TEEvil: Identity Lease via Trusted Execution Environments

We investigate identity lease, a new type of service in which users lease their identities to third parties by providing them with full or restricted access to their online accounts or credentials. We discuss how identity lease could be abused to subvert the digital society, facilitating the spread of fake news and subverting electronic voting by enabling the sale of votes. We show that the emergence of Trusted Execution Environments and anonymous cryptocurrencies, for the first time, allows the implementation of such a lease service while guaranteeing fairness, plausible deniability and anonymity, therefore shielding the users and account renters from prosecution. To show that such a service can be practically implemented, we build an example service that we call TEEvil leveraging Intel SGX and ZCash. Finally, we discuss defense mechanisms and challenges in the mitigation of identity lease services.

[1]  Rediet Abebe Can Cascades be Predicted? , 2014 .

[2]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[3]  Arjun Mukherjee,et al.  Spotting fake reviewer groups in consumer reviews , 2012, WWW.

[4]  Bernhard Kauer OSLO: Improving the Security of Trusted Computing , 2007, USENIX Security Symposium.

[5]  Chris Palmer,et al.  Public Key Pinning Extension for HTTP , 2015, RFC.

[6]  Guido Caldarelli,et al.  Debunking in a world of tribes , 2015, PloS one.

[7]  Nicola Barbieri,et al.  Topic-aware social influence propagation models , 2012, Knowledge and Information Systems.

[8]  Éva Tardos,et al.  Maximizing the Spread of Influence through a Social Network , 2015, Theory Comput..

[9]  Jeremy Clark,et al.  Selections: Internet Voting with Over-the-Shoulder Coercion-Resistance , 2011, Financial Cryptography.

[10]  Srdjan Capkun,et al.  DelegaTEE: Brokered Delegation Using Trusted Execution Environments , 2018, IACR Cryptol. ePrint Arch..

[11]  Ralf Küsters,et al.  Accountability: definition and relationship to verifiability , 2010, CCS '10.

[12]  Ariel J. Feldman,et al.  Lest we remember: cold-boot attacks on encryption keys , 2008, CACM.

[13]  Byoungcheon Lee,et al.  Receipt-Free Electronic Voting Scheme with a Tamper-Resistant Randomizer , 2002, ICISC.

[14]  T. Alves,et al.  TrustZone : Integrated Hardware and Software Security , 2004 .

[15]  R. Ferguson,et al.  Word of mouth and viral marketing: taking the temperature of the hottest trends in marketing , 2008 .

[16]  Srdjan Capkun,et al.  ROTE: Rollback Protection for Trusted Execution , 2017, USENIX Security Symposium.

[17]  Wei Chen,et al.  The influence of user-generated content on traveler behavior: An empirical investigation on the effects of e-word-of-mouth to hotel online bookings , 2011, Comput. Hum. Behav..

[18]  Stefan Dziembowski,et al.  FairSwap: How To Fairly Exchange Digital Goods , 2018, IACR Cryptol. ePrint Arch..

[19]  Hovav Shacham,et al.  Iago attacks: why the system call API is a bad untrusted RPC interface , 2013, ASPLOS '13.

[20]  Ghassan O. Karame,et al.  Evaluating User Privacy in Bitcoin , 2013, Financial Cryptography.

[21]  Nancy A. Lynch,et al.  Impossibility of distributed consensus with one faulty process , 1983, PODS '83.

[22]  Cameron Marlow,et al.  A 61-million-person experiment in social influence and political mobilization , 2012, Nature.

[23]  S. Sénécal,et al.  The influence of online product recommendations on consumers' online choices , 2004 .

[24]  Ana-Maria Popescu,et al.  A Machine Learning Approach to Twitter User Classification , 2011, ICWSM.

[25]  Véronique Cortier,et al.  SoK: Verifiability Notions for E-Voting Protocols , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[26]  Bing Liu,et al.  Opinion spam and analysis , 2008, WSDM '08.

[27]  Gang Wang,et al.  Serf and turf: crowdturfing for fun and profit , 2011, WWW.

[28]  Laks V. S. Lakshmanan,et al.  A Data-Based Approach to Social Influence Maximization , 2011, Proc. VLDB Endow..

[29]  Jon Crowcroft,et al.  Classification of Twitter Accounts into Automated Agents and Human Users , 2017, 2017 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM).

[30]  Kazue Sako,et al.  Efficient Receipt-Free Voting Based on Homomorphic Encryption , 2000, EUROCRYPT.

[31]  John Langford,et al.  CAPTCHA: Using Hard AI Problems for Security , 2003, EUROCRYPT.

[32]  Krishna P. Gummadi,et al.  Towards Detecting Anomalous User Behavior in Online Social Networks , 2014, USENIX Security Symposium.

[33]  Srinivas Devadas,et al.  Intel SGX Explained , 2016, IACR Cryptol. ePrint Arch..

[34]  Eli Ben-Sasson,et al.  Zerocash: Decentralized Anonymous Payments from Bitcoin , 2014, 2014 IEEE Symposium on Security and Privacy.

