ObliDB: Oblivious Query Processing using Hardware Enclaves

Hardware enclaves such as Intel SGX are a promising technology for improving the security of databases outsourced to the cloud. These enclaves provide an execution environment isolated from the hypervisor/OS, and encrypt data in RAM. However, for applications that use large amounts of memory, including most databases, enclaves do not protect against access pattern leaks, which let attackers gain a large amount of information about the data. Moreover,the naive way to address this issue, using Oblivious RAM (ORAM) primitives from the security literature, adds substantial overhead. A number of recent works explore trusted hardware enclaves as a path toward secure, access-pattern oblivious outsourcing of data storage and analysis. While these works efficiently solve specific subproblems (e.g. building secure indexes or running analytics queries that always scan entire tables), no prior work has supported oblivious query processing for general query workloads on a DBMS engine with multiple access methods. Moreover, applying these techniques individually does not guarantee that an end-to-end workload, such as a complex SQL query over multiple tables, will be oblivious. In this paper, we introduce ObliDB, an oblivious database engine design that is the first system to provide obliviousness for general database read workloads over multiple access methods. ObliDB supports a broad range of queries, including aggregation, joins, insertions, deletions and point queries. We implement ObliDB and show that, on analytics work-loads, ObliDB ranges from 1.1-19x faster than Opaque,a previous oblivious, enclave-based system designed only for analytics, and comes within 2.6x of Spark SQL. ObliDB supports point queries with 3-10ms latency, which runs over 7x faster than HIRB, a previous encryption-based oblivious index system.

[1]  Úlfar Erlingsson,et al.  Prochlo: Strong Privacy for Analytics in the Crowd , 2017, SOSP.

[2]  Stavros Papadopoulos,et al.  Practical Private Range Search Revisited , 2016, SIGMOD Conference.

[3]  Mark Zhandry,et al.  Semantically Secure Order-Revealing Encryption: Multi-input Functional Encryption Without Obfuscation , 2015, EUROCRYPT.

[4]  Insik Shin,et al.  SGX-Shield: Enabling Address Space Layout Randomization for SGX Programs , 2017, NDSS.

[5]  Jonathan Katz,et al.  All Your Queries Are Belong to Us: The Power of File-Injection Attacks on Searchable Encryption , 2016, USENIX Security Symposium.

[6]  Shweta Shinde,et al.  Panoply: Low-TCB Linux Applications With SGX Enclaves , 2017, NDSS.

[7]  Stefano Tessaro,et al.  Oblivious Parallel RAM: Improved Efficiency and Generic Constructions , 2016, TCC.

[8]  Rafail Ostrovsky,et al.  Software protection and simulation on oblivious RAMs , 1996, JACM.

[9]  Kapil Vaswani,et al.  EnclaveDB: A Secure Database Using SGX , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[10]  Christos Gkantsidis,et al.  VC3: Trustworthy Data Analytics in the Cloud Using SGX , 2015, 2015 IEEE Symposium on Security and Privacy.

[11]  Srdjan Capkun,et al.  ROTE: Rollback Protection for Trusted Execution , 2017, USENIX Security Symposium.

[12]  Christos Gkantsidis,et al.  Observing and Preventing Leakage in MapReduce , 2015, CCS.

[13]  Raphael Bost,et al.  ∑oφoς: Forward Secure Searchable Encryption , 2016, CCS.

[14]  Elaine Shi,et al.  ObliviStore: High Performance Oblivious Distributed Cloud Data Store , 2013, NDSS.

[15]  Elaine Shi,et al.  Constants Count: Practical Improvements to Oblivious RAM , 2015, USENIX Security Symposium.

[16]  Adam O'Neill,et al.  Generic Attacks on Secure Outsourced Databases , 2016, CCS.

[17]  Eli Upfal,et al.  Balanced Allocations , 1999, SIAM J. Comput..

[18]  Ramarathnam Venkatesan,et al.  Orthogonal Security with Cipherbase , 2013, CIDR.

[19]  David M. Eyers,et al.  SCONE: Secure Linux Containers with Intel SGX , 2016, OSDI.

[20]  Sameer Wagh,et al.  The Pyramid Scheme: Oblivious RAM for Trusted Processors , 2017, ArXiv.

