两个HTTPS服务接口的TLS层协议均使用RA-TLS架构。RA-TLS架构由Intel所提出,其将SGX远程证明机制集成到了TLS连接建立过程中,使得远端实体(包括用户与Enclave)在与某一Enclave建立TLS连接的过程中完成对该Enclave身份的验证,最终所建立的TLS信道对于远端实体来说便是安全可信的通信信道。Specifically, the transaction simulation enclave includes two HTTPS service interfaces, one for receiving transaction pre-execution requests from users, and the other for receiving registration information of the policy analysis enclave. The TLS layer protocols of these two HTTPS service interfaces both use the RA-TLS architecture. The RA-TLS architecture was proposed by Intel, which integrates the SGX remote attestation mechanism into the TLS connection establishment process, allowing remote entities (including users and enclaves) to complete the verification of the identity of an enclave during the process of establishing a TLS connection with the enclave. The TLS channel finally established is a secure and reliable communication channel for the remote entity.
交易模拟Enclave内部运行的以太坊Geth客户端,基于以太坊最新区块模拟交易的执行,用于模拟执行交易预执行请求中的用户交易,得到交易模拟结果;其中,以太坊Geth客户端利用Geth tracer机制收集策略分析Enclave所需的交易执行信息,作为交易模拟结果输出,用于后续传递至策略分析Enclave,策略分析Enclave所需的交易执行信息包括:合约调用、状态读写、事件抛出、合约创建或合约销毁。交易模拟Enclave向策略分析Enclave发送策略分析请求并等待响应,该策略分析请求包括交易模拟结果。收到策略分析Enclave的响应后,交易模拟Enclave聚合策略分析结果与交易模拟结果作为最终结果,并向用户发送最终结果。The Ethereum Geth client running inside the transaction simulation enclave simulates the execution of transactions based on the latest Ethereum block, and is used to simulate the execution of user transactions in the transaction pre-execution request to obtain the transaction simulation result; wherein, the Ethereum Geth client uses the Geth tracer mechanism to collect the transaction execution information required by the policy analysis enclave as the transaction simulation result output for subsequent transmission to the policy analysis enclave. The transaction execution information required by the policy analysis enclave includes: contract call, state reading and writing, event throwing, contract creation or contract destruction. The transaction simulation enclave sends a policy analysis request to the policy analysis enclave and waits for a response. The policy analysis request includes the transaction simulation result. After receiving the response from the policy analysis enclave, the transaction simulation enclave aggregates the policy analysis result and the transaction simulation result as the final result, and sends the final result to the user.
策略分析Enclave包括两个服务接口,一个用于接收服务提供商分发的策略分析代码及其底层数据和配置信息,该服务接口为HTTPS服务接口,其TLS层协议使用RA-TLS架构;配置信息包括:交易模拟Enclave的IP地址列表、策略分析代码的签名及签名公钥、策略分析代码所需的交易模拟结果字段。策略分析Enclave将接收时通过签名正确性验证的签名公钥作为标识策略分析代码身份的策略id。另一服务接口用于供交易模拟Enclave提交策略分析请求,该服务接口为HTTP服务接口,但两者之间的交互内容会使用策略分析Enclave注册到交易模拟Enclave时两者所协商出的密钥进行加密。The policy analysis Enclave includes two service interfaces. One is used to receive the policy analysis code and its underlying data and configuration information distributed by the service provider. This service interface is an HTTPS service interface, and its TLS layer protocol uses the RA-TLS architecture. The configuration information includes: the IP address list of the transaction simulation Enclave, the signature and signature public key of the policy analysis code, and the transaction simulation result field required by the policy analysis code. The policy analysis Enclave uses the signature public key that has been verified for signature correctness upon receipt as the policy id that identifies the identity of the policy analysis code. The other service interface is used for the transaction simulation Enclave to submit policy analysis requests. This service interface is an HTTP service interface, but the interaction between the two will be encrypted using the key negotiated by the two when the policy analysis Enclave is registered with the transaction simulation Enclave.
