Trusted execution environment (TEE) technology has found many applications in mitigating various security risks in an efficient manner, which makes it attractive for critical infrastructure protection. First, the nature of critical infrastructure requires it to be well protected from various cyber attacks. Second, performance is usually important for critical infrastructure, which cannot afford an expensive protection mechanism. While a large number of TEE-based critical infrastructure protection systems have been proposed to address various security challenges (e.g., secure sensing and reliable control), most existing works ignore one important feature: the devices comprising the critical infrastructure may be equipped with multiple incompatible TEE technologies and belong to different owners. This feature makes it hard for these devices to establish mutual trust and form a unified TEE environment. To address these challenges and fully unleash the potential of TEE technology for critical infrastructure protection, we propose DHTee, a decentralized coordination mechanism. DHTee uses blockchain technology to support key TEE functions in a heterogeneous TEE environment, especially the attestation service. A device equipped with one TEE can interact securely with the blockchain to verify whether another potential collaborating device claiming to have a different TEE meets the security requirements. DHTee is also flexible and can support new TEE schemes without affecting devices that use TEEs the system already supports.
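The following is an added illustrative sketch of the idea described above, not DHTee's own design or code: a toy append-only hash chain stands in for the blockchain, each TEE scheme's owner registers the measurements it approves, and a device holding one TEE decides whether to trust a peer claiming a different TEE by checking the chain and the registered policy. The ledger layout, claim format, scheme names and measurement values are all assumptions constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64


@dataclass
class Block:
    index: int
    prev_hash: str
    record: dict   # {"tee": scheme, "owner": id, "measurements": [...]}
    hash: str


def _digest(index, prev_hash, record):
    payload = json.dumps([index, prev_hash, record], sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class AttestationLedger:
    """Toy hash-chained registry of per-TEE-scheme attestation policies (assumed stand-in for a blockchain)."""

    def __init__(self):
        self.chain = []

    def register(self, tee_scheme, owner, approved_measurements):
        # Appending a new scheme never touches earlier records, so existing devices are unaffected.
        prev = self.chain[-1].hash if self.chain else GENESIS
        rec = {"tee": tee_scheme, "owner": owner, "measurements": sorted(approved_measurements)}
        self.chain.append(Block(len(self.chain), prev, rec, _digest(len(self.chain), prev, rec)))

    def verify_chain(self):
        # Recompute every link; any edited record or reordered block breaks the chain.
        prev = GENESIS
        for i, b in enumerate(self.chain):
            if b.index != i or b.prev_hash != prev or b.hash != _digest(i, prev, b.record):
                return False
            prev = b.hash
        return True

    def latest_policy(self, tee_scheme):
        recs = [b.record for b in self.chain if b.record["tee"] == tee_scheme]
        return recs[-1] if recs else None   # newest registration wins (owner may rotate measurements)


def verify_peer(ledger, claim):
    """Device with TEE A checks a peer's claim {"tee": scheme, "measurement": hex} against the ledger."""
    if not ledger.verify_chain():
        return False, "ledger integrity check failed"
    policy = ledger.latest_policy(claim["tee"])
    if policy is None:
        return False, "unknown TEE scheme: " + claim["tee"]
    if claim["measurement"] not in policy["measurements"]:
        return False, "measurement not approved by scheme owner " + policy["owner"]
    return True, "accepted peer with " + claim["tee"] + " (policy owner " + policy["owner"] + ")"
```

A verifier never needs to understand the peer's TEE natively; it only needs an intact ledger and the policy the scheme owner published there.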