Hardware-Supported ORAM in Effect: Practical Oblivious Search and Update on Very Large Dataset

Open access

Abstract

The ability to query and update over encrypted data is an essential feature to enable breach-resilient cyber-infrastructures. Statistical attacks on searchable encryption (SE) have demonstrated the importance of sealing information leaks in access patterns. In response to such attacks, the community has proposed the Oblivious Random Access Machine (ORAM). However, due to the logarithmic communication overhead of ORAM, the composition of ORAM and SE is known to be costly in the conventional client-server model, which poses a critical barrier toward its practical adoption.

In this paper, we propose a novel hardware-supported privacy-enhancing platform called Practical Oblivious Search and Update Platform (POSUP), which enables oblivious keyword search and update operations on large datasets with high efficiency. We harness Intel SGX to realize efficient oblivious data structures for oblivious search/update purposes. We implemented POSUP and evaluated its performance on a Wikipedia dataset containing ≥ 2^29 keyword-file pairs. Our implementation is highly efficient, taking only 1 ms to access a 3 KB block with Circuit-ORAM. Our experiments have shown that POSUP offers up to 70× less end-to-end delay with 100× reduced network bandwidth consumption compared with the traditional ORAM-SE composition without secure hardware. POSUP is also at least 4.5× faster for up to 99.5% of keywords that can be searched compared with state-of-the-art Intel SGX-assisted search platforms.
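The abstract's two claims, that ORAM hides which keyword is being searched and that it does so at a logarithmic cost per access, are easiest to see on a small tree-based ORAM. The following is an added example, not code from the POSUP authors: it implements a minimal Path ORAM (Stefanov et al., CCS 2013) as a stand-in for the Circuit-ORAM used in the paper, stores a constructed keyword-to-file-id index in it, and records what the untrusted storage observes. The position map and stash play the role of the client state that POSUP keeps inside the SGX enclave; per-bucket re-encryption with fresh IVs, which a real deployment needs, is omitted so the access logic stays visible. The block and bucket layout, the `build_index`/`search` helpers and the sample index are assumptions of this example.

```python
"""Minimal Path ORAM as a stand-in for the Circuit-ORAM used by POSUP.
Added example, not the POSUP authors' code. The 'server' is an in-memory
list of buckets; the position map and stash are the 'client' state (in
POSUP: inside the SGX enclave). Real deployments also re-encrypt every
bucket with a fresh IV before writing it back; omitted here."""
import secrets
from typing import Dict, List, Optional, Tuple

Z = 4  # bucket capacity: blocks per tree node (Path ORAM default, assumed)
Block = Tuple[int, bytes]  # (logical block id, payload)


class PathORAM:
    def __init__(self, num_blocks: int) -> None:
        # Tree height L so that 2**L leaves >= num_blocks; heap-indexed nodes.
        self.L = max(1, (num_blocks - 1).bit_length())
        self.num_leaves = 1 << self.L
        self.tree: List[List[Optional[Block]]] = [
            [None] * Z for _ in range(2 * self.num_leaves - 1)]
        self.position: Dict[int, int] = {}   # block id -> leaf (client secret)
        self.stash: Dict[int, bytes] = {}     # blocks not yet evicted (client)
        self.observed_leaves: List[int] = []  # all the server ever learns

    def _node(self, leaf: int, level: int) -> int:
        """Heap index of the ancestor of `leaf` at depth `level` (root = 0)."""
        return (leaf >> (self.L - level)) + (1 << level) - 1

    def access(self, op: str, block_id: int,
               data: Optional[bytes] = None) -> Optional[bytes]:
        """Read or write one logical block; touches exactly one root-to-leaf path."""
        assert op in ("read", "write")
        # Look up (or mint) the block's leaf, then remap it to a fresh random
        # leaf so the next access to the same block reads an independent path.
        leaf = self.position.get(block_id, secrets.randbelow(self.num_leaves))
        self.position[block_id] = secrets.randbelow(self.num_leaves)
        self.observed_leaves.append(leaf)

        # Read the whole path into the stash: the server sees Z*(L+1) reads.
        for level in range(self.L + 1):
            node = self._node(leaf, level)
            for slot in self.tree[node]:
                if slot is not None:
                    self.stash[slot[0]] = slot[1]
            self.tree[node] = [None] * Z

        result = self.stash.get(block_id)  # None if the block was never written
        if op == "write":
            self.stash[block_id] = data

        # Evict: refill the same path leaf-up with stash blocks whose (new)
        # leaf still shares that node; everything else stays in the stash.
        for level in range(self.L, -1, -1):
            node = self._node(leaf, level)
            chosen = [bid for bid in self.stash
                      if self._node(self.position[bid], level) == node][:Z]
            bucket: List[Optional[Block]] = []
            for bid in chosen:
                bucket.append((bid, self.stash.pop(bid)))
            self.tree[node] = bucket + [None] * (Z - len(bucket))
        return result

    def blocks_moved_per_access(self) -> int:
        """Server-side traffic per logical access: one path read + one path write."""
        return 2 * Z * (self.L + 1)


def build_index(oram: PathORAM, index: Dict[str, List[int]]) -> Dict[str, int]:
    """Store each keyword's posting list in its own ORAM block; return the
    keyword -> block id map the client keeps (hypothetical helper)."""
    ids: Dict[str, int] = {}
    for n, (keyword, files) in enumerate(index.items()):
        oram.access("write", n, ",".join(map(str, files)).encode())
        ids[keyword] = n
    return ids


def search(oram: PathORAM, ids: Dict[str, int], keyword: str) -> List[int]:
    """Oblivious keyword lookup: one ORAM access, whatever the keyword."""
    payload = oram.access("read", ids[keyword])
    return [int(f) for f in payload.decode().split(",")] if payload else []


if __name__ == "__main__":
    sample_index = {"sgx": [1, 7, 9], "oram": [2, 7], "leakage": [3]}  # constructed
    oram = PathORAM(num_blocks=1 << 10)
    ids = build_index(oram, sample_index)
    print(search(oram, ids, "sgx"), search(oram, ids, "sgx"))  # same answer twice
    print("leaves seen by server:", oram.observed_leaves)       # independent leaves
    print("blocks moved per lookup:", oram.blocks_moved_per_access())
```

Two things to read off the output: repeated searches for the same keyword produce the same posting list but a fresh, independent leaf in `observed_leaves`, which is the access-pattern leak that the statistical attacks on plain SE exploit and that ORAM closes; and every lookup moves 2Z(L+1) blocks, so for a Path ORAM with Z = 4 over the 2^29 entries in the paper's dataset a single keyword lookup would move 240 blocks. In the client-server composition that traffic crosses the network; placing the ORAM client logic inside the enclave, as POSUP does, turns it into local memory traffic, which is the bandwidth reduction the abstract reports.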