策略分析Enclave依据交易模拟Enclave的IP地址列表,将策略id和策略分析代码所需的交易模拟结果字段信息注册到相应的交易模拟Enclave中,该过程基于SGX远程证明机制协商出的会话密钥进行加密。策略分析Enclave内集成有Wasm运行时,该Wasm运行时包括两个宿主接口和一个定制化的Wasm系统接口(即WASI接口),其中一个宿主接口recv_input用于供策略分析代码从策略分析Enclave获取交易模拟结果输入,另一个宿主接口send_output用于供策略分析代码输出策略分析结果,WASI接口用于策略分析代码对其底层数据进行只读访问。策略分析Enclave将策略分析代码加载到Wasm运行时中运行,策略分析代码在执行过程中对策略分析请求中的交易模拟结果进行策略分析,得到策略分析结果,由策略分析Enclave将策略分析结果返回给交易模拟Enclave。The policy analysis enclave registers the policy id and the transaction simulation result field information required by the policy analysis code to the corresponding transaction simulation enclave based on the IP address list of the transaction simulation enclave. This process is encrypted based on the session key negotiated by the SGX remote attestation mechanism. The policy analysis enclave is integrated with the Wasm runtime, which includes two host interfaces and a customized Wasm system interface (i.e., WASI interface). One host interface recv_input is used for the policy analysis code to obtain the transaction simulation result input from the policy analysis enclave, and the other host interface send_output is used for the policy analysis code to output the policy analysis result. The WASI interface is used for the policy analysis code to read-only access its underlying data. The policy analysis enclave loads the policy analysis code into the Wasm runtime for execution. During the execution process, the policy analysis code performs policy analysis on the transaction simulation result in the policy analysis request to obtain the policy analysis result, and the policy analysis enclave returns the policy analysis result to the transaction simulation enclave.
进一步地,用户在提交交易预执行请求到交易模拟Enclave时,选择指定所需返回的交易模拟结果字段,交易模拟Enclave在返回最终结果时,只返回策略分析结果和用户所指定的交易模拟结果字段对应的交易模拟结果。服务提供商在提交给策略分析Enclave的配置信息中,指定策略分析代码所需的交易模拟结果字段;策略分析Enclave在注册到交易模拟Enclave时,将服务提供商指定的交易模拟结果字段发送至交易模拟Enclave;交易模拟Enclave据此仅发送相应模拟结果字段到策略分析Enclave。Furthermore, when submitting a transaction pre-execution request to the transaction simulation Enclave, the user chooses to specify the transaction simulation result fields to be returned. When the transaction simulation Enclave returns the final result, it only returns the policy analysis results and the transaction simulation result fields corresponding to the transaction simulation result fields specified by the user. The service provider specifies the transaction simulation result fields required by the policy analysis code in the configuration information submitted to the policy analysis Enclave; when the policy analysis Enclave registers with the transaction simulation Enclave, it sends the transaction simulation result fields specified by the service provider to the transaction simulation Enclave; accordingly, the transaction simulation Enclave only sends the corresponding simulation result fields to the policy analysis Enclave.
进一步地,交易模拟Enclave和策略分析Enclave均有多个,根据服务提供商配置,单个交易模拟Enclave同时与多个包含不同策略分析代码的策略分析Enclave建立连接,且单个策略分析Enclave同时注册到多个交易模拟Enclave中,以服务用户请求。Furthermore, there are multiple transaction simulation enclaves and policy analysis enclaves. According to the service provider configuration, a single transaction simulation enclave simultaneously establishes connections with multiple policy analysis enclaves containing different policy analysis codes, and a single policy analysis enclave is simultaneously registered with multiple transaction simulation enclaves to serve user requests.
基于上述基于Intel SGX的以太坊隐私保护交易预执行系统,本发明实施例提出一种基于Intel SGX的以太坊隐私保护方法,在该方法的所有步骤执行过程中,交易模拟Enclave持续监听以太坊网络并导入以太坊最新区块,基于该以太坊最新区块更新本地的以太坊世界状态,从而保持与以太坊网络的同步状态;然后将以太坊各区块数据与以太坊世界状态加密存储在宿主系统中的磁盘中,进行持久化存储,后续交易模拟Enclave能按照需要从宿主系统中读取。其中,在输出以太坊世界状态到宿主系统之前,交易模拟Enclave对以太坊世界状态进行可验证加密操作,加密密钥为交易模拟Enclave的SGX密封密钥,从而使得只有交易模拟Enclave可以对以太坊世界状态进行解密操作。Based on the above-mentioned Ethereum privacy protection transaction pre-execution system based on Intel SGX, an embodiment of the present invention proposes an Ethereum privacy protection method based on Intel SGX. During the execution of all steps of the method, the transaction simulation Enclave continuously monitors the Ethereum network and imports the latest Ethereum block, updates the local Ethereum world state based on the latest Ethereum block, thereby maintaining synchronization with the Ethereum network; then encrypts and stores the Ethereum block data and the Ethereum world state in the disk in the host system for persistent storage, and the subsequent transaction simulation Enclave can read from the host system as needed. Among them, before outputting the Ethereum world state to the host system, the transaction simulation Enclave performs a verifiable encryption operation on the Ethereum world state, and the encryption key is the SGX sealing key of the transaction simulation Enclave, so that only the transaction simulation Enclave can decrypt the Ethereum world state.
