Mujtaba Idrees, Advanced Software Engineer at Telekom MMS

The increased use of cloud services enables companies and individuals to manage their data flexibly. Data is stored on central servers of cloud services to be available to users on demand at any time. The disadvantage of this is that centralized storage of data and running cloud-based apps require explicit trust in the cloud provider. This centralized model is also vulnerable to security attacks such as malicious root admin attacks. Blockchain technology, on the other hand, provides implicit trust through decentralized execution of applications and decentralized data storage.

Nevertheless, this design still carries challenges – especially in the areas of data protection and scalability. Thus, on the surface, ensuring the integrity of the application and the data is traded for trust in execution. To further expand the application areas for blockchain and its integration into real-world systems, the blockchain technology of the future must be both secure from attacks and ensure the appropriate level of data protection.

My master’s thesis presents one approach to solving these problems, i.e. “privacy in public blockchains”, using Hyperledger Avalon. The open source framework enables the independent implementation of trusted compute specifications. This allows lightweight blockchains to run their heavy workloads securely in trusted off-chain environments.

While the roadmap and architecture of this open source project have already been published, they are only in pre-release. However, the basic infrastructure is developed, and some demos are already available on GitHub.

In the stable version, Hyperledger Avalon supports the Intel SDK and Graphene as Trusted Worker. However, the Trusted Compute framework can be extended to include other types.

Intel SDK is provided by Intel SGX. Intel SGX allows programming the workload to run in an Intel SGX-based trusted execution environment. Because Intel SGX introduces its own hardware instructions, legacy applications cannot be executed within Intel SGX-based secure enclaves without code customization. However, there are alternatives that support the execution of legacy applications in Intel SGX hardware, including Graphene and SCONE.

I have investigated the use of SCONE in Hyperledger Avalon in my master’s thesis. Legacy applications can be run in SCONE-based secure containers within the ecosystem of trusted compute workers provided by Hyperledger Avalon.

The main architecture of Hyperledger Avalon thereby remains unchanged. SCONE worker managers and SCONE workorder processors are added to the Avalon node. The overall system is backward compatible and can therefore support workers other than SCONE in the production environment. Hyperledger Avalon infrastructures can simply be extended by retrieving images of SCONE workers from Docker Hub.

But what does a practical use case look like in the blockchain environment, where data protection or privacy is essential in addition to security and trust? “Corporate rebates” represent a simple example. It is common for companies to offer discounts to their customers based on negotiation, as opposed to fixed prices. In this case, it is advantageous to keep the discount granted to a particular customer secret from other customers.

In the classic blockchain, such privacy-preserving financial transactions are not possible. However, Hyperledger Avalon’s “blockchain add-on” enables this privacy. Similarly, other privacy use cases (such as smart camera inference) can be programmed and integrated into blockchains using my work.

By using SCONE in Hyperledger Avalon, I have created an infrastructure where workers can run legacy applications without having to make code changes or add instrumentation. At the same time, this infrastructure supports multiple clients, making blockchain technology scalable and privacy-friendly. Additionally, it should be noted that Hyperledger Avalon is a “work in progress” and the architecture is evolving in many directions.

For example, as of now, a secure key manager must also be used in the infrastructure design to generate secure keypairs for SCONE workers and then transfer them to CAS. If, in the future, the keypairs required by Avalon are also generated directly by CAS, the intermediate step involving the key manager could be dispensed with in some use cases, increasing the performance significantly.

For extensive insight, the whitepaper on my work is available.

Additionally, my work was presented to the Hyperledger Community.

Record of the presentation

Blockchain guarantees trust and security through transparency and publicity. Until now, this transparency has been at the expense of privacy and data protection. Hyperledger Avalon represents a way to enable data protection in public blockchains as well. By integrating SCONE into Hyperledger Avalon, this capability becomes even more viable and scalable. In recognition of my work, the Hyperledger community appointed me to represent T-Systems as an official contributor and maintainer of the Hyperledger Avalon project.



Mujtaba Idrees, Advanced Software Engineer at Telekom MMS

Since his graduation as a Software Engineer in 2015, Mujtaba has worked in IT industries of Asia and Europe for six years in various capacities. He has extensive experience in software development, managing teams, and leading projects from inception until customer delivery. Mujtaba has recently completed his master’s studies at TU Dresden and has been part of Telekom MMS for the past 3 years. Besides development and project management, he has also collaborated on a few research and open-source projects.