[35]  Claire Cardie,et al.  Estimating the prevalence of deception in online review communities , 2012, WWW.

[36]  Jong Kim,et al.  CrowdTarget: Target-based Detection of Crowdturfing in Online Social Networks , 2015, CCS.

[37]  Giovanni Luca Ciampaglia,et al.  The spread of low-credibility content by social bots , 2017, Nature Communications.

[38]  Srinivas Devadas,et al.  Sanctum: Minimal Hardware Extensions for Strong Software Isolation , 2016, USENIX Security Symposium.

[39]  Eli Ben-Sasson,et al.  Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture , 2014, USENIX Security Symposium.

[40]  Yimin Chen,et al.  Automatic deception detection: Methods for finding fake news , 2015, ASIST.

[41]  Cliff Lampe,et al.  It's Complicated: Facebook Users' Political Participation in the 2008 Election , 2011, Cyberpsychology Behav. Soc. Netw..

[42]  Jinhui Tang,et al.  Online Topic-Aware Influence Maximization , 2015, Proc. VLDB Endow..

[43]  Johannes Winter,et al.  Trusted computing building blocks for embedded linux-based ARM trustzone platforms , 2008, STC '08.

[44]  Patrick D. McDaniel,et al.  An Analysis of Anonymity in Bitcoin Using P2P Network Traffic , 2014, Financial Cryptography.

[45]  Srdjan Capkun,et al.  ZLiTE: Lightweight Clients for Shielded Zcash Transactions using Trusted Execution , 2019, IACR Cryptol. ePrint Arch..

[46]  Fergal Reid,et al.  An Analysis of Anonymity in the Bitcoin System , 2011, PASSAT 2011.

[47]  Véronique Cortier,et al.  Verifiability Notions for E-Voting Protocols , 2016, IACR Cryptol. ePrint Arch..

[48]  Lee Rainie,et al.  The future of free speech, trolls, anonymity and fake news online , 2017 .

[49]  Marcus Peinado,et al.  Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing , 2016, USENIX Security Symposium.

[50]  Nor Badrul Anuar,et al.  Malicious accounts: Dark of the social networks , 2017, J. Netw. Comput. Appl..

[51]  Justin Cheng,et al.  Rumor Cascades , 2014, ICWSM.

[52]  Moni Naor,et al.  Receipt-Free Universally-Verifiable Voting with Everlasting Privacy , 2006, CRYPTO.

[53]  G. Caldarelli,et al.  The spreading of misinformation online , 2016, Proceedings of the National Academy of Sciences.

[54]  Vitalik Buterin A NEXT GENERATION SMART CONTRACT & DECENTRALIZED APPLICATION PLATFORM , 2015 .

[55]  Mark Ryan,et al.  Coercion-resistance and receipt-freeness in electronic voting , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[56]  Rüdiger Kapitza,et al.  Rollback and Forking Detection for Trusted Execution Environments Using Lightweight Collective Memory , 2017, 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[57]  Sinan Aral,et al.  The spread of true and false news online , 2018, Science.

[58]  Suhang Wang,et al.  Fake News Detection on Social Media: A Data Mining Perspective , 2017, SKDD.

[59]  Chris Kanich,et al.  Re: CAPTCHAs-Understanding CAPTCHA-Solving Services in an Economic Context , 2010, USENIX Security Symposium.

[60]  Gang Wang,et al.  Man vs. Machine: Practical Adversarial Detection of Malicious Crowdsourcing Workers , 2014, USENIX Security Symposium.

[61]  Bo Sun,et al.  Stay On-Topic: Generating Context-specific Fake Restaurant Reviews , 2018, ESORICS.

[62]  Srdjan Capkun,et al.  Software Grand Exposure: SGX Cache Attacks Are Practical , 2017, WOOT.

[63]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[64]  Michael R. Clarkson,et al.  Civitas: Toward a Secure Voting System , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[65]  Zheng Wang,et al.  Yet Another Text Captcha Solver: A Generative Adversarial Network Based Approach , 2018, CCS.

[66]  Elaine Shi,et al.  The Ring of Gyges: Investigating the Future of Criminal Smart Contracts , 2016, CCS.

[67]  Thomas F. Wenisch,et al.  Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution , 2018, USENIX Security Symposium.

[68]  Byoungcheon Lee,et al.  Providing Receipt-Freeness in Mixnet-Based Voting Protocols , 2003, ICISC.

[69]  Ben Y. Zhao,et al.  Automated Crowdturfing Attacks and Defenses in Online Review Systems , 2017, CCS.

[70]  Ittai Anati,et al.  Innovative Technology for CPU Based Attestation and Sealing , 2013 .

[71]  Michela Del Vicario,et al.  Viral Misinformation: The Role of Homophily and Polarization , 2014, WWW.

[72]  Lada A. Adamic,et al.  The Anatomy of Large Facebook Cascades , 2013, ICWSM.

[73]  Satoshi Nakamoto Bitcoin : A Peer-to-Peer Electronic Cash System , 2009 .

[74]  Gianluca Stringhini,et al.  COMPA: Detecting Compromised Accounts on Social Networks , 2013, NDSS.