基于Intel SGX的以太坊隐私保护方法具体包括以下步骤:The Ethereum privacy protection method based on Intel SGX specifically includes the following steps:
S1:服务提供商根据需要创建交易模拟Enclave和策略分析Enclave实例,对于策略分析Enclave,进行以下初始化操作:S1: The service provider creates transaction simulation Enclave and policy analysis Enclave instances as needed. For the policy analysis Enclave, perform the following initialization operations:
(1.1)服务提供商将策略分析代码编译成Wasm字节码格式,使用私钥对生成的Wasm字节码进行签名,并在策略分析代码的配置信息中添加该签名及签名公钥。(1.1) The service provider compiles the policy analysis code into Wasm bytecode format, signs the generated Wasm bytecode with a private key, and adds the signature and the signature public key to the configuration information of the policy analysis code.
(1.2)服务提供商通过策略分析Enclave所提供的HTTPS服务接口,提出分发请求,将编译成Wasm字节码形式的策略分析代码及其底层数据和配置信息分发至策略分析Enclave。(1.2) The service provider makes a distribution request through the HTTPS service interface provided by the policy analysis enclave, and distributes the policy analysis code compiled into Wasm bytecode and its underlying data and configuration information to the policy analysis enclave.
(1.3)策略分析Enclave在接收到服务提供商的分发请求之后,首先基于策略分析代码的配置信息中的签名公钥,对策略分析代码的签名正确性进行验证。如果验证成功,则接收服务提供商分发请求中的所有内容,并将签名公钥作为策略分析代码的身份标识(即策略id),否则则拒绝服务提供商的分发请求。签名正确性验证成功后,还需将策略分析代码的底层数据加载到策略分析Enclave内的内存文件系统中,以允许后续策略分析代码通过WASI接口对底层数据进行只读访问。(1.3) After receiving the distribution request from the service provider, the policy analysis enclave first verifies the correctness of the signature of the policy analysis code based on the signature public key in the configuration information of the policy analysis code. If the verification is successful, all the contents in the service provider's distribution request are received, and the signature public key is used as the identity of the policy analysis code (ie, the policy id). Otherwise, the service provider's distribution request is rejected. After the signature correctness verification is successful, the underlying data of the policy analysis code must be loaded into the memory file system within the policy analysis enclave to allow subsequent policy analysis codes to read-only access the underlying data through the WASI interface.
(1.4)策略分析Enclave依据配置信息中指示的交易模拟Enclave的IP地址列表,将标识策略分析代码身份的策略id和策略分析代码所需的交易模拟结果字段信息传输至交易模拟飞地,完成注册,从而使得交易模拟Enclave在服务提供过程中,正确地将交易模拟结果分发给包含用户所指定策略分析代码的策略分析Enclave,并且只分发必要的交易模拟结果字段,从而减少通信开销。在注册过程中,交易模拟Enclave借助SGX远程证明机制,验证所注册的确实为策略分析Enclave,并通过密钥交换算法与策略分析Enclave之间生成一个会话密钥,后续交易模拟Enclave与策略分析Enclave之间的所有通信内容均使用该会话密钥进行加密。(1.4) The policy analysis enclave transmits the policy ID that identifies the policy analysis code and the transaction simulation result field information required by the policy analysis code to the transaction simulation enclave according to the IP address list of the transaction simulation enclave indicated in the configuration information to complete the registration, so that the transaction simulation enclave can correctly distribute the transaction simulation results to the policy analysis enclave containing the policy analysis code specified by the user during the service provision process, and only distribute the necessary transaction simulation result fields, thereby reducing communication overhead. During the registration process, the transaction simulation enclave uses the SGX remote attestation mechanism to verify that the registered one is indeed the policy analysis enclave, and generates a session key with the policy analysis enclave through the key exchange algorithm. All subsequent communications between the transaction simulation enclave and the policy analysis enclave are encrypted using the session key.
