Secure large-scale outsourced services founded on trustworthy code executions

Tese de doutoramento, Informatica (Ciencia da Computacao), Universidade de Lisboa, Faculdade de Ciencias, 2017

[1]  Sean W. Smith,et al.  Building a high-performance, programmable secure coprocessor , 1999, Comput. Networks.

[2]  Leslie Lamport,et al.  The part-time parliament , 1998, TOCS.

[3]  Marcos K. Aguilera,et al.  Fast Asynchronous Consensus with Optimal Resilience , 2010, DISC.

[4]  Priya Narasimhan,et al.  Static Analysis Meets Distributed Fault-Tolerance: Enabling State-Machine Replication with Nondeterminism , 2006, HotDep.

[5]  Donald E. Porter,et al.  Graphene-SGX: A Practical Library OS for Unmodified Applications on SGX , 2017, USENIX Annual Technical Conference.

[6]  D. Mccormick Sequence the Human Genome , 1986, Bio/Technology.

[7]  Michael Dahlin,et al.  Making Byzantine Fault Tolerant Systems Tolerate Byzantine Faults , 2009, NSDI.

[8]  Arun Venkataramani,et al.  ZZ and the art of practical BFT execution , 2011, EuroSys '11.

[9]  Cédric Fournet,et al.  Hash First, Argue Later: Adaptive Verifiable Computations on Outsourced Data , 2016, CCS.

[10]  Colin Boyd,et al.  On a Limitation of BAN Logic , 1994, EUROCRYPT.

[11]  Markus Jakobsson,et al.  Controlling data in the cloud: outsourcing computation without outsourcing control , 2009, CCSW '09.

[12]  Michael K. Reiter,et al.  Zzyzx: Scalable fault tolerance through Byzantine locking , 2010, 2010 IEEE/IFIP International Conference on Dependable Systems & Networks (DSN).

[13]  Benjamin Braun,et al.  Verifying computations with state , 2013, IACR Cryptol. ePrint Arch..

[14]  Adrian Perrig,et al.  TrustVisor: Efficient TCB Reduction and Attestation , 2010, 2010 IEEE Symposium on Security and Privacy.

[15]  Trent Jaeger,et al.  Design and Implementation of a TCG-based Integrity Measurement Architecture , 2004, USENIX Security Symposium.

[16]  Margaret Eleanor Atwood The Circle Game , 1966 .

[17]  Rodrigo Rodrigues,et al.  Efficient middleware for byzantine fault tolerant database replication , 2011, EuroSys '11.

[18]  Christian F. Tschudin,et al.  Protecting Mobile Agents Against Malicious Hosts , 1998, Mobile Agents and Security.

[19]  Rajkumar Buyya,et al.  Ensuring Security and Privacy Preservation for Cloud Data Services , 2016, ACM Comput. Surv..

[20]  Christos Faloutsos,et al.  Polonium: Tera-Scale Graph Mining and Inference for Malware Detection , 2011 .

[21]  Michael K. Reiter,et al.  Detecting Privileged Side-Channel Attacks in Shielded Execution with Déjà Vu , 2017, AsiaCCS.

[22]  Emmett Witchel,et al.  Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data , 2016, OSDI.

[23]  Michael K. Reiter,et al.  Cross-VM side channels and their use to extract private keys , 2012, CCS.

[24]  Christos Gkantsidis,et al.  VC3: Trustworthy Data Analytics in the Cloud Using SGX , 2015, 2015 IEEE Symposium on Security and Privacy.

[25]  Ittai Anati,et al.  Innovative Technology for CPU Based Attestation and Sealing , 2013 .

[26]  Nuno Ferreira Neves,et al.  Securing Passive Replication through Verification , 2015, 2015 IEEE 34th Symposium on Reliable Distributed Systems (SRDS).

[27]  Peter Alan Lee,et al.  Fault Tolerance , 1990, Dependable Computing and Fault-Tolerant Systems.

[28]  Nuno Ferreira Neves,et al.  Secure Identification of Actively Executed Code on a Generic Trusted Component , 2016, 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[29]  Lidong Zhou,et al.  Niobe: A practical replication protocol , 2008, TOS.

[30]  Dutch T. Meyer,et al.  Remus: High Availability via Asynchronous Virtual Machine Replication. (Best Paper) , 2008, NSDI.

[31]  K Kasikumar,et al.  Applications of Data Mining Techniques in Healthcare and Prediction of Heart Attacks , 2018 .

[32]  Miguel Correia,et al.  Asynchronous Byzantine consensus with 2f+1 processes , 2010, SAC '10.

