Functions Service
Overview
Key Features
Secure Execution
Run code within Azure Confidential Computing TEE for maximum security and data protection.
Resource Management
Memory limits, timeout enforcement, and VM-per-execution isolation for reliable operation.
Blockchain Access
Built-in Neo API for reading balances, fetching transactions, and interacting with contracts.
Secure Secrets
Access securely stored API keys and credentials within your function via the secrets API.
External API Access
Call external APIs securely using the standard fetch API while maintaining data privacy.
Security Sandbox
Frozen prototypes and strict mode enforcement to prevent prototype pollution and other attacks.
Trusted Execution Environment (TEE)
The Service Layer utilizes Azure Confidential Computing to provide hardware-based TEE capabilities that ensure:
- Code and data are protected while in use
- Code execution is verifiable via attestation
- Secrets can be securely managed within the TEE
We leverage Azure's DCsv3-series virtual machines featuring Intel SGX (Software Guard Extensions) technology.
TEE Architecture
1┌─────────────────────────────────────────────────────────────┐
2│ Host OS │
3│ │
4│ ┌─────────────────────────────────────────────────────┐ │
5│ │ TEE Container │ │
6│ │ │ │
7│ │ ┌────────────────┐ ┌───────────────────────────┐ │ │
8│ │ │ │ │ │ │ │
9│ │ │ JS Runtime │ │ Secure Secret Storage │ │ │
10│ │ │ │ │ │ │ │
11│ │ └────────────────┘ └───────────────────────────┘ │ │
12│ │ │ │
13│ │ ┌────────────────┐ ┌───────────────────────────┐ │ │
14│ │ │ │ │ │ │ │
15│ │ │ Attestation │ │ Secure Network Interface │ │ │
16│ │ │ Service │ │ │ │ │
17│ │ └────────────────┘ └───────────────────────────┘ │ │
18│ │ │ │
19│ └─────────────────────────────────────────────────────┘ │
20│ │
21└─────────────────────────────────────────────────────────────┘TEE Components
1. TEE Container
A Docker container running in the SGX-enabled VM that provides the TEE environment. The container is configured to leverage Intel SGX enclaves.
2. JavaScript Runtime
A secure JavaScript execution environment running within the TEE:
- V8 JavaScript engine with SGX support
- Sandboxed execution environment
- Limited standard library access
- Resource usage monitoring and limitations
3. Secure Secret Storage
A system for securely managing user secrets within the TEE:
- Secrets are encrypted at rest using keys only available in the TEE
- Secrets are only decrypted within the TEE memory during function execution
- Access control ensures only authorized functions can access specific secrets
4. Attestation Service
A service that provides cryptographic proof that:
- The TEE is genuine and running on trusted hardware
- The correct code is running within the TEE
- The TEE has not been tampered with
5. Secure Network Interface
A component that handles secure communication between:
- The TEE and external services
- The TEE and the Neo N3 blockchain
- The TEE and the rest of the service layer
Creating and Managing Functions
You can create, update, and delete functions through the API or web dashboard. Each function has:
- A unique name for identification
- JavaScript source code
- Optional configuration (memory limit, timeout, permissions)
- Execution history and logs
Function Structure
Your function must contain a main function that takes an args parameter and returns a value:
1function main(args) {
2 // Your code here
3
4 // You can access Neo N3 blockchain data
5 const balance = neo.getBalance(args.address, 'NEO');
6
7 // You can access your stored secrets
8 const apiKey = secrets.get('my_api_key');
9
10 // You can make external API calls
11 const response = await fetch('https://api.example.com/data');
12 const data = await response.json();
13
14 // Return a value (will be serialized as JSON)
15 return {
16 result: data,
17 balance: balance,
18 timestamp: new Date().toISOString()
19 };
20}Execution Model
Upload Function & Submit Request
You upload a JavaScript function to the service and submit it for execution with arguments. The source code and parameters are securely transferred to the TEE.
serviceLayer.functions.invoke("myFunction", {"param1": "value1"})Environment Setup
The service loads your function code into a secure V8 isolate inside the TEE. A sandboxed execution environment is set up with global objects like neo and secrets.
