StealthDB: a Scalable Encrypted Database with Full SQL Query Support

Dhinakaran Vinayagamurthy 1 , Alexey Gribov 2 , and Sergey Gorbunov 3
  • 1 IBM Research India, Work done while at University of Waterloo
  • 2 Symbiont.io, Work done while at Stealthmine Inc.,
  • 3 University of Waterloo and Algorand,

Abstract

Encrypted database systems provide a great method for protecting sensitive data in untrusted infrastructures. These systems are built using either special-purpose cryptographic algorithms that support operations over encrypted data, or by leveraging trusted computing co-processors. Strong cryptographic algorithms (e.g., public-key encryptions, garbled circuits) usually result in high performance overheads, while weaker algorithms (e.g., order-preserving encryption) result in large leakage profiles. On the other hand, some encrypted database systems (e.g., Cipherbase, TrustedDB) leverage non-standard trusted computing devices, and are designed to work around the architectural limitations of the specific devices used.

In this work we build StealthDB – an encrypted database system from Intel SGX. Our system can run on any newer generation Intel CPU. StealthDB has a very small trusted computing base, scales to large transactional workloads, requires minor DBMS changes, and provides a relatively strong security guarantees at steady state and during query execution. Our prototype on top of Postgres supports the full TPC-C benchmark with a 30% decrease in the average throughput over an unmodified version of Postgres operating on a 2GB unencrypted dataset.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] Amazon. AWS shell interface specification. https://github.com/aws/aws-fpga/blob/master/hdk/docs/AWS_Shell_Interface_Specification.md, 2017. Accessed: 2017-10-01.

  • [2] A. Arasu, S. Blanas, K. Eguro, R. Kaushik, D. Kossmann, R. Ramamurthy, and R. Venkatesan. Orthogonal security with cipherbase. In CIDR, 2013.

  • [3] S. Arnautov, B. Trach, F. Gregor, T. Knauth, A. Martin, C. Priebe, J. Lind, D. Muthukumaran, D. O’Keeffe, M. Stillwell, D. Goltzsche, D. M. Eyers, R. Kapitza, P. R. Pietzuch, and C. Fetzer. SCONE: secure linux containers with intel SGX. In OSDI, pages 689–703, 2016.

  • [4] S. Bajaj and R. Sion. Trusteddb: A trusted hardware based database with privacy and data confidentiality. In SIGMOD, pages 205–216, 2011.

  • [5] M. Balduzzi, J. Zaddach, D. Balzarotti, E. Kirda, and S. Loureiro. A security analysis of amazon’s elastic compute cloud service. In SAC, pages 1427–1434, 2012.

  • [6] A. Baumann, M. Peinado, and G. C. Hunt. Shielding applications from an untrusted cloud with haven. In OSDI, pages 267–283, 2014.

  • [7] F. Brasser, U. Müller, A. Dmitrienko, K. Kostiainen, S. Capkun, and A. Sadeghi. Software grand exposure: SGX cache attacks are practical. In WOOT, 2017.

  • [8] S. Bugiel, S. Nürnberger, T. Pöppelmann, A. Sadeghi, and T. Schneider. Amazonia: when elasticity snaps back. In CCS, pages 389–400, 2011.

  • [9] J. V. Bulck, M. Minkin, O. Weisse, D. Genkin, B. Kasikci, F. Piessens, M. Silberstein, T. F. Wenisch, Y. Yarom, and R. Strackx. Foreshadow: Extracting the keys to the intel SGX kingdom with transient out-of-order execution. In USENIX Security, pages 991–1008, 2018.

  • [10] D. Cash, J. Jaeger, S. Jarecki, C. S. Jutla, H. Krawczyk, M. Rosu, and M. Steiner. Dynamic searchable encryption in very-large databases: Data structures and implementation. In NDSS, 2014.

  • [11] D. Cash, S. Jarecki, C. S. Jutla, H. Krawczyk, M. Rosu, and M. Steiner. Highly-scalable searchable symmetric encryption with support for boolean queries. In CRYPTO I, pages 353–373, 2013.

  • [12] D. Cash and S. Tessaro. The locality of searchable symmetric encryption. In EUROCRYPT, pages 351–368, 2014.

  • [13] C. che Tsai, D. E. Porter, and M. Vij. Graphene-sgx: A practical library OS for unmodified applications on SGX. In USENIX ATC, pages 645–658, 2017.

  • [14] V. Costan and S. Devadas. Intel SGX explained. IACR Cryptology ePrint Archive, 2016:86, 2016.

  • [15] F. Dall, G. D. Micheli, T. Eisenbarth, D. Genkin, N. Heninger, A. Moghimi, and Y. Yarom. Cachequote: Efficiently recovering long-term secrets of SGX EPID via cache attacks. IACR Trans. Cryptogr. Hardw. Embed. Syst., 2018(2):171–191, 2018.

  • [16] V. data breach incident report. https://regmedia.co.uk/2016/05/12/dbir_2016.pdf, 2016.

  • [17] M. Dzulfakar. Advanced mysql exploitation. Black Hat Las Vegas, 2009.