[33]  Andrew S. Tanenbaum,et al.  Distributed systems: Principles and Paradigms , 2001 .

[34]  Adrian Perrig,et al.  Bootstrapping Trust in Commodity Computers , 2010, 2010 IEEE Symposium on Security and Privacy.

[35]  Leslie Lamport,et al.  The Byzantine Generals Problem , 1982, TOPL.

[36]  Miguel Correia,et al.  Low complexity Byzantine-resilient consensus , 2005, Distributed Computing.

[37]  Ninghui Li,et al.  Universal Accumulators with Efficient Nonmembership Proofs , 2007, ACNS.

[38]  Johannes Behl,et al.  Hybrids on Steroids: SGX-Based High Performance BFT , 2017, EuroSys.

[39]  Sven Bugiel,et al.  Implementing an application-specific credential platform using late-launched mobile trusted module , 2010, STC '10.

[40]  Jiangtao Li,et al.  Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities , 2007, IEEE Transactions on Dependable and Secure Computing.

[41]  N. Falconer Structured Programming , 1973, Nature.

[42]  Galen C. Hunt,et al.  Shielding Applications from an Untrusted Cloud with Haven , 2014, OSDI.

[43]  C. A. R. HOARE,et al.  An axiomatic basis for computer programming , 1969, CACM.

[44]  Beng Chin Ooi,et al.  M2R: Enabling Stronger Privacy in MapReduce Computation , 2015, USENIX Security Symposium.

[45]  Ramakrishna Kotla,et al.  Zyzzyva , 2007, SOSP.

[46]  Anne-Marie Kermarrec,et al.  Atum: Scalable Group Communication Using Volatile Groups , 2016, Middleware.

[47]  Rüdiger Kapitza,et al.  AsyncShock: Exploiting Synchronisation Bugs in Intel SGX Enclaves , 2016, ESORICS.

[48]  Srdjan Capkun,et al.  Software Grand Exposure: SGX Cache Attacks Are Practical , 2017, WOOT.

[49]  Marcus Peinado,et al.  T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs , 2017, NDSS.

[50]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[51]  Michael Ben-Or,et al.  Another advantage of free choice (Extended Abstract): Completely asynchronous agreement protocols , 1983, PODC '83.

[52]  James Newsome,et al.  MiniBox: A Two-Way Sandbox for x86 Native Code , 2014, USENIX ATC.

[53]  Leslie Lamport,et al.  Reaching Agreement in the Presence of Faults , 1980, JACM.

[54]  Alec Wolman,et al.  fTPM: A Software-Only Implementation of a TPM Chip , 2016, USENIX Security Symposium.

[55]  Mahadev Konar,et al.  ZooKeeper: Wait-free Coordination for Internet-scale Systems , 2010, USENIX ATC.

[56]  Marko Vukolic,et al.  The Next 700 BFT Protocols , 2015, ACM Trans. Comput. Syst..

[57]  Xavier Défago,et al.  Semi-passive replication , 1998, Proceedings Seventeenth IEEE Symposium on Reliable Distributed Systems (Cat. No.98CB36281).

[58]  Danfeng Zhang,et al.  Ironclad Apps: End-to-End Security via Automated Full-System Verification , 2014, OSDI.

[59]  Martín Abadi,et al.  A semantics for a logic of authentication (extended abstract) , 1991, PODC '91.

[60]  Galen C. Hunt,et al.  Secure execution of unmodified applications on an untrusted host , 2013 .

[61]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[62]  Junfeng Yang,et al.  Parrot: a practical runtime for deterministic, stable, and reliable threads , 2013, SOSP.

[63]  John Black,et al.  A Block-Cipher Mode of Operation for Parallelizable Message Authentication , 2002, EUROCRYPT.

[64]  Rachid Guerraoui,et al.  Replication Techniques for Availability , 2010, Replication.

[65]  Fred B. Schneider,et al.  Optimal Primary-Backup Protocols , 1992, WDAG.

[66]  Robert W. Floyd,et al.  Assigning Meanings to Programs , 1993 .

[67]  N. Asokan,et al.  On-board credentials with open provisioning , 2009, ASIACCS '09.

[68]  Danai Koutra,et al.  Graph based anomaly detection and description: a survey , 2014, Data Mining and Knowledge Discovery.

[69]  Elaine Shi,et al.  BIND: a fine-grained attestation service for secure distributed systems , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[70]  Timothy Grance,et al.  Guidelines on Security and Privacy in Public Cloud Computing | NIST , 2012 .

