VC3: Trustworthy Data Analytics in the Cloud using SGX
Felix Schuster*, Manuel Costa, Cédric Fournet, Christos Gkantsidis, Marcus Peinado, Gloria Mainar-Ruiz, Mark Russinovich
Microsoft Research
Outline
• Introduction
• Background
• Design Overview
• Job Deployment
• Job Execution and Verification
• Region Self-Integrity
• Implementation
• Evaluation
• Related Work
• Conclusion
Introduction
• Cloud providers put computers into data centers and make them available on demand
• Users can rent computing capacity to run large-scale distributed computations based on frameworks like MapReduce
• A major concern for users is whether they can trust the cloud provider with their code and data
Introduction (cont’d)
• Concerns:
  • A single malicious insider with admin access in the cloud can leak or manipulate sensitive user data
  • External attackers attempt to access data (e.g. by exploiting vulnerabilities in an OS)
  • External attackers may tamper with users' computations
• Cloud user expectations:
  • Confidentiality and integrity for both code and data
  • Verifiability of the execution of the code over the data
• Cryptographic techniques such as secure multiparty computation and fully homomorphic encryption (FHE) could in principle meet these demands
  • However, FHE is not efficient for most computations
Introduction (cont’d)
• Verifiable Confidential Cloud Computing (VC3)
  • A system that allows users to run MapReduce computations in the cloud while keeping their code and data secret and ensuring the correctness and completeness of their results
• Threat model
  • Powerful attackers that may control the whole software stack of the cloud provider's infrastructure, and its hardware other than the SGX-enabled processor packages
• Tools used
  • Trusted SGX processors
  • Runs on an unmodified Hadoop
Introduction (cont’d)
• Challenges:
  • Partition the system into trusted and untrusted parts to minimize its TCB
  • Guarantee integrity for the whole distributed computation, not just for each enclave in isolation
  • Protect the code running in the isolated memory regions from attacks due to unsafe memory accesses (enclave code reads attacker-controlled data from untrusted memory, so a memory-safety bug in it is reachable by the attacker)
Background
• MapReduce
  • A popular programming model for processing large data sets: users write map and reduce functions, and the execution of these functions is automatically parallelized and distributed
• Intel SGX
  • A set of x86-64 ISA extensions
  • Sets up protected execution environments (called enclaves) without requiring trust in anything but the processor and the code put in the enclaves
Adversary Model
• The attacker may control the entire software stack in the cloud provider's infrastructure, including the hypervisor and the OS
• The attacker is assumed to be unable to physically open and manipulate at least the SGX-enabled processor packages; these packages are the only hardware VC3 trusts
Design Overview
• Goal: maintain confidentiality and integrity of code and data
• VC3 is designed to achieve good performance and to keep large software components (hypervisor, OS, Hadoop) out of the TCB
• VC3 lets users implement MapReduce jobs by writing, testing and debugging map and reduce functions as usual
• When the map and reduce functions are ready for production, users compile and encrypt the code, obtaining the private enclave code E-
• In the cloud, enclaves containing E- and E+ (the public VC3 framework code) are initialized and l
Job Deployment
• After the user's code is deployed to the cloud, the cryptographic protocols below run and then the actual MapReduce job execution starts
• Cloud attestation
  • SGX remote attestation for enclaves is achieved through quotes issued by the Quoting Enclave (QE)
  • The threat model excludes physical attacks only on the SGX processors in the cloud; an attacker could still physically attack an SGX processor outside the cloud and present quotes from it, so VC3 adds a Cloud QE whose quotes attest that the enclave runs on the cloud provider's own hardware
  • The Cloud QE is created by the cloud provider when a new SGX-enabled system is provisioned
Job Deployment
• Key exchange
  • To execute a MapReduce job, the enclaves need the keys to decrypt the code E- and the input data
  • The key exchange protocol is designed so that it runs as a conventional MapReduce job, which is why it works with unmodified Hadoop
Job Execution & Verification
• Once the keys are in place, the job runs as an ordinary Hadoop job over encrypted data: mappers and reducers decrypt their inputs and encrypt their outputs inside the enclaves, so Hadoop only ever handles ciphertext
• Intermediate key-value pairs must still be grouped by key for the reducers, so this encryption has to fit within Hadoop's normal shuffle without modifying Hadoop
• The enclaves also emit verification records so that the user can check that every input split was processed and every intermediate pair reached its reducer (the completeness guarantee)
Region Self-Integrity
• The final aspect of the design is to enforce region self-integrity for the user code loaded into enclaves
• Enclave code must establish efficient communication channels with the untrusted world, reading inputs from and writing outputs to memory outside the enclave
  • This broadens the attack surface of enclaves: a memory-safety bug in E- can be triggered by attacker-controlled data and used to write outside the enclave or hijack control flow inside it
• Two solutions, enforced by the compiler:
  • Region-write-integrity: writes through pointers only target address-taken objects inside the enclave region, and indirect calls only target address-taken functions
  • Region-read-write-integrity: additionally, reads through pointers only come from the enclave region
Discussion
• Several attack scenarios:
• Information leakage
  • One basic principle of MapReduce is that key-value pairs with the same key need to be processed by the same reducer
  • Even though the pairs are encrypted, a network attacker can count the number of pairs delivered to each reducer and learn the distribution of keys (for example, how often the most common key occurs); modifications to pairs are detected, but these counts are not hidden
• Replay attacks
  • Attackers can try to fully or partially replay a past MapReduce job
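The following added model illustrates both the Job Execution and Verification slide and the information-leakage scenario above; it is not code from the VC3 paper. Mappers and reducers run as "enclave" functions that decrypt inputs and encrypt outputs with a job key, an untrusted in-memory "Hadoop" shuffles ciphertext grouped by a keyed hash of the key, and a user-side verifier checks completeness from sealed per-enclave summaries. The toy cipher (an HMAC-SHA256 keystream plus tag) stands in for the AES-GCM VC3 uses; the job key, input splits and function names are constructed for the example.

```python
"""VC3-style job execution and verification over encrypted data, as an added
model; not code from the VC3 paper. The toy cipher (HMAC-SHA256 keystream plus
tag) stands in for the AES-GCM VC3 uses; keys, inputs and names are constructed."""
import hashlib, hmac, json, os
from collections import defaultdict

K_JOB = hashlib.sha256(b"constructed job key").digest()  # VC3 delivers this via its key exchange

def _keystream(key, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key, pt):
    """Toy encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def opaque_key(k):
    """Deterministic keyed hash: unmodified Hadoop can group equal keys without learning them."""
    return hmac.new(K_JOB, b"key" + k.encode(), hashlib.sha256).digest()

def enclave_map(mid, splits, n_red, map_fn):
    """Mapper enclave: decrypt a split, run the user's map, encrypt outputs, seal a summary."""
    out, seen = defaultdict(list), []
    for split_id, sealed in splits:
        seen.append(split_id)
        for k, v in map_fn(unseal(K_JOB, sealed).decode()):
            ok = opaque_key(k)
            r = int.from_bytes(ok[:4], "big") % n_red          # partition on the opaque key
            out[r].append((ok, seal(K_JOB, f"{k}\t{v}".encode())))
    summary = {"mapper": mid, "splits": sorted(seen),
               "sent": {str(r): len(out[r]) for r in range(n_red)}}
    return out, seal(K_JOB, json.dumps(summary).encode())

def enclave_reduce(rid, inbox, reduce_fn):
    """Reducer enclave: decrypt pairs, check the grouping, run the user's reduce, seal output."""
    groups, got = defaultdict(list), defaultdict(int)
    for mid, ok, sealed in inbox:
        k, v = unseal(K_JOB, sealed).decode().split("\t", 1)
        if ok != opaque_key(k):
            raise ValueError("pair delivered under the wrong key")
        groups[k].append(v)
        got[str(mid)] += 1
    results = {k: reduce_fn(k, vs) for k, vs in groups.items()}
    summary = {"reducer": rid, "received": got}
    return seal(K_JOB, json.dumps(results).encode()), seal(K_JOB, json.dumps(summary).encode())

def user_verify(split_ids, n_red, map_sums, red_sums):
    """User side: every split processed exactly once, every sent pair received by its reducer."""
    ms = [json.loads(unseal(K_JOB, s)) for s in map_sums]
    rs = [json.loads(unseal(K_JOB, s)) for s in red_sums]
    if sorted(sid for m in ms for sid in m["splits"]) != sorted(split_ids):
        return False
    if sorted(r["reducer"] for r in rs) != list(range(n_red)):
        return False
    return all(r["received"].get(str(m["mapper"]), 0) == m["sent"][str(r["reducer"])]
               for r in rs for m in ms)

# Constructed input: the user seals each split before uploading it.
SPLITS = [(i, seal(K_JOB, t.encode())) for i, t in enumerate(
    ["the cloud is the place", "trust the processor", "the enclave"])]

def untrusted_hadoop(n_map=2, n_red=2, tamper=None):
    """Unmodified Hadoop's role (ciphertext only); `tamper` models a network attacker.
    Returns (results as the user decrypts them, verification verdict, the shuffled inbox)."""
    map_out, map_sums = [], []
    for mid in range(n_map):
        out, s = enclave_map(mid, SPLITS[mid::n_map], n_red, lambda t: [(w, 1) for w in t.split()])
        map_out.append(out)
        map_sums.append(s)
    inbox = [[] for _ in range(n_red)]
    for mid, out in enumerate(map_out):
        for r, pairs in out.items():
            inbox[r].extend((mid, ok, sv) for ok, sv in pairs)
    for box in inbox:
        box.sort(key=lambda t: t[1])                            # shuffle/sort on opaque keys
    if tamper:
        tamper(inbox)
    results, red_sums = {}, []
    for rid in range(n_red):
        sealed_res, s = enclave_reduce(rid, inbox[rid], lambda k, vs: sum(map(int, vs)))
        results.update(json.loads(unseal(K_JOB, sealed_res)))  # user-side decryption
        red_sums.append(s)
    return results, user_verify([i for i, _ in SPLITS], n_red, map_sums, red_sums), inbox

def drop_one_pair(inbox):
    """Attacker silently discards one intermediate pair in transit."""
    for box in inbox:
        if box:
            box.pop()
            return

def key_histogram(inbox):
    """What a network attacker learns without any key: pair counts per opaque key."""
    counts = defaultdict(int)
    for box in inbox:
        for _, ok, _ in box:
            counts[ok] += 1
    return sorted(counts.values(), reverse=True)
```

Running the word count without tampering verifies cleanly; dropping a single intermediate pair makes `user_verify` fail because a reducer's received count no longer matches what the mapper sealed into its summary. `key_histogram` shows the leakage the Discussion slide warns about: the attacker cannot decrypt anything, yet sees that one key occurs four times while every other key occurs once.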
Implementation
• VC3 was implemented in C++ for 64-bit Windows and the HDInsight distribution of Hadoop
• SGX emulation
  • VC3 was run on an SGX emulator from Intel to check correctness, since SGX hardware was not available
  • For performance experiments the researchers wrote their own, faster emulator; neither emulator provides any security guarantees
Evaluation
• The researchers chose a mix of real-world applications and benchmarks to evaluate the VC3 system
• The following table shows the applications used to evaluate VC3
Conclusion
• VC3 is an approach for the verifiable and confidential execution of MapReduce jobs in untrusted cloud environments
• VC3 was implemented successfully and provides strong security guarantees against the attacker model above
• VC3 achieves secure cloud computations on unmodified Hadoop