## Intro
### Contribution
1. propose a TEE and blockchain assisted cross domain authorization system.
2. abac based dynamic iot cross-domain authorization (ABAC is dynamic because access decisions are evaluated at runtime based on current attribute values, not static role assignments.)
3. experiment to evaluate proposed system's performance

#### Scalability in Large-Scale IoT Systems

In IoT environments:
- devices are numerous
- identities are dynamic
- cross-domain access is common

IBS requires:
- tight coupling between identity and access rights
- frequent key updates when permissions change

ABAC decouples:
- identity management
- access policies

This allows policies to evolve without reissuing identities or keys, significantly improving scalability.

#### Cross-Domain Authorization Support

IBS-based systems assume a single trusted Private Key Generator (PKG) or tightly coordinated PKGs across domains.
Problems:
- PKG trust becomes a bottleneck
- cross-domain trust establishment is complex
- key escrow issues arise

ABAC enables:
- attribute verification across domains
- policy enforcement without shared identity infrastructure
- blockchain-backed attribute provenance

This aligns naturally with your cross-domain fog–blockchain architecture.

#### Reduced Key Management Complexity

IBS introduces:
- key escrow risk (PKG knows private keys)
- heavy cryptographic operations (pairings)
- complex revocation mechanisms

ABAC:
- uses standard public-key authentication for identity
- assigns attributes independently
- supports policy updates without rekeying

This is more suitable for resource-constrained IoT devices.

#### Security Policy Evolution

IoT systems evolve:
- devices change roles
- policies change frequently
- context changes dynamically

With IBS:
- permission changes require identity-level changes
- revocation is coarse-grained

With ABAC:
- attributes can be updated or revoked
- policies evolve independently
- authorization remains deterministic and auditable

#### Compatibility with TEE-Based Enforcement

ABAC policy evaluation:
- is deterministic
- operates on structured inputs
- fits well inside TEE execution

IBS:
- only verifies cryptographic signatures
- cannot express or enforce policies inside the enclave

Thus, ABAC integrates naturally with your TEE-based authorization design.

## Background
### Attribute Based Access Control Mechanism
The ABAC mechanism is ... and many researches have prove it is an optimal choice in IoT system, since ... [][]

### Attributes defination
1. Subject (IoT device or user) attributes
- role: employee, visitor, security staff, admin
- department: HR, Engineering, Maintenance
- securityLevel: 1–5 (trust evalution, use it as subsidise, not core basis )
- deviceType: sensor, actuator, gateway
- location: floor number or zone

2. Object (resource/device) attributes
- resourceType: temperatureSensor, doorLock, camera, HVAC
- sensitivityLevel: low, medium, high
- location: same zone/floor

3. Environmental attributes
- time: working hours or not
- alertState: normal, emergency, lockdown
- motionDetected: yes/no

### Policy defination


---
During the registration phase, an IoT device initiates the onboarding process by submitting a registration request containing basic device information, such as its identifier and manufacturer-related metadata, to a nearby fog node. To protect sensitive registration data from exposure, the fog node forwards the received information to its Trusted Execution Environment (TEE) enclave using a secure channel encrypted with the enclave’s public key.

Inside the TEE, the fog node verifies the device’s legitimacy by validating manufacturer certificates, firmware signatures, and administrative records with the assistance of attribute authorities. Based on the verified evidence, the enclave assigns a set of attributes to the IoT device, including static attributes (e.g., device type and manufacturer), administrative attributes (e.g., ownership domain and deployment zone), and dynamic attributes (e.g., security level). To ensure integrity and auditability, cryptographic hashes of the assigned attributes, together with issuer information and timestamps, are recorded on the blockchain through the attribute provider contract.

The complete attribute set is then encrypted using an enclave-protected symmetric key and stored locally on the fog node outside the enclave, preventing leakage even if the fog operating system is compromised. To enhance system reliability and fault tolerance, the fog node periodically backs up the encrypted attributes to a trusted cloud-based data storage service. Finally, upon successful completion of the registration process, the fog node notifies the IoT device of its registration status and enables it to request access to system resources in subsequent phases.


Registration phase:

We use elliptic curve encryption to ensure security communication. 

Step 1 — Registration Request by IoT Device  
  IoT sends basic identity info:  
 - deviceID
 - manufacturerID
 - model
 - firmwareVersion
 - MAC / serial  
These are claims, not trusted yet.

Step 2 — Secure Channel Establishment  
IoT encrypts registration data using fog TEE public key:
 - C = Enc(PK_fogTEE, registration_data)  
Only TEE can decrypt → protects against compromised fog OS.

Step 3 — Evidence Verification Inside Fog TEE  
Fog TEE verifies: 
 - Manufacturer signature on firmware
 - Certificate chain validity
 - Device uniqueness
 - Network consistency  
If verification fails → registration rejected.

Step 4 — Attribute Authority Decision Logic  
The AA (logically executed in fog TEE or coordinated AAs) assigns attributes based on verified evidence:  
Example decision table:
| Evidence                    | Assigned Attribute        |
| --------------------------- | ------------------------- |
| Verified firmware signature | `deviceType = sensor`     |
| Admin deployment record     | `ownerDomain = FactoryA`  |
| Fog cluster location        | `location = FogCluster03` |
| IDS benign behavior         | `securityLevel = 0.75`    |
  
Attributes are never inferred from device claims alone.

Step 5 - Attribute Blinding  
AA bind the set of attributes with deviceID then sign it to proove certification.  