[71]  Daniele Sgandurra,et al.  Evolution of Attacks, Threat Models, and Solutions for Virtualized Systems , 2016, ACM Comput. Surv..

[72]  Lawrie Brown,et al.  Computer Security: Principles and Practice , 2007 .

[73]  Christof Fetzer,et al.  SecureKeeper: Confidential ZooKeeper using Intel SGX , 2016, Middleware.

[74]  Miguel Correia,et al.  How to tolerate half less one Byzantine nodes in practical distributed systems , 2004, Proceedings of the 23rd IEEE International Symposium on Reliable Distributed Systems, 2004..

[75]  Andrew C. Myers,et al.  Secure program partitioning , 2002, TOCS.

[76]  B. Lampson,et al.  Authentication in distributed systems: theory and practice , 1991, TOCS.

[77]  Mark Silberstein,et al.  Eleos: ExitLess OS Services for SGX Enclaves , 2017, EuroSys.

[78]  Craig Gentry,et al.  Pinocchio: Nearly Practical Verifiable Computation , 2013, IEEE Symposium on Security and Privacy.

[79]  Fred B. Schneider,et al.  Implementing fault-tolerant services using the state machine approach: a tutorial , 1990, CSUR.

[80]  Ernest F. Brickell,et al.  Direct anonymous attestation , 2004, CCS '04.

[81]  Peng Ning,et al.  SICE: a hardware-level strongly isolated computing environment for x86 multi-core platforms , 2011, CCS '11.

[82]  H Steven Wiley,et al.  How low can you go? , 2018, eLife.

[83]  A. Yao,et al.  Fair exchange with a semi-trusted third party (extended abstract) , 1997, CCS '97.

[84]  Christof Fetzer,et al.  SGXBOUNDS: Memory Safety for Shielded Execution , 2017, EuroSys.

[85]  Andreas Haeberlen,et al.  PeerReview: practical accountability for distributed systems , 2007, SOSP.

[86]  Charanjit S. Jutla,et al.  Parallelizable Authentication Trees , 2005, IACR Cryptol. ePrint Arch..

[87]  Dan Grossman,et al.  CoreDet: a compiler and runtime system for deterministic multithreaded execution , 2010, ASPLOS XV.

[88]  Butler W. Lampson,et al.  A Trusted Open Platform , 2003, Computer.

[89]  David M. Eyers,et al.  Glamdring: Automatic Application Partitioning for Intel SGX , 2017, USENIX Annual Technical Conference.

[90]  Srinivas Devadas,et al.  Sanctum: Minimal Hardware Extensions for Strong Software Isolation , 2016, USENIX Security Symposium.

[91]  Navin Budhiraja The Primary-Backup Approach: Lower and Upper Bounds , 1993 .

[92]  Aniket Kate,et al.  On the (limited) power of non-equivocation , 2012, PODC '12.

[93]  Ramarathnam Venkatesan,et al.  Oblivious Hashing: A Stealthy Software Integrity Verification Primitive , 2002, Information Hiding.

[94]  Nancy A. Lynch,et al.  Consensus in the presence of partial synchrony , 1988, JACM.

[95]  Cas J. F. Cremers,et al.  The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols , 2008, CAV.

[96]  William R. Claycomb,et al.  Insider Threats to Cloud Computing: Directions for New Research Challenges , 2012, 2012 IEEE 36th Annual Computer Software and Applications Conference.

[97]  Frank Piessens,et al.  Ariadne: A Minimal Approach to State Continuity , 2016, USENIX Security Symposium.

[98]  Alysson Neves Bessani,et al.  State Machine Replication for the Masses with BFT-SMART , 2014, 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[99]  Frank Tip,et al.  A survey of program slicing techniques , 1994, J. Program. Lang..

[100]  Cas J. F. Cremers Unbounded verification, falsification, and characterization of security protocols by pattern refinement , 2008, CCS.

[101]  Martín Abadi,et al.  A logic of authentication , 1990, TOCS.

[102]  Ion Stoica,et al.  Opaque: An Oblivious and Encrypted Distributed Analytics Platform , 2017, NSDI.

[103]  Gene Tsudik,et al.  Itinerant Agents for Mobile Computing , 1995, IEEE Communications Surveys & Tutorials.

[104]  Tobias Distler,et al.  Extensible distributed coordination , 2015, EuroSys.

[105]  H. Chung,et al.  Oasis , 2001, Brain Research.

[106]  Yang Wang,et al.  All about Eve: Execute-Verify Replication for Multi-Core Servers , 2012, OSDI.

