CreDB: A high integrity datastore

CreDB [kredəbəl] is a high integrity datastore that provides applications with a free standing “Blockchain of One”. In particular, CreDB is guaranteed to operate correctly even in the face of a powerful attacker that has take over the host operating system.




CreDB nodes issue witnesses, which are permanent and tamper-proof certificates of the state of the system. Further, they are independently verifiable, i.e. verification does not depend on the It can be used to establish facts about the datastore, such as the instantaneous contents of objects, the existence of certain data or past transactions, and ordering of transactions. This enables even untrusted applications, backed by CreDB, to provide proofs of their correct operation to third parties. Because witnesses are free-standing, they enable parties who are not direct clients of the database to verify crucial aspects of the database’s operation.

Policy Enforcement


CreDB enables every object to be coupled with an associated semantic security policy (SSP). These policies are inseparable from their associated data. Because SSPs are encoded symbolically as abstract syntax trees, they are amenable to analysis by third parties. Coupled with witnesses, these techniques enable a third party to inspect the policy associated with an object and thus establish trust in the future behavior of that object.



The CreDB datstore operates on top of an immutable log. This enables clients to replay the timeline of dependent events in order to reason about the order, and causality, of modifications to the data. The immutable log ensures that this timeline is final and can be reasoned about safely. The database can then answer questions such as ``who has updated X since it was first created?’’. This ability to explore object timelines enables applications to implement audits.

Protected Function Evaluation


CreDB provides a protected function evaluation (PFE) mechanism that enables clients to compute a function over remote private data, which in turn generates a witness carrying the result. For the party issuing the function call, the witness yields a verifiable, portable certificate that the function has been executed, with integrity, on the specified data, with the attached result. For security purposes, the holder of the data retains full control over what can be done with the data, and both parties, the invoker and the data holder, must agree on which functions can be executed.


Trusted Execution


CreDB relies on a trusted execution enviornment to ensure the correctness of it’s policy enformance mechanism and the immutability of its timeline. TEEs provide a reverse sandbox protecting the application from malicious operating systems and other applications co-located on the same machine. In particular, CreDB builds on top of the Intel Software Guard Extensions.



In order to enable more complex application logic, two CreDB nodes can be connected to each other and selectivley exchange data. To achieve this, nodes establish a secure and authenticated communication channel between their trusted execution environments. Multiple nodes can then create a network through which functions can be remotely invoked and data safely be exchanged.

Please see our tech report for more information.