ABSTRACT
Trusted execution environments (TEEs) allow asserting the integrity of previously untrusted third parties using novel hardware features. Unlike previous approaches to trusted computing, they have become readily available on most consumer devices sold today. This opens up the possibility for many novel applications, where not only the server, but also clients are equipped with trusted hardware.
This work presents a mechanism to run trusted proxies on clients in order to offload large parts of the workload from a database server. We show that none of the integrity and confidentiality guarantees provided by the database are weakened as a result of this mechanism. Evaluation shows that we can improve throughput by at least an order of magnitude when the database server itself runs in a TEE. Further, we can improve performance by a factor of two, even in the case where the server is not limited by a TEE.