  • [18] S. Eskandarian and M. Zaharia. An oblivious general-purpose SQL database for the cloud. CoRR, abs/1710.00458, 2017.

  • [19] S. Faber, S. Jarecki, H. Krawczyk, Q. Nguyen, M. Rosu, and M. Steiner. Rich queries on encrypted data: Beyond exact matches. In ESORICS II, pages 123–145, 2015.

  • [20] B. Fisch, D. Vinayagamurthy, D. Boneh, and S. Gorbunov. IRON: functional encryption using intel SGX. In CCS, pages 765–782, 2017.

  • [21] B. Fuhry, R. Bahmani, F. Brasser, F. Hahn, F. Kerschbaum, and A. Sadeghi. Hardidx: Practical and secure index with SGX. In DBSec, pages 386–408, 2017.

  • [22] B. Fuller, M. Varia, A. Yerukhimovich, E. Shen, A. Hamlin, V. Gadepally, R. Shay, J. D. Mitchell, and R. K. Cunningham. Sok: Cryptographically protected database search. In IEEE SP, pages 172–191, 2017.

  • [23] T. Garfinkel and M. Rosenblum. When virtual is harder than real: Security challenges in virtual machine based computing environments. In HotOS, 2005.

  • [24] C. Gentry. Fully homomorphic encryption using ideal lattices. In STOC, pages 169–178, 2009.

  • [25] O. Goldreich and R. Ostrovsky. Software protection and simulation on oblivious rams. J. ACM, 43(3):431–473, 1996.

  • [26] Google. Encrypted BigQuery client. https://github.com/google/encrypted-bigquery-client, 2017.

  • [27] P. Grofig, I. Hang, M. Härterich, F. Kerschbaum, M. Kohler, A. Schaad, A. Schröpfer, and W. Tighzert. Privacy by encrypted databases. In Annual Privacy Forum, pages 56–69. Springer, 2014.

  • [28] P. Grubbs, M. Lacharité, B. Minaud, and K. G. Paterson. Pump up the volume: Practical database reconstruction from volume leakage on range queries. In CCS, pages 315–331, 2018.

  • [29] P. Grubbs, R. McPherson, M. Naveed, T. Ristenpart, and V. Shmatikov. Breaking web applications built on top of encrypted data. In ACM CCS, pages 1353–1364, 2016.

  • [30] P. Grubbs, T. Ristenpart, and V. Shmatikov. Why your encrypted database is not secure. In HotOS, pages 162–168, 2017.

  • [31] B. D. A. Guimaraes. Advanced sql injection to operating system full control. Black Hat Europe, 2009.

  • [32] S. Halevi and V. Shoup. Algorithms in helib. In CRYPTO I, pages 554–571, 2014.

  • [33] T. Hunt, Z. Zhu, Y. Xu, S. Peter, and E. Witchel. Ryoan: A distributed sandbox for untrusted computation on secret data. In OSDI, pages 533–549, 2016.

  • [34] Y. Ishai, E. Kushilevitz, S. Lu, and R. Ostrovsky. Private large-scale databases with distributed searchable symmetric encryption. In CT-RSA, pages 90–107, 2016.

  • [35] G. Kellaris, G. Kollios, K. Nissim, and A. O’Neill. Generic attacks on secure outsourced databases. In CCS, pages 1329–1340, 2016.

  • [36] J. Lee, J. S. Jang, Y. Jang, N. Kwak, Y. Choi, C. Choi, T. Kim, M. Peinado, and B. B. Kang. Hacking in darkness: Return-oriented programming against secure enclaves. In USENIX Security, pages 523–539, 2017.

  • [37] S. Lee, M. Shih, P. Gera, T. Kim, H. Kim, and M. Peinado. Inferring fine-grained control flow inside SGX enclaves with branch shadowing. In USENIX Security, pages 557–574, 2017.

  • [38] K. Lewi and D. J. Wu. Order-revealing encryption: New constructions, applications, and lower bounds. In CCS, pages 1167–1178, 2016.

  • [39] F. McKeen, I. Alexandrovich, A. Berenzon, C. V. Rozas, H. Shafi, V. Shanbhogue, and U. R. Savagaonkar. Innovative instructions and software model for isolated execution. In HASP, page 10, 2013.

  • [40] Microsoft SQL Server 2016. Always encrypted database engine. https://msdn.microsoft.com/en-us/library/mt163865.aspx, 2017.

  • [41] M. Naveed, S. Kamara, and C. V. Wright. Inference attacks on property-preserving encrypted databases. In ACM CCS, pages 644–655, 2015.

  • [42] O. Ohrimenko, F. Schuster, C. Fournet, A. Mehta, S. Nowozin, K. Vaswani, and M. Costa. Oblivious multi-party machine learning on trusted processors. In USENIX Security, pages 619–636, 2016.

  • [43] M. Orenbach, P. Lifshits, M. Minkin, and M. Silberstein. Eleos: Exitless OS services for SGX enclaves. In EuroSys, pages 238–253, 2017.

  • [44] A. Papadimitriou, R. Bhagwan, N. Chandran, R. Ramjee, A. Haeberlