DIST-FL: Enhancing Security for TEE-based Aggregation in Federated Learning

📅 2026-06-03

🤖 AI Summary
This work addresses critical security vulnerabilities in existing Trusted Execution Environment (TEE)-based federated learning systems, which remain susceptible to server-side state rollback and I/O manipulation attacks that compromise privacy and robustness. To mitigate these threats, the authors propose a novel multi-TEE collaborative architecture that leverages an append-only ledger and an operation linearizability mechanism to effectively prevent state rollback within TEEs for the first time. Additionally, the design incorporates trusted input handling to counteract I/O manipulation. The resulting system enables secure and efficient distributed aggregation over wide-area networks, achieving a sixfold increase in throughput compared to prior approaches while preserving the performance of single-TEE deployments, thereby significantly expanding the security guarantees of TEE-based federated learning.
📝 Abstract
Trusted Execution Environments (TEEs)-aided federated learning protocols emerge as promising solutions to counter server-side adversaries and ensure the trustworthiness of the server. In this paper, we dissect existing protocols and demonstrate that server-side adversaries can still manipulate client selection and replay aggregation to compromise system robustness and privacy, by exploiting TEE limitations, i.e., state rollback and I/O manipulation. To this end, we present DIST-FL, a distributed system of servers guarded by multiple TEEs forming an append-only ledger for privacy-preserved, robust FL aggregation. Specifically, DIST-FL ensures operation linearizability to thwart state rollback attacks and incorporates inputs from reliable servers to mitigate I/O manipulation threats. We implement DIST-FL and conduct evaluations in WAN settings. Experimental results demonstrate that DIST-FL can effectively counter the proposed attacks and match the single-TEE's performance while offering a 6x throughput boost over its counterparts, leveraging TEE's computational advantages.
Problem

Research questions and friction points this paper is trying to address.

Trusted Execution Environments
Federated Learning
Server-side Adversaries
State Rollback
I/O Manipulation
Innovation

Methods, ideas, or system contributions that make the work stand out.

Trusted Execution Environment
Federated Learning
Append-only Ledger
Operation Linearizability
Distributed Aggregation