[107]  Johannes Behl,et al.  Consensus-Oriented Parallelization: How to Earn Your First Million , 2015, Middleware.

[108]  Nuno Ferreira Neves,et al.  Secure Tera-scale Data Crunching with a Small TCB , 2017, 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[109]  Vivien Quéma,et al.  RBFT: Redundant Byzantine Fault Tolerance , 2013, 2013 IEEE 33rd International Conference on Distributed Computing Systems.

[110]  GhemawatSanjay,et al.  The Google file system , 2003 .

[111]  Miguel Correia,et al.  Efficient Byzantine Fault-Tolerance , 2013, IEEE Transactions on Computers.

[112]  Danny Dolev,et al.  On the minimal synchronism needed for distributed consensus , 1983, 24th Annual Symposium on Foundations of Computer Science (sfcs 1983).

[113]  Ahmad-Reza Sadeghi,et al.  Property-based attestation for computing platforms: caring about properties, not mechanisms , 2004, NSPW '04.

[114]  Miguel Castro,et al.  BASE: Using abstraction to improve fault tolerance , 2003, TOCS.

[115]  Leslie Lamport,et al.  Time, clocks, and the ordering of events in a distributed system , 1978, CACM.

[116]  Sergey Bratus,et al.  TOCTOU, Traps, and Trusted Computing , 2008, TRUST.

[117]  Gabriel Bracha,et al.  An asynchronous [(n - 1)/3]-resilient consensus protocol , 1984, PODC '84.

[118]  Radu Sion,et al.  TrustedDB: A Trusted Hardware-Based Database with Privacy and Data Confidentiality , 2011, IEEE Transactions on Knowledge and Data Engineering.

[119]  Michael K. Reiter,et al.  Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.

[120]  J. D. Day,et al.  A principle for resilient sharing of distributed resources , 1976, ICSE '76.

[121]  Dilsun Kirli Kaynar,et al.  A Logic of Secure Systems and its Application to Trusted Computing , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[122]  John M. Ferron,et al.  How Low Can You Go? An Investigation of the Influence of Sample Size and Model Complexity on Point and Interval Estimates in Two-Level Linear Models , 2014 .

[123]  Michael Franz,et al.  Mostly static program partitioning of binary executables , 2009, TOPL.

[124]  Jorge A. Gálvez,et al.  A Review of Analytics and Clinical Informatics in Health Care , 2014, Journal of Medical Systems.

[125]  Christian F. Tschudin,et al.  Towards mobile cryptography , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[126]  Alysson Neves Bessani,et al.  Analysis of operating system diversity for intrusion tolerance , 2014, Softw. Pract. Exp..

[127]  Biological Sequences and the Exact String Matching Problem Universal Turing Machine , 2011 .

[128]  Stephen N. Zilles,et al.  Programming with abstract data types , 1974, SIGPLAN Symposium on Very High Level Languages.

[129]  Brent Waters,et al.  Cloaking Malware with the Trusted Platform Module , 2011, USENIX Security Symposium.

[130]  Jacob R. Lorch,et al.  TrInc: Small Trusted Hardware for Large Distributed Systems , 2009, NSDI.

[131]  Mihir Bellare,et al.  Incremental cryptography and application to virus protection , 1995, STOC '95.

[132]  Gorka Irazoqui Apecechea,et al.  Cache Attacks Enable Bulk Key Recovery on the Cloud , 2016, CHES.

[133]  Arun Venkataramani,et al.  Separating agreement from execution for byzantine fault tolerant services , 2003, SOSP '03.

[134]  Jan Camenisch,et al.  Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials , 2002, CRYPTO.

[135]  Bernhard Kauer OSLO: Improving the Security of Trusted Computing , 2007, USENIX Security Symposium.

[136]  Douglas Kilpatrick,et al.  Privman: A Library for Partitioning Applications , 2003, USENIX Annual Technical Conference, FREENIX Track.

[137]  Gonçalo R. Abecasis,et al.  The Sequence Alignment/Map format and SAMtools , 2009, Bioinform..

[138]  Craig Gentry,et al.  Non-interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers , 2010, CRYPTO.

[139]  Paul England,et al.  Authenticated Operation of Open Computing Devices , 2002, ACISP.

[140]  Paulo Veríssimo,et al.  Travelling through wormholes: a new look at distributed systems models , 2006, SIGA.

[141]  Angelos D. Keromytis,et al.  Adding Trust to P2P Distribution of Paid Content , 2009, ISC.

[142]  Marshall Copeland,et al.  Microsoft Azure , 2015, Apress.

