
2017 | OriginalPaper | Chapter

Protecting In-memory Data Cache with Secure Enclaves in Untrusted Cloud

Authors: Yuxia Cheng, Qing Wu, Bei Wang, Wenzhi Chen

Published in: Cyberspace Safety and Security

Publisher: Springer International Publishing


Abstract

Protecting data security and privacy is one of the top concerns in the public cloud. Because the cloud infrastructure is complex, it is difficult for cloud users to gain trust. In particular, guaranteeing the confidentiality and integrity of users' private in-memory data in an untrusted cloud is a major challenge. In-memory data is typically used for online processing that requires high performance and plaintext access in the CPU; therefore, simple data encryption is infeasible for protecting in-memory data. In this paper, we propose a secure in-memory data cache scheme based on the memcached key-value store system and leverage the new trusted Intel SGX processors to protect sensitive operations. Firstly, we build a secure enclave and design a trusted channel protocol using the remote attestation mechanism. Secondly, we propose a cache server partitioning method that decouples the sensitive key-value operations with enclave protection. Thirdly, we implement a secure client library to maintain the original cache semantics for application compatibility. The experimental results show that the proposed solution achieves performance comparable to traditional key-value store systems while improving the level of data security in an untrusted cloud.


Metadata

Title: Protecting In-memory Data Cache with Secure Enclaves in Untrusted Cloud
Authors: Yuxia Cheng, Qing Wu, Bei Wang, Wenzhi Chen
Copyright Year: 2017
DOI: https://doi.org/10.1007/978-3-319-69471-9_4
