Transaction processing on confidential data using Cipherbase

Cipherbase is a comprehensive database system that provides strong end-to-end data confidentiality through encryption. Cipherbase is based on a novel architecture that combines an industrial-strength database engine (SQL Server) with lightweight processing over encrypted data that is performed in secure hardware. The overall architecture provides significant benefits over the state-of-the-art in terms of security, performance, and functionality. This paper presents a prototype of Cipherbase that uses FPGAs to provide secure processing and describes the system engineering details implemented to achieve competitive performance for transactional workloads. This includes hardware-software co-design issues (e.g., how to best offer parallelism), optimizations to hide the latency between the secure hardware and the main system, and techniques to cope with space inefficiencies. All these optimizations were carefully designed not to affect end-to-end data confidentiality. Our experiments with the TPC-C benchmark show that in the worst case, when all data are strongly encrypted, Cipherbase achieves 40% of the throughput of plaintext SQL Server. In more realistic cases, if only critical data such as customer names are encrypted, the Cipherbase throughput is more than 90% of plaintext SQL Server.