S2:用户通过交易模拟Enclave所提供的HTTPS服务接口向交易模拟Enclave发送交易预执行请求。交易预执行请求的内容包括:用户交易列表、策略id列表、需要返回的交易模拟结果字段。S2: The user sends a transaction pre-execution request to the transaction simulation Enclave through the HTTPS service interface provided by the transaction simulation Enclave. The content of the transaction pre-execution request includes: user transaction list, strategy ID list, and transaction simulation result field to be returned.
S3:交易模拟Enclave在接收到用户的交易预执行请求之后,对交易预执行请求的用户交易列表中的各用户交易进行模拟执行,并产生交易模拟结果。在模拟执行过程中,交易模拟飞地根据需求从宿主系统中读取以太坊各区块数据和以太坊世界状态。S3: After receiving the user's transaction pre-execution request, the transaction simulation enclave simulates the execution of each user transaction in the user transaction list of the transaction pre-execution request and generates a transaction simulation result. During the simulation execution process, the transaction simulation enclave reads the Ethereum block data and Ethereum world state from the host system according to demand.
S4:交易模拟Enclave依据交易预执行请求中的策略id列表,向相应的策略分析Enclave发送策略分析请求,并等待策略分析Enclave的响应;策略分析请求中包含用户交易的模拟结果。其中,对于每个策略分析Enclave,交易模拟Enclave只会传递其所需的交易模拟结果字段,以减少通信开销。S4: The transaction simulation enclave sends a policy analysis request to the corresponding policy analysis enclave according to the policy id list in the transaction pre-execution request, and waits for the response of the policy analysis enclave; the policy analysis request contains the simulation result of the user transaction. For each policy analysis enclave, the transaction simulation enclave only passes the transaction simulation result fields it needs to reduce communication overhead.
S5:策略分析Enclave在接收到来自交易模拟Enclave的策略分析请求之后,创建一个新的Wasm运行时实例并加载策略分析代码到该实例中。策略分析代码在执行策略分析过程中,策略分析代码通过recv_input接口从策略分析Enclave中获取策略分析请求中的交易模拟结果,策略分析代码对交易模拟结果进行策略分析后,通过send_output接口将策略分析结果输出至策略分析Enclave。策略分析代码在执行过程中还可以通过WASI接口对其存储于策略分析Enclave内存文件系统的底层数据进行只读访问。S5: After receiving the policy analysis request from the transaction simulation Enclave, the policy analysis Enclave creates a new Wasm runtime instance and loads the policy analysis code into the instance. During the policy analysis process, the policy analysis code obtains the transaction simulation results in the policy analysis request from the policy analysis Enclave through the recv_input interface. After the policy analysis code performs policy analysis on the transaction simulation results, it outputs the policy analysis results to the policy analysis Enclave through the send_output interface. During the execution process, the policy analysis code can also read-only access the underlying data stored in the policy analysis Enclave memory file system through the WASI interface.
S6:策略分析Enclave将获取的策略分析代码输出的策略分析结果返回给交易模拟Enclave,并销毁S5创建的Wasm运行时实例。S6: The policy analysis enclave returns the policy analysis results output by the obtained policy analysis code to the transaction simulation enclave, and destroys the Wasm runtime instance created in S5.
S7:交易模拟Enclave汇总策略分析Enclave的响应(即策略分析Enclave返回的策略分析结果),并聚合策略分析结果与需要返回的交易模拟结果字段对应的交易模拟结果作为最终结果,并向用户发送所述最终结果。其中,对于交易模拟结果,交易模拟Enclave只返回用户所指定需要的交易模拟结果字段,以减少通信开销。S7: The transaction simulation enclave aggregates the responses of the policy analysis enclave (i.e., the policy analysis results returned by the policy analysis enclave), aggregates the policy analysis results and the transaction simulation results corresponding to the transaction simulation result fields that need to be returned as the final result, and sends the final result to the user. Among them, for the transaction simulation results, the transaction simulation enclave only returns the transaction simulation result fields required by the user to reduce communication overhead.
为了证明本发明的系统在满足隐私保护的同时能满足性能要求,下面根据真实用户交易数据集对交易模拟Enclave和策略分析Enclave的延迟与吞吐量进行了性能测试。In order to prove that the system of the present invention can meet the performance requirements while meeting the requirements of privacy protection, the latency and throughput of the transaction simulation enclave and the policy analysis enclave are tested based on the real user transaction data set.