[143]  Johannes Winter,et al.  A Hijacker's Guide to the LPC Bus , 2011, EuroPKI.

[144]  Bill Benda,et al.  The Circle Game. , 2016, Integrative medicine.

[145]  Dongsu Han,et al.  Enhancing Security and Privacy of Tor's Ecosystem by Using Trusted Execution Environments , 2017, NSDI.

[146]  Miguel Castro,et al.  Practical byzantine fault tolerance and proactive recovery , 2002, TOCS.

[147]  Jean-Philippe Martin,et al.  Fast Byzantine Consensus , 2006, IEEE Transactions on Dependable and Secure Computing.

[148]  Mihir Bellare,et al.  Foundations of garbled circuits , 2012, CCS.

[149]  N. Asokan,et al.  Scheduling execution of credentials in constrained secure environments , 2008, STC '08.

[150]  Martín Abadi,et al.  A Logical Account of NGSCB , 2004, FORTE.

[151]  Alan Davies Customer Success Stories , 2013 .

[152]  Liuba Shrira,et al.  HQ replication: a hybrid quorum protocol for byzantine fault tolerance , 2006, OSDI '06.

[153]  Nancy A. Lynch,et al.  Impossibility of distributed consensus with one faulty process , 1985, JACM.

[154]  Insik Shin,et al.  SGX-Shield: Enabling Address Space Layout Randomization for SGX Programs , 2017, NDSS.

[155]  Scott Shenker,et al.  Attested append-only memory: making adversaries stick to their word , 2007, SOSP.

[156]  Shweta Shinde,et al.  Panoply: Low-TCB Linux Applications With SGX Enclaves , 2017, NDSS.

[157]  Dong Wei,et al.  Intrinsically resilient energy control systems , 2013, CSIIRW '13.

[158]  Emery D. Berger,et al.  Dthreads: efficient deterministic multithreading , 2011, SOSP.

[159]  SantosNuno,et al.  Verifying cloud services , 2013 .

[160]  David Grawrock Dynamics of a trusted platform: a building block approach , 2009 .

[161]  Andrew Chi-Chih Yao,et al.  Protocols for secure computations , 1982, FOCS 1982.

[162]  Shweta Shinde,et al.  Preventing Page Faults from Telling Your Secrets , 2016, AsiaCCS.

[163]  Steven L Salzberg,et al.  Fast gapped-read alignment with Bowtie 2 , 2012, Nature Methods.

[164]  Nuno Ferreira Neves,et al.  DiveInto: Supporting Diversity in Intrusion-Tolerant Systems , 2011, 2011 IEEE 30th International Symposium on Reliable Distributed Systems.

[165]  Milind Girkar,et al.  Partitioning programs for parallel execution , 1988, ICS '88.

[166]  Jacob R. Lorch,et al.  Tardigrade: Leveraging Lightweight Virtual Machines to Easily and Efficiently Construct Fault-Tolerant Services , 2015, NSDI.

[167]  John Lane,et al.  Prime: Byzantine Replication under Attack , 2011, IEEE Transactions on Dependable and Secure Computing.

[168]  Marcus Peinado,et al.  Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems , 2015, 2015 IEEE Symposium on Security and Privacy.

[169]  Marc Fischlin Incremental Cryptography and Memory Checkers , 1997, EUROCRYPT.

[170]  Keith Marzullo,et al.  Tradeoffs in implementing primary-backup protocols , 1995, Proceedings.Seventh IEEE Symposium on Parallel and Distributed Processing.

[171]  Johannes Behl,et al.  CheapBFT: resource-efficient byzantine fault tolerance , 2012, EuroSys '12.

[172]  Cong Wang,et al.  Security Challenges for the Public Cloud , 2012, IEEE Internet Computing.

[173]  Alysson Neves Bessani,et al.  OS diversity for intrusion tolerance: Myth or reality? , 2011, 2011 IEEE/IFIP 41st International Conference on Dependable Systems & Networks (DSN).

[174]  David M. Eyers,et al.  SCONE: Secure Linux Containers with Intel SGX , 2016, OSDI.

[175]  James Newsome,et al.  Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework , 2013, 2013 IEEE Symposium on Security and Privacy.

[176]  Alysson Neves Bessani,et al.  A High-Throughput Method to Detect Privacy-Sensitive Human Genomic Data , 2015, WPES@CCS.

[177]  Andrew S. Tanenbaum Lessons learned from 30 years of MINIX , 2016, Commun. ACM.

[178]  Marc Najork,et al.  Boxwood: Abstractions as the Foundation for Storage Infrastructure , 2004, OSDI.