Secrets and Permissions
If your function uses secrets, they are securely accessed and decrypted within the TEE memory. The environment verifies your function has the appropriate permissions to access these secrets.
// Access a secret within the TEE
const apiKey = secrets.get('my_api_key');Function Execution
Your function executes in the isolated environment with access to the Neo blockchain API, secrets, and external resources via fetch. Memory and CPU usage are monitored and limited.
Result Processing
The function result is serialized as JSON and returned to the caller. Any temporary data in memory is securely wiped, and execution resources are released.
Security Considerations
Functions are executed in a secure sandbox with several security measures:
- Memory Limiting: Each function has a memory limit (default: 128MB) to prevent resource exhaustion attacks.
- Timeout Enforcement: Functions have a maximum execution time (default: 30 seconds) to prevent infinite loops.
- VM Isolation: Each function execution gets its own VM isolate to prevent cross-function interference.
- Frozen Prototypes: JavaScript prototypes are frozen to prevent prototype pollution attacks.
- Network Access Control: Network access is restricted to allowed domains and rate limited.
Additional Security Measures
- Memory Protection
- All sensitive data within the TEE is protected from external access
- Memory is securely wiped after use
- Side-Channel Protections
- Implementation includes mitigations for known side-channel attacks
- Regular security updates for the TEE components
- Network Security
- All communication with the TEE uses TLS 1.3
- Certificate pinning for additional security
- Code Integrity
- Function code is validated before execution
- JavaScript runtime is patched against known vulnerabilities
- Resource Limitations
- Functions have strict memory and CPU limits
- Timeouts prevent infinite loops or resource exhaustion
Important Security Note
JavaScript Runtime Environment
The Functions Service provides a modern JavaScript runtime with:
- ECMAScript 2020 support
- Async/await and Promises
- Standard built-in objects (Array, Object, Date, Math, etc.)
- JSON parse and stringify
- Console logging (redirected to function logs)
- Fetch API for HTTP requests
- TextEncoder/TextDecoder for working with binary data
JavaScript Runtime Security
The JavaScript runtime within the TEE is secured by:
- Removing unsafe APIs (e.g.,
eval,Functionconstructor) - Limiting file system access
- Restricting network access to whitelisted endpoints
- Applying resource quotas (memory, CPU)
- Timing out long-running operations
- Sanitizing inputs and outputs
Service-Specific Objects
The following objects are available in the global scope:
neo: Object for interacting with the Neo N3 blockchain (read balances, fetch transactions, etc.)secrets: Object for accessing your stored secrets (API keys, private credentials, etc.)storage: Object for persisting small amounts of data between function executions
Neo N3 Blockchain API
The neo object provides methods to interact with the Neo N3 blockchain:
1// Get balance for an address
2const neoBalance = neo.getBalance(address, 'NEO');
3
4// Get recent transactions for an address
5const transactions = neo.getTransactions(address, { limit: 5 });
6
7// Get current block height
8const blockHeight = neo.getBlockHeight();
9
10// Get current price
11const price = neo.getPrice('NEO/USD');
12
13// Call a contract method (read-only)
14const result = neo.call({
15 scriptHash: "0xd2a4cff31913016155e38e474a2c06d08be276cf",
16 operation: "getTotalStaked",
17 args: []
18});
19
20// Invoke a contract method (mutates state)
21const tx = await neo.invokeContract({
22 scriptHash: "0xd2a4cff31913016155e38e474a2c06d08be276cf",
23 operation: "stake",
24 args: [
25 { type: "Integer", value: "1000" }
26 ],
27 signers: [{ account: address, scopes: "CalledByEntry" }],
28 useGasBank: true
29});Secret Usage in Functions
The secrets object provides access to securely stored sensitive data:
1// Example function using secrets
2function fetchPriceData(token) {
3 // Access to secrets is provided via a secure API
4 const apiKey = secrets.get('exchange_api_key');
5
6 // Use the secret to make an authenticated request
7 const response = fetch(`https://api.exchange.com/prices/${token}`, {
8 headers: {
9 'Authorization': `Bearer ${apiKey}`
10 }
11 });
12
13 return response.json();
14}The secrets.get() API only retrieves secrets that have been explicitly allowed for the function, and the secret value is only accessible within the TEE.