为了测试交易模拟Enclave的性能,首先将交易模拟Enclave的以太坊区块状态暂停在区块17786030,并且从区块17786030后面的4000个区块中挑选一组交易作为用来进行实验的数据集。挑选标准为:该交易可以基于区块17786030模拟执行成功而不会发生回滚。由此最终收集产生了一个包含有91520笔交易的实验数据集。然后使用192个并发连接来将实验数据集中的交易发送到交易模拟Enclave,以测试其延迟与吞吐量。此外,还运行了一个未使用本发明的系统进行保护的交易模拟组件,并进行了同样的实验过程,以作为性能开销的基准。In order to test the performance of the transaction simulation Enclave, the Ethereum block state of the transaction simulation Enclave is first paused at block 17786030, and a group of transactions are selected from the 4000 blocks after block 17786030 as the data set for the experiment. The selection criteria are: the transaction can be simulated and executed successfully based on block 17786030 without rollback. Thus, an experimental data set containing 91,520 transactions was finally collected and generated. Then 192 concurrent connections were used to send the transactions in the experimental data set to the transaction simulation Enclave to test its latency and throughput. In addition, a transaction simulation component that was not protected by the system of the present invention was also run, and the same experimental process was carried out as a benchmark for performance overhead.
表1展示了性能测试的最终结果。从表1中可以看出,交易模拟Enclave的安全保护为交易模拟组件带来了26毫秒的延迟开销和38%的吞吐量开销,性能开销是可接受的。Table 1 shows the final results of the performance test. As can be seen from Table 1, the security protection of the transaction simulation Enclave brings 26 milliseconds of latency overhead and 38% throughput overhead to the transaction simulation component, and the performance overhead is acceptable.
表1 交易模拟Enclave延迟与吞吐量的性能测试结果Table 1 Performance test results of transaction simulation Enclave latency and throughput
为了测试策略分析Enclave的性能,选取了钓鱼检测、合规性检测和攻击检测三类场景进行性能测试实验。首先实现了针对这三类场景的样例策略分析代码。然后,使用前述交易模拟Enclave性能测试实验中所产生的交易模拟结果(共有91520个)作为策略分析Enclave性能测试实验的实验数据集,并使用192个并发连接来将实验数据集中的交易模拟结果发送到策略分析Enclave,以测试其延迟与吞吐量。表2展示了性能测试的最终结果。从表2中可以看出,策略分析Enclave可以提供与交易模拟Enclave相同量级的延迟与吞吐量,说明策略分析Enclave可以匹配交易模拟Enclave的延迟与吞吐量。In order to test the performance of the policy analysis Enclave, three scenarios, namely phishing detection, compliance detection and attack detection, were selected for performance testing experiments. First, the sample policy analysis code for these three scenarios was implemented. Then, the transaction simulation results (a total of 91,520) generated in the aforementioned transaction simulation Enclave performance test experiment were used as the experimental data set for the policy analysis Enclave performance test experiment, and 192 concurrent connections were used to send the transaction simulation results in the experimental data set to the policy analysis Enclave to test its latency and throughput. Table 2 shows the final results of the performance test. As can be seen from Table 2, the policy analysis Enclave can provide the same order of magnitude of latency and throughput as the transaction simulation Enclave, indicating that the policy analysis Enclave can match the latency and throughput of the transaction simulation Enclave.
表2 策略分析Enclave延迟与吞吐量的性能测试结果Table 2 Performance test results of Enclave latency and throughput for policy analysis
如图2所示,本发明实施例提供的一种电子设备,包括存储器和一个或多个处理器,存储器中存储有可执行代码,一个或多个处理器执行可执行代码时,用于实现上述实施例中的基于Intel SGX的以太坊隐私保护方法。As shown in FIG2 , an electronic device provided by an embodiment of the present invention includes a memory and one or more processors. The memory stores executable code. When the one or more processors execute the executable code, they are used to implement the Ethereum privacy protection method based on Intel SGX in the above embodiment.