[21]  Charles V. Wright,et al.  The Shadow Nemesis: Inference Attacks on Efficiently Deployable, Efficiently Searchable Encryption , 2016, CCS.

[22]  Raghav Kaushik,et al.  Oblivious Query Processing , 2013, ICDT.

[23]  Kartik Nayak,et al.  Oblivious Data Structures , 2014, IACR Cryptol. ePrint Arch..

[24]  Ahmad-Reza Sadeghi,et al.  HardIDX: Practical and Secure Index with SGX , 2017, DBSec.

[25]  Shweta Shinde,et al.  Preventing Page Faults from Telling Your Secrets , 2016, AsiaCCS.

[26]  Joseph K. Bradley,et al.  Spark SQL: Relational Data Processing in Spark , 2015, SIGMOD Conference.

[27]  Yan Huang,et al.  Practicing Oblivious Access on Cloud Storage: the Gap, the Fallacy, and the New Way Forward , 2015, CCS.

[28]  Elaine Shi,et al.  Path ORAM: an extremely simple oblivious RAM protocol , 2012, CCS.

[29]  Kartik Nayak,et al.  ObliVM: A Programming Framework for Secure Computation , 2015, 2015 IEEE Symposium on Security and Privacy.

[30]  Emmett Witchel,et al.  Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data , 2016, OSDI.

[31]  Srinivas Devadas,et al.  Intel SGX Explained , 2016, IACR Cryptol. ePrint Arch..

[32]  Ashwin Machanavajjhala,et al.  ShrinkWrap: Efficient SQL Query Processing in Differentially Private Data Federations , 2018, Proc. VLDB Endow..

[33]  Ming Zhang,et al.  Preserving Access Pattern Privacy in SGX-Assisted Encrypted Search , 2018, 2018 27th International Conference on Computer Communication and Networks (ICCCN).

[34]  Charles V. Wright,et al.  Inference Attacks on Property-Preserving Encrypted Databases , 2015, CCS.

[35]  Kartik Nayak,et al.  An Oblivious Parallel RAM with O(log2 N) Parallel Runtime Blowup , 2016, IACR Cryptology ePrint Archive.

[36]  Robert K. Cunningham,et al.  SoK: Cryptographically Protected Database Search , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[37]  Marcus Peinado,et al.  Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing , 2016, USENIX Security Symposium.

[38]  Brice Minaud,et al.  Forward and Backward Private Searchable Encryption from Constrained Cryptographic Primitives , 2017, CCS.

[39]  Thomas F. Wenisch,et al.  Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution , 2018, USENIX Security Symposium.

[40]  Radu Sion,et al.  TrustedDB: A Trusted Hardware-Based Database with Privacy and Data Confidentiality , 2011, IEEE Transactions on Knowledge and Data Engineering.

[41]  Elaine Shi,et al.  GhostRider: A Hardware-Software System for Memory Trace Oblivious Computation , 2015, ASPLOS.

[42]  Mihai Christodorescu,et al.  VeritasDB: High Throughput Key-Value Store with Integrity , 2018, IACR Cryptol. ePrint Arch..

[43]  David Cash,et al.  Leakage-Abuse Attacks Against Searchable Encryption , 2015, IACR Cryptol. ePrint Arch..

[44]  Murat Kantarcioglu,et al.  Access Pattern disclosure on Searchable Encryption: Ramification, Attack and Mitigation , 2012, NDSS.

[45]  Dan Boneh,et al.  IRON: Functional Encryption using Intel SGX , 2017, CCS.

[46]  Vitaly Shmatikov,et al.  Breaking Web Applications Built On Top of Encrypted Data , 2016, CCS.

[47]  Olivier Bernard,et al.  Practical Passive Leakage-abuse Attacks Against Symmetric Searchable Encryption , 2017, SECRYPT.

[48]  Rishabh Poddar,et al.  Oblix: An Efficient Oblivious Search Index , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[49]  Yuan Xiao,et al.  SgxPectre: Stealing Intel Secrets from SGX Enclaves Via Speculative Execution , 2018, 2019 IEEE European Symposium on Security and Privacy (EuroS&P).

[50]  David J. Wu,et al.  Order-Revealing Encryption: New Constructions, Applications, and Lower Bounds , 2016, IACR Cryptol. ePrint Arch..