Step 6 Storage  
Attributes and access policies are encrypted using a symmetric key protected by the fog node’s TEE and stored outside the enclave on the fog node.(Attributes & policies encrypted using AES-GCM(K_store), symmetric key enryption is faster than public key encryption) To prevent data loss due to fog node failures, the fog node backs up authorization state to a trusted cloud-based DDS after first registeration or state update.

During backup, the TEE decrypts the local data, attaches metadata including owner identity, version number, and timestamp, and transmits the data to the cloud together with a TEE-generated signature. Upon receipt, the cloud verifies the signature and freshness before storing the backup data. This design enables efficient recovery while preserving integrity and authenticity of authorization information.

To ensure availability and fault tolerance, the fog node periodically backs up encrypted attributes and access policies to a trusted cloud-based DDS. The backup process is executed within the fog node’s TEE, which decrypts locally stored data using a sealed symmetric key, attaches metadata including owner identity, version number, and timestamp, and encrypts the backup payload for the cloud. The TEE further signs the encrypted payload to guarantee authenticity and integrity. Upon receiving the backup, the cloud verifies the signature and freshness before storing the data, enabling secure and efficient recovery in the event of fog node failure.

---
Upon receiving an access request, the fog node first authenticates the requesting IoT device by verifying its digital signature and checks request freshness using timestamps or nonces to prevent replay attacks. The fog node then verifies the existence and validity of the requested resource and its associated access policy before proceeding. Once these preliminary checks are completed, the fog node forwards the encrypted subject attributes and resource access policy to the Trusted Execution Environment (TEE) for authorization.

Within the enclave, the TEE securely decrypts the protected attributes and policies using enclave-bound keys and evaluates the access request according to predefined Attribute-Based Access Control (ABAC) rules. Because all sensitive authorization logic and data processing are confined within the enclave, neither a compromised fog operating system nor malicious insiders can manipulate attributes, alter policies, or influence authorization outcomes. The resulting access decision is then returned to the fog node for enforcement, enabling secure, fine-grained, and tamper-resistant authorization at the network edge

## Architecture  
### Components
1. Fog node: They are (Fog Nodes Are Blockchain Validators / Peers, which Propose transactions (registration, revocation); Validate transactions from other fog nodes; Reach consensus on block ordering; Store replicated ledger copies) partially trusted, means they may be OS-level compromised or exist malicious insiders, but the Trusted Execution Environment on each fog node is assumed to be secure and provides hardware-enforced isolation. Fog nodes in each domain jointly maintain a blockchain and manage Iot devices in the domain. It deploys TEE and runs smart contracts in the enclave. It can be treated as a Attribute Authority in the ABAC system. It also store registered iots' info(attributes/access policies) securitly and back up those info to cloud.
2. Iot node: They play the role of resource providers or consumer or both in the domain and untrusted. The computing and storage capacity is relatively weaker than the Fogs. It may ask access of other devices or resources inide or outside its own domain.
3. Cloud/DDS: The cloud-based Dedicated Data Storage (DDS) acts as a trusted, robust backend storage service. Unlike traditional centralized authorization servers, the cloud/DDS does not participate in real-time authentication or authorization decisions. Instead, it provides durability, recoverability, and global availability for authorization-related data. In addition to serving as a trusted storage backend, the cloud can also act as a resource provider(application services, analytics, historical data, resources that IoT devices may want to access). Access to cloud-hosted resources is also authorized by fog nodes, while the cloud enforces access by verifying short-lived authorization tokens without participating in policy evaluation.
4. blockchain: Serve as a global distributed ledger, the blockchain in this system carries the information of different domains which will be used for cross-domain authentication. The registered iots' identity information will be stored on the blockchain for later authentication. IoT's revoking information will also be placed on the.

### Security model


## Experiment

?overhead = Authorization latency; 
throughput= transcation send rate;



### A.Setup


##### _example (BTAA)_

In order to be able to document the actual time overhead, we conduct simulation experiments. For the simulation experiments in BTAA, we simulate the cryptographic operations in the authentication protocol and the user’s interaction with the blockchain, respectively.

For the cryptographic part of our protocol, we simulate it with the setting as follows. We simulate the AN and the ON in a laptop with an Intel Core i7-9750H CPU @ 2.60 GHz and 16.0 GB of RAM which is installed windows 10 Professional 64-bit operating system. We use Intel SGX as the TEE in our experiments. Our version of Intel SGX SDK and Intel SGX PSW for is v2.10.100.2. We use C and the PBC library to complete the encryption and signature algorithm in our protocol, which allows the computation of bilinear pairs. The version of pbc library we use in our experiments is pbc-0.5.14. Since pbc is not a trusted library for intel SGX, which means it is not possible to call functions belong to the pbc library directly in the enclave, so we use the ECALL/OCALL interface to call external functions for our experiments. We chose the curve in type F parameter provided by the pbc library for our experiments which can provide the asymmetric bilinear pairs.

For the part that interacts with the blockchain, we introduce the private blockchain into BTAA as a trusted distributed ledger for sharing domain-specific data. Our experimental environment is in a VMware workstation virtual machine with Ubuntu 20.04.2.0 LTS. We use geth to build an ethereum private chain as the public ledger for the experiment. The average transaction fee/cost is 23464 gas. The throughput of blockchain is 70 tps and the latency is 2.2 s. The blockNumber is 1577. The average block size is 801 byte and the average block time is 3.87 s. The reward per block is 0.293 ether and the hash rate is 33871.