本发明提出的一种电子设备可以应用在任意具备数据处理能力的设备上,该任意具备数据处理能力的设备可以为诸如计算机等设备或装置。电子设备可以通过软件实现,也可以通过硬件或者软硬件结合的方式实现。以软件实现为例,作为一个逻辑意义上的装置,是通过其所在任意具备数据处理能力的设备的处理器,将非易失性存储器中对应的计算机程序指令读取到内存中运行形成的。从硬件层面而言,如图2所示,为本发明一种电子设备所在任意具备数据处理能力的设备的一种硬件结构图,除了图2所示的处理器、内存、网络接口、以及非易失性存储器之外,实施例中本发明设备所在的任意具备数据处理能力的设备通常根据该任意具备数据处理能力的设备的实际功能,还可以包括其他硬件,对此不再赘述。An electronic device proposed in the present invention can be applied to any device with data processing capabilities, and the any device with data processing capabilities can be a device or apparatus such as a computer. The electronic device can be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, as a device in a logical sense, it is formed by the processor of any device with data processing capabilities in which it is located, reading the corresponding computer program instructions in the non-volatile memory into the memory for execution. From the hardware level, as shown in Figure 2, it is a hardware structure diagram of any device with data processing capabilities in which an electronic device of the present invention is located. In addition to the processor, memory, network interface, and non-volatile memory shown in Figure 2, any device with data processing capabilities in which the device of the present invention is located in the embodiment is usually based on the actual function of the device with data processing capabilities. It can also include other hardware, which will not be repeated here.
对于电子设备实施例而言,由于其基本对应于方法实施例,所以相关之处参见方法实施例的部分说明即可。以上所描述的电子设备实施例仅仅是示意性的,其中所说明的作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部模块来实现本发明方案的目的。本领域普通技术人员在不付出创造性劳动的情况下,即可以理解并实施。For the electronic device embodiment, since it basically corresponds to the method embodiment, the relevant parts can refer to the partial description of the method embodiment. The electronic device embodiment described above is only schematic, and the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the present invention. Ordinary technicians in this field can understand and implement it without paying creative work.
本发明实施例还提供一种计算机可读存储介质,其上存储有程序,该程序被处理器执行时,实现上述实施例中的基于Intel SGX的以太坊隐私保护方法。An embodiment of the present invention also provides a computer-readable storage medium on which a program is stored. When the program is executed by a processor, the Ethereum privacy protection method based on Intel SGX in the above embodiment is implemented.
计算机可读存储介质可以是前述任一实施例的任意具备数据处理能力的设备的内部存储单元,例如硬盘或内存。计算机可读存储介质也可以是任意具备数据处理能力的设备的外部存储设备,例如所述设备上配备的插接式硬盘、智能存储卡(Smart MediaCard,SMC)、SD卡、闪存卡(Flash Card)等。进一步的,计算机可读存储介质还可以既包括任意具备数据处理能力的设备的内部存储单元也包括外部存储设备。计算机可读存储介质用于存储计算机程序以及任意具备数据处理能力的设备所需的其他程序和数据,还可以用于暂时地存储已经输出或者将要输出的数据。The computer-readable storage medium may be an internal storage unit of any device with data processing capability in any of the aforementioned embodiments, such as a hard disk or a memory. The computer-readable storage medium may also be an external storage device of any device with data processing capability, such as a plug-in hard disk, a smart memory card (Smart Media Card, SMC), an SD card, a flash card (Flash Card), etc. equipped on the device. Furthermore, the computer-readable storage medium may also include both an internal storage unit and an external storage device of any device with data processing capability. The computer-readable storage medium is used to store computer programs and other programs and data required by any device with data processing capability, and may also be used to temporarily store data that has been output or is to be output.
需要说明的是,在本文中,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括所述要素的过程、方法、物品或者设备中还存在另外的相同要素。It should be noted that, in this article, the terms "include", "comprises" or any other variations thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements, but also other elements not explicitly listed, or also includes elements inherent to such process, method, article or device. In the absence of further restrictions, an element defined by the sentence "comprises a ..." does not exclude the existence of other identical elements in the process, method, article or device including the element.
