Proposal: remove the proxy altogether for transfers and MTCS #100

Closed
Tracked by #144
hu55a1n1 opened this issue Jul 15, 2024 · 6 comments
Labels
devx Issues related to improving dev experience / tooling question Further information is requested

Comments

@hu55a1n1 (Member)

Summary

The contract-proxy-enclave design where devs are expected to write all 3 of these components (and ensure they're consistent) is error-prone and leads to bad devX. I propose we get rid of the proxy entirely (at least for early versions of quartz) and instead move that logic into the enclave itself, such that the enclave talks directly with the smart contract.

Problem statement

Our main reason for the proxy AFAICT is to minimize the attack surface by preventing the enclave from making network calls. So we introduce a proxy bin (running on the host) that the enclave talks to (over files/gRPC) and the proxy connects to a blockchain node on the internet and facilitates communication between the enclave and the smart contract.

Why should the enclave and the smart contract communicate?

  1. Handshake - the enclave and the contract must pair with each other such that the contract verifies the RA for the secret generated on the enclave and the enclave must verify a proof-of-publication of the public key.
  2. Smart contract must be able to trigger execution on the enclave (this basically involves events)
  3. Enclave must be able to query & obtain on-chain data for execution (with light client and merkle proofs)
  4. Enclave must be able to submit the results of the execution to the contract with a proof of integrity (e.g. RA; EPID RA means we must make an additional network call to go from an enclave generated quote to an Intel attested report)

Why is this complicated?

The proxy must be app context aware so it cannot be a generic/universal bin that just works for all apps because it must know which events to listen to and what on-chain data to query (and how to get proofs for them).

Proposal

  • Allow the enclave to talk directly to the smart contract so we no longer need the proxy.
  • IIUC, the attack surface argument doesn't apply because we're already checking a proof-of-publication/integrity ourselves, so it should be fine to let the enclave make network calls. (Is this correct? Are there other attacks that we should be concerned about?)
  • We can always add the proxy in the future if we decide to. We can also implement the proxy generically as an abstraction of the networking layer/stack. (basically as an interceptor)
  • This does however complicate the core logic (a bit) because the handshake must be handled inside of core quartz.
  • Also, the enclave will now contain networking code that is not exactly business logic. But this also means that the RA attests to this code which is nice for audits and integrity proofs.

(cc: @ebuchman, @amiller)
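As an added illustration (not Quartz code) of the proof-of-publication step in the handshake and the Merkle-proof queries listed above: a constructed contract state committed in a simple binary Merkle tree, and the enclave-side check that the key the contract published is its own. The tree layout, key names and state values are assumptions made for the example.

```python
import hashlib

def leaf(key: bytes, value: bytes) -> bytes:
    # Domain-separate leaves (0x00) from inner nodes (0x01) so a leaf can never
    # be passed off as an inner node, or vice versa.
    return hashlib.sha256(b"\x00" + key + b"=" + value).digest()

def node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def levels(entries):
    """All tree levels, leaves first, for a list of (key, value) pairs."""
    level = [leaf(k, v) for k, v in sorted(entries)]
    out = [level]
    while len(level) > 1:
        if len(level) % 2:  # pad odd levels by repeating the last node
            level = level + [level[-1]]
        level = [node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        out.append(level)
    return out

def state_root(entries) -> bytes:
    return levels(entries)[-1][0]

def inclusion_proof(entries, key: bytes):
    """Sibling path for `key`, as (sibling_hash, sibling_is_left) pairs."""
    idx = [k for k, _ in sorted(entries)].index(key)
    proof = []
    for level in levels(entries)[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sib = idx ^ 1
        proof.append((level[sib], sib < idx))
        idx //= 2
    return proof

def verify_publication(root: bytes, key: bytes, value: bytes, proof) -> bool:
    """Enclave-side check: is (key, value) committed under the trusted root?"""
    acc = leaf(key, value)
    for sibling, sibling_is_left in proof:
        acc = node(sibling, acc) if sibling_is_left else node(acc, sibling)
    return acc == root

# Constructed sample state (not real Quartz contract storage): the contract
# stored the enclave's public key after accepting its remote attestation.
ENCLAVE_PUBKEY = bytes.fromhex("02" + "ab" * 32)  # hypothetical compressed key
CONTRACT_STATE = [(b"enclave_pubkey", ENCLAVE_PUBKEY), (b"owner", b"wasm1owner"),
                  (b"config", b'{"dcap":true}')]

def enclave_accepts_handshake(root: bytes, proof, pubkey: bytes = ENCLAVE_PUBKEY) -> bool:
    # The enclave proceeds only if the key the contract published is its own.
    return verify_publication(root, b"enclave_pubkey", pubkey, proof)
```

The root would come from a light-client-verified block header in practice; here it is computed locally from the constructed state.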

@hu55a1n1 hu55a1n1 added question Further information is requested devx Issues related to improving dev experience / tooling labels Jul 15, 2024
@hu55a1n1 hu55a1n1 modified the milestone: Quartz v0.1 Jul 15, 2024
@thanethomson (Contributor)

I'd love for there to be one less major component to a Quartz app 🙂

@amiller, could you please help us understand if/why we'd really need the proxy in the first place? I also don't really understand the threat model that necessitated its introduction.

@thanethomson (Contributor)

Looks like we've agreed to remove the proxy during Discourse today. What does "done" look like for this issue?

@hu55a1n1 (Member, Author)

> What does "done" look like for this issue?

I think this is done when we no longer have a listen.sh script (or quartz listen command). So we basically move all listen.sh logic into the enclave. This includes ->

  • Listening for specific smart contract events over websockets
  • Querying on-chain data with light-client/merkle proofs
  • Submitting computation output directly to the smart contract (e.g. send transaction using wasmd)

A related improvement (optional, low prio future work) could be to move all handshake.sh logic into the enclave. This includes ->

  • enclave starts handshake as soon as it is up and terminates if it fails to do so.
  • so the flow would be ->
    $ quartz deploy
    # deploys smart contract
    $ quartz start
    # enclave runs
    # enclave instantiates contract
    # enclave performs handshake

@davekaj (Contributor) commented Aug 20, 2024

Blocked by #70 as we want the listen script to be updated to DCAP, and we want to put that in the enclave (i.e. remove the proxy)

@dangush (Contributor) commented Sep 6, 2024

#174 waiting for review

@davekaj davekaj changed the title Proposal: remove the proxy altogether Proposal: remove the proxy altogether for transfers and MTCS Sep 10, 2024
@davekaj (Contributor) commented Sep 24, 2024

Closed by #174

@davekaj davekaj closed this as completed Sep 24, 2024