Data Protection in Permissioned Blockchains using Privilege Separation

Arun Joseph, Nikita Yadav, Vinod Ganapathy, Dushyant Behl, Praveen Jayachandran

COMSNETS (2023)

Abstract
This paper concerns the Hyperledger Fabric permissioned blockchain system. This system is in popular use in several enterprise settings, where each participating corporate entity may have sensitive business-related data whose confidentiality it wishes to protect. Fabric provides the channel abstraction that ensures that channel data (e.g., data stored in that channel's ledger, or data transmitted via the network to members of that channel) are only accessible to members of that channel. Unfortunately, as we show in this paper, the channel abstraction only offers data protection under the implicit assumption that all system components in the permissioned blockchain are trustworthy. This assumption may not hold in the presence of compromised container nodes, on which several blockchain-related components execute, or malicious business users inside any one of the participating corporate entities. Under such situations, sensitive corporate data can be leaked to unauthorized entities. We present Aramid, which is an enhanced version of Fabric that offers data protection even in the presence of compromised blockchain components. Aramid uses a privilege-separated architecture in which blockchain components (such as peer or orderer nodes) that are members of multiple channels execute on different containers. Aramid is transparent to legacy Fabric applications, requiring no changes to their codebase. Through our prototype implementation, we show that Aramid robustly defends against a number of attacks possible on Fabric, and that it does so with performance comparable to Fabric.
Keywords
permissioned blockchain,privilege separation,security,data leakage