以上所述仅为本发明的优选实施例而已,使本领域技术人员能够理解或实现本发明并不用于限制本发明,对于本领域的技术人员来说,本发明可以有各种更改和变化,且对这些实施例的多种修改对本领域的技术人员来说将是显而易见的,本文中所定义的一般原理可以在不脱离本发明的精神或范围的情况下,在其它实施例中实现。凡在本发明的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。The above description is only the preferred embodiment of the present invention, which enables those skilled in the art to understand or implement the present invention and is not intended to limit the present invention. For those skilled in the art, the present invention may have various changes and variations, and the various modifications to these embodiments will be obvious to those skilled in the art. The general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410985353.5ACN118520506B (en) | 2024-07-23 | 2024-07-23 | Intel SGX-based Ethernet privacy protection transaction pre-execution system |
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410985353.5ACN118520506B (en) | 2024-07-23 | 2024-07-23 | Intel SGX-based Ethernet privacy protection transaction pre-execution system |
| Publication Number | Publication Date |
|---|---|
| CN118520506A CN118520506A (en) | 2024-08-20 |
| CN118520506Btrue CN118520506B (en) | 2024-11-05 |
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410985353.5AActiveCN118520506B (en) | 2024-07-23 | 2024-07-23 | Intel SGX-based Ethernet privacy protection transaction pre-execution system |
| Country | Link |
|---|---|
| CN (1) | CN118520506B (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114491508A (en)* | 2022-01-18 | 2022-05-13 | 武汉大学 | Smart contract malicious transaction detection and analysis system and method based on data dynamic storage |
| CN115276982A (en)* | 2022-07-29 | 2022-11-01 | 武汉科技大学 | A method and system for Ethereum key management based on SGX |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110060054B (en)* | 2019-02-19 | 2020-09-01 | 阿里巴巴集团控股有限公司 | Method, node, system and storage medium for implementing privacy protection in block chain |
| CN116432235A (en)* | 2023-04-28 | 2023-07-14 | 蚂蚁区块链科技(上海)有限公司 | Privacy protection method and device for account data in blockchain |
| CN116861433A (en)* | 2023-05-24 | 2023-10-10 | 西安电子科技大学 | Ethereum smart contract transaction defect detection method and device based on No GIL parallelism |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114491508A (en)* | 2022-01-18 | 2022-05-13 | 武汉大学 | Smart contract malicious transaction detection and analysis system and method based on data dynamic storage |
| CN115276982A (en)* | 2022-07-29 | 2022-11-01 | 武汉科技大学 | A method and system for Ethereum key management based on SGX |
| Publication number | Publication date |
|---|---|
| CN118520506A (en) | 2024-08-20 |
| Publication | Publication Date | Title |
|---|---|---|
| Parno et al. | CLAMP: Practical prevention of large-scale data leaks | |
| US9916439B2 (en) | Securing a computing environment against malicious entities | |
| US8068613B2 (en) | Method and apparatus for remotely provisioning software-based security coprocessors | |
| JP4732513B2 (en) | Method and apparatus for providing a software-based security coprocessor | |
| Pappas et al. | CloudFence: Data flow tracking as a cloud service | |
| Wang et al. | Running language interpreters inside SGX: A lightweight, legacy-compatible script code hardening approach | |
| CN115580413A (en) | A zero-trust multi-party data fusion computing method and device | |
| Parno | Trust extension as a mechanism for secure code execution on commodity computers | |
| Aslam et al. | Security and trust preserving inter‐and intra‐cloud VM migrations | |
| Chen et al. | A verified confidential computing as a service framework for privacy preservation | |
| Sardar et al. | Formal specification and verification of architecturally-defined attestation mechanisms in arm cca and intel tdx | |
| CN115114631B (en) | Trusted computing-based local key escrow method, apparatus, device and medium | |
| WO2025092260A1 (en) | Data processing method and data processing engine based on trusted execution environment | |
| CN118520506B (en) | Intel SGX-based Ethernet privacy protection transaction pre-execution system | |
| Krautheim | Building trust into utility cloud computing | |
| CN102770869B (en) | Secure Execution of Computing Resources | |
| Akkus et al. | Praas: Verifiable proofs of property as-a-service with intel sgx | |
| CN114240696A (en) | Property service management open platform, service access method, device and equipment | |
| Ferro et al. | Standard-Based Remote Attestation: The Veraison Project | |
| D'Onghia | Use of SGX to protect network nodes | |
| Liu et al. | Intel SGX-based trust framework designed for secure machine learning | |
| Vuillermoz | Analysis of TEE technologies as trust anchors | |
| Quaresma | TrustZone based attestation in secure runtime verification for embedded systems | |
| US20250254026A1 (en) | Verifiable computing | |
| Wilson et al. | Analysing TLS Implementations Using Full-Message Symbolic Execution |
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |