RA-WEBs: Remote Attestation for WEB services
Kosei Akama, Yoshimichi Nakatsuka, Korry Luke, Masaaki Sato, Keisuke Uehara
TL;DR
A novel RA protocol designed for high compatibility with the current web ecosystem is proposed, which leverages established web mechanisms for immediate deployability, enabling RA verification on existing browsers and conducts a comprehensive security analysis, demonstrating its resilience against various threats.
Abstract
Data theft and leakage, caused by external adversaries and insiders, demonstrate the need for protecting user data. Trusted Execution Environments (TEEs) offer a promising solution by creating secure environments that protect data and code from such threats. The rise of confidential computing on cloud platforms facilitates the deployment of TEE-enabled server applications, which are expected to be widely adopted in web services such as privacy-preserving LLM inference and secure data logging. One key feature is Remote Attestation (RA), which enables integrity verification of a TEE. However, $\textit{compatibility}$ issues with RA verification arise as no browsers natively support this feature, making prior solutions cumbersome and risky. To address these challenges, we propose $\texttt{RA-WEBs}$ ($\textbf{R}$emote $\textbf{A}$ttestation for $\textbf{Web}$ $\textbf{s}$ervices), a novel RA protocol designed for high compatibility with the current web ecosystem. $\texttt{RA-WEBs}$ leverages established web mechanisms for immediate deployability, enabling RA verification on existing browsers. We conduct a comprehensive security analysis, demonstrating $\texttt{RA-WEBs}$'s resilience against various threats. Our contributions include the $\texttt{RA-WEBs}$ proposal, a proof-of-concept implementation, an in-depth security analysis, and publicly available code for reproducible research.