CAPTCHAs are widely used for thwarting bots that seek to abuse web services. However, they are often ineffective against bots, frustrating for humans, and may even diminish user privacy. Meanwhile, client-side Trusted Execution Environments (TEEs), such as Intel SGX and ARM TrustZone, are becoming increasingly widespread, allowing remote parties to establish a degree of trust in client devices. This prompts the question: can TEEs help reduce (or remove entirely) the user burden of solving CAPTCHAs? In this talk, I’ll present CACTI, a system that allows legitimate clients to generate unforgeable rate-proofs demonstrating how frequently they have performed specific actions. Web servers may accept these rate-proofs in lieu of clients solving CAPTCHAs.

[Joint work with Yoshimichi Nakatsuka, Ercan Ozturk, and Gene Tsudik from the University of California, Irvine.]

Please email for a Zoom link

Andrew Paverd is a senior researcher at Microsoft Research Cambridge and the Microsoft Security Response Center (MSRC). His research interests include trusted execution environments and remote attestation, and more recently, security and privacy in ML systems.