Using Functions with Other Services
Functions can be combined with other Service Layer features:
- Automation Service: Schedule functions to run on a time-based schedule or in response to blockchain events
- Secrets Service: Store sensitive data securely and access it from your functions
- Oracle Service: Create custom oracles that fetch, process, and publish data to the blockchain
Integration with Automation Service
You can set up automation triggers to execute your functions:
Cron Triggers
1{
2 "trigger_type": "cron",
3 "trigger_config": {
4 "schedule": "0 0 * * *", // Daily at midnight
5 "timezone": "UTC"
6 },
7 "function_name": "dailyUpdate"
8}Price Triggers
1{
2 "trigger_type": "price",
3 "trigger_config": {
4 "asset_pair": "NEO/USD",
5 "condition": "above",
6 "threshold": 50.0,
7 "duration": 300 // Must be above threshold for 5 minutes
8 },
9 "function_name": "handlePriceAlert"
10}Blockchain Triggers
1{
2 "trigger_type": "blockchain",
3 "trigger_config": {
4 "contract_hash": "0x1234567890abcdef1234567890abcdef12345678",
5 "event_name": "Transfer"
6 },
7 "function_name": "processTransfer"
8}Monitoring and Metrics
The Functions Service provides monitoring for:
- Function execution counts and success rates
- Execution duration and resource usage
- Error rates and types
- TEE health and performance
These metrics help you optimize your functions and detect potential issues.
Examples
Basic Function Example
Try this simple function that returns a greeting message and timestamp. Edit the code or input and run it to see the results.
1function main(args) {
2 return {
3 message: "Hello, " + (args.name || "World") + "!",
4 timestamp: new Date().toISOString()
5 };
6}Fetch External Data
1async function main(args) {
2 try {
3 // Get API key from secrets
4 const apiKey = secrets.get('coingecko_api_key');
5
6 // Fetch crypto price data
7 const response = await fetch(
8 'https://api.coingecko.com/api/v3/simple/price?ids=neo&vs_currencies=usd',
9 { headers: { 'X-CoinGecko-Api-Key': apiKey } }
10 );
11
12 if (!response.ok) {
13 throw new Error('API request failed: ' + response.status);
14 }
15
16 const data = await response.json();
17
18 return {
19 neo_price_usd: data.neo.usd,
20 timestamp: new Date().toISOString(),
21 source: "CoinGecko API"
22 };
23 } catch (error) {
24 return { error: error.message };
25 }
26}Blockchain Interaction Example
This function retrieves blockchain data for an address. Try providing different addresses or leave it blank to see the default behavior.
1function main(args) {
2 const address = args.address;
3
4 if (!address) {
5 return { error: "Address is required" };
6 }
7
8 // Get NEO and GAS balances
9 const neoBalance = neo.getBalance(address, 'NEO');
10 const gasBalance = neo.getBalance(address, 'GAS');
11
12 // Get recent transactions
13 const transactions = neo.getTransactions(address, { limit: 5 });
14
15 return {
16 address: address,
17 balances: {
18 NEO: neoBalance,
19 GAS: gasBalance
20 },
21 recentTransactions: transactions,
22 blockHeight: neo.getBlockHeight(),
23 timestamp: new Date().toISOString()
24 };
25}API Reference
For a complete API reference, see the Functions API documentation.