[51]  Srinivas Devadas,et al.  Sanctum: Minimal Hardware Extensions for Strong Software Isolation , 2016, USENIX Security Symposium.

[52]  Liehuang Zhu,et al.  Search pattern leakage in searchable encryption: Attacks and new construction , 2014, Inf. Sci..

[53]  John C. Mitchell,et al.  Privacy-Preserving Shortest Path Computation , 2016, NDSS.

[54]  Elaine Shi,et al.  On the Depth of Oblivious Parallel RAM , 2017, ASIACRYPT.

[55]  Attila A. Yavuz,et al.  Hardware-Supported ORAM in Effect: Practical Oblivious Search and Update on Very Large Dataset , 2018, IACR Cryptol. ePrint Arch..

[56]  Beng Chin Ooi,et al.  M2R: Enabling Stronger Privacy in MapReduce Computation , 2015, USENIX Security Symposium.

[57]  Marcus Peinado,et al.  T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs , 2017, NDSS.

[58]  Alexey Gribov,et al.  StealthDB: a Scalable Encrypted Database with Full SQL Query Support , 2017, Proc. Priv. Enhancing Technol..

[59]  Kartik Nayak,et al.  HOP: Hardware makes Obfuscation Practical , 2017, NDSS.

[60]  Adam J. Aviv,et al.  A Practical Oblivious Map Data Structure with Secure Deletion and History Independence , 2015, 2016 IEEE Symposium on Security and Privacy (SP).

[61]  Michael T. Goodrich,et al.  Randomized Shellsort: A Simple Data-Oblivious Sorting Algorithm , 2011, JACM.

[62]  Christopher W. Fletcher,et al.  ZeroTrace : Oblivious Memory Primitives from Intel SGX , 2018, NDSS.

[63]  Hari Balakrishnan,et al.  Building Web Applications on Top of Encrypted Data Using Mylar , 2014, NSDI.

[64]  Galen C. Hunt,et al.  Shielding Applications from an Untrusted Cloud with Haven , 2014, OSDI.

[65]  Ramez Elmasri,et al.  Fundamentals of Database Systems, 5th Edition , 2006 .

[66]  Stratis Ioannidis,et al.  Privacy-Preserving Ridge Regression on Hundreds of Millions of Records , 2013, 2013 IEEE Symposium on Security and Privacy.

[67]  Elaine Shi,et al.  PHANTOM: practical oblivious computation in a secure processor , 2013, CCS.

[68]  Kai-Min Chung,et al.  Oblivious Parallel RAM and Applications , 2016, TCC.

[69]  Hari Balakrishnan,et al.  CryptDB: processing queries on an encrypted database , 2012, CACM.

[70]  Lorenzo Alvisi,et al.  Obladi: Oblivious Serializable Transactions in the Cloud , 2018, OSDI.

[71]  Christian Gehrmann,et al.  Inference and Record-Injection Attacks on Searchable Encrypted Relational Databases , 2017, IACR Cryptol. ePrint Arch..

[72]  Ion Stoica,et al.  Opaque: An Oblivious and Encrypted Distributed Analytics Platform , 2017, NSDI.

[73]  Rishabh Poddar,et al.  Arx: A Strongly Encrypted Database System , 2016, IACR Cryptol. ePrint Arch..

[74]  Frank Wang,et al.  Splinter: Practical Private Queries on Public Data , 2017, NSDI.

[75]  Amr El Abbadi,et al.  TaoStore: Overcoming Asynchronicity in Oblivious Data Storage , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[76]  Jian Jhen Chen,et al.  LPAD : Building Secure Enclave Storage using Authenticated Log-Structured Merge Trees , 2018 .

[77]  Marcus Peinado,et al.  Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems , 2015, 2015 IEEE Symposium on Security and Privacy.

[78]  Ashay Rane,et al.  Raccoon: Closing Digital Side-Channels through Obfuscated Execution , 2015, USENIX Security Symposium.

[79]  Rüdiger Kapitza,et al.  AsyncShock: Exploiting Synchronisation Bugs in Intel SGX Enclaves , 2016, ESORICS.

[80]  Srdjan Capkun,et al.  Software Grand Exposure: SGX Cache Attacks Are Practical , 2017, WOOT.

[81]  Radu Sion,et al.  ConcurORAM: High-Throughput Stateless Parallel Multi-Client ORAM , 2018, NDSS.