Neo Service Layer Architecture
Overview
The Neo Service Layer provides a secure, scalable infrastructure for extending Neo N3 blockchain capabilities. This document explains the high-level architecture, security model, and core components of the service.
System Architecture
The Neo Service Layer uses a multi-layered architecture to provide secure, scalable off-chain services for Neo N3 applications:

Key Components
- API Gateway Layer - Handles authentication, rate limiting, and request routing. This is the entry point for all external requests.
- Service Orchestration Layer - Manages service discovery, load balancing, and request processing across the platform services.
- TEE (Trusted Execution Environment) Services - Core services running in Azure Confidential Computing environments that provide secure execution isolated from the host system.
- Blockchain Integration Layer - Handles communication with the Neo N3 blockchain, including transaction creation, signing, and monitoring.
- Data Management Layer - Manages persistent data storage, caching, and retrieval for the service.
Trusted Execution Environment (TEE)
At the core of the Neo Service Layer security model is the use of Trusted Execution Environments (TEEs). We use Azure Confidential Computing to create secure, isolated environments for processing sensitive data and executing code.
How TEE Works
Memory Encryption
The TEE uses hardware-level encryption to protect data in memory, ensuring that even system administrators cannot access the data being processed.
Code Integrity
The TEE validates the integrity of code before execution, ensuring that only authorized code runs in the secure environment.
Remote Attestation
The TEE provides cryptographic proof that code is running in a genuine TEE with the expected configuration, allowing users to verify the environment.
Secure Key Management
Cryptographic keys are generated and stored within the TEE, never exposed to the host system or administrators.
TEE Implementation
The Neo Service Layer uses Azure Confidential Computing with Intel SGX (Software Guard Extensions) to create TEEs. This provides hardware-based memory encryption that isolates code and data in memory from the operating system, hypervisor, and other applications.
```javascript
// Simplified representation of TEE initialization for Function execution.
// `TEE` stands for the service's enclave API and is not defined here.
async function executeInEnclave(functionCode, functionSecrets, functionInput) {
  // Step 1: Create the TEE enclave
  const enclave = await TEE.createEnclave({
    type: 'SGX',
    codeIdentity: 'function-executor-v1.2.3',
    securityLevel: 'EAL5'
  });

  // Step 2: Load user code and secrets into the enclave
  await enclave.loadCode(functionCode);
  await enclave.loadSecrets(functionSecrets);

  // Step 3: Generate attestation report
  const attestation = await enclave.generateAttestation();

  // Step 4: Execute code in the secure enclave
  const result = await enclave.execute(functionInput);

  // Step 5: Return result and attestation proof
  return { result, attestation };
}
```
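The caller's side of remote attestation, as an added example that is not Neo Service Layer code: before trusting a returned result, the client checks the report's signature, the code identity, the debug flag, and that the report is bound to its own nonce and to the result. The report layout, the Ed25519 stand-in for the hardware attestation key, the nonce and result binding, and every sample value are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the attestation signing key. A real SGX quote is
// signed by hardware-rooted keys and checked against the vendor's cert chain.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Hypothetical report layout: measurement (code identity), debug flag, and
// reportData binding the caller's nonce to the returned result.
function makeReport(measurement, debug, nonce, result) {
  const body = JSON.stringify({
    measurement, debug, reportData: sha256(`${nonce}|${JSON.stringify(result)}`),
  });
  const signature = crypto.sign(null, Buffer.from(body), privateKey).toString('base64');
  return { body, signature };
}

// Verifier side: returns 'ok' or the name of the first check that failed.
function verifyAttestation(report, result, nonce, policy) {
  const sig = Buffer.from(report.signature, 'base64');
  if (!crypto.verify(null, Buffer.from(report.body), policy.attestationKey, sig)) {
    return 'bad-signature';
  }
  const claims = JSON.parse(report.body); // parse only after the signature checks out
  if (!policy.allowedMeasurements.includes(claims.measurement)) return 'unexpected-code';
  if (claims.debug) return 'debug-enclave';
  const expected = sha256(`${nonce}|${JSON.stringify(result)}`);
  if (claims.reportData !== expected) return 'result-or-nonce-mismatch';
  return 'ok';
}

// Constructed sample values; the allow-list reuses the codeIdentity shown above.
const ID = 'function-executor-v1.2.3';
const policy = { attestationKey: publicKey, allowedMeasurements: [ID] };
const nonce = crypto.randomBytes(16).toString('hex');
const result = { price: '12.34' };
const good = makeReport(ID, false, nonce, result);

function demo() {
  const check = (report, res = result, n = nonce) => verifyAttestation(report, res, n, policy);
  return {
    good: check(good),
    tamperedResult: check(good, { price: '99.99' }),
    wrongNonce: check(good, result, 'stale-nonce'),
    wrongCode: check(makeReport('function-executor-v0.9.0', false, nonce, result)),
    debug: check(makeReport(ID, true, nonce, result)),
    forged: check({ ...good, body: good.body.replace('false', 'true') }),
  };
}
console.log(demo());
```

The signature is verified before any claim is read, so a report edited in transit fails as `bad-signature` rather than reaching the policy checks.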
Technology Stack
Component | Technologies | Purpose |
---|---|---|
API Gateway | Kong, NGINX, Azure API Management | Request routing, authentication, rate limiting |
Service Core | Go, gRPC, Protocol Buffers | Core service implementation, inter-service communication |
TEE Runtime | Intel SGX, Azure Confidential Computing, Open Enclave SDK | Secure execution environment |
Function Runtime | Node.js (v16, v18) | JavaScript function execution |
Blockchain Integration | NeoGo SDK, Neo.js, Custom RPC clients | Neo N3 blockchain interaction |
Data Storage | PostgreSQL, Redis, Azure Cosmos DB | Persistent storage, caching |
Monitoring & Logging | Prometheus, Grafana, ELK Stack | System monitoring, log aggregation, alerting |
Infrastructure | Kubernetes, Docker, Azure Cloud | Container orchestration, infrastructure management |
Service Components
The Neo Service Layer is composed of several core services, each providing specific functionality:
Functions Service
The Functions Service allows developers to deploy and execute JavaScript code in a secure TEE.
Key Components:
- Function Executor - Runs JavaScript code in isolated environments
- Function Store - Manages deployed function code and metadata
- Invocation Manager - Handles function invocation requests and responses
- Context Provider - Supplies execution context to functions
Secrets Management
The Secrets Management service provides secure storage and access to sensitive credentials and data.
Key Components:
- Secret Store - Encrypted storage for sensitive data
- Access Control - Manages permissions for secret access
- Secret Provider - Delivers secrets to authorized functions
- Audit Logger - Records all secret access and modifications
Contract Automation
The Contract Automation service enables time-based and event-based triggers for smart contract interactions.
Key Components:
- Trigger Manager - Processes and evaluates trigger conditions
- Schedule Manager - Handles time-based scheduling
- Event Listener - Monitors blockchain and external events
- Action Executor - Performs the configured actions when triggered
Gas Bank
The Gas Bank service manages GAS deposits and consumption for service operations.
Key Components:
- Account Manager - Tracks user GAS balances
- Transaction Processor - Handles deposits and withdrawals
- Fee Calculator - Estimates and charges GAS fees for operations
- Billing Reporter - Generates usage reports
Price Feed
The Price Feed service provides reliable market price data for cryptocurrencies and tokens.
Key Components:
- Data Aggregator - Collects price data from multiple sources
- Price Validator - Validates and normalizes price data
- Update Scheduler - Manages the frequency of price updates
- On-chain Publisher - Publishes price data to smart contracts
Random Number Generation
The Random service provides secure, verifiable random numbers for applications.
Key Components:
- Entropy Collector - Gathers entropy from multiple sources
- Random Generator - Produces random values with cryptographic security
- Verification Provider - Creates proofs of randomness
- Distribution Manager - Delivers random values to applications
Oracle Service
The Oracle service connects smart contracts with external data sources.
Key Components:
- Data Fetcher - Retrieves data from external sources
- Data Transformer - Processes and formats data
- Consensus Engine - Validates data using configurable consensus methods
- Delivery Manager - Provides data to smart contracts
Security Model
The Neo Service Layer employs a comprehensive security model with multiple layers of protection:
1. TEE Protection
All sensitive operations occur within Trusted Execution Environments, providing hardware-level isolation from the host system.
2. Authentication & Authorization
Strong API key authentication and role-based access control restrict access to resources and operations.
3. Encryption
End-to-end encryption for all sensitive data, both in transit and at rest, using industry-standard algorithms and key management.
4. Secure Development
Rigorous secure development practices, including code reviews, static analysis, and penetration testing.
5. Operational Security
Comprehensive monitoring, logging, and alerting to detect and respond to security events.
6. Compliance & Auditing
Regular security audits and compliance with industry standards and best practices.
High Availability and Scalability
The Neo Service Layer is designed for high availability and scalability to ensure reliable service for blockchain applications:
Availability Features
- Multi-zone deployment across Azure regions
- Automatic failover and replication for critical services
- Load balancing and health monitoring
- Graceful degradation for non-critical services
Scalability Features
- Horizontal scaling for services based on demand
- Asynchronous request processing for improved throughput
- Efficient caching to reduce load on the blockchain
- Auto-scaling based on resource utilization metrics
Network Architecture
The Neo Service Layer interacts with multiple networks and systems:

Key Network Interfaces
Client Applications
Applications interact with the service layer through HTTPS REST APIs or WebSocket connections. All external communications are encrypted and authenticated.
Neo N3 Blockchain
The service layer connects to Neo N3 nodes using RPC and WebSocket connections to monitor events, submit transactions, and interact with smart contracts.
External Data Sources
For oracle and price feed services, the layer connects to external data providers using secure HTTPS connections, with data validation and transformation in TEEs.
Internal Services
Service components communicate using gRPC with mutual TLS authentication and encryption, ensuring secure and efficient internal communication.
Next Steps
Service Documentation
Explore the detailed documentation for each service in the Neo Service Layer.
View Services →
Security Deep Dive
Learn more about the security features and model of the Neo Service Layer.
View Security Documentation →
Getting Started
Start building with the Neo Service Layer using our quickstart guides.
View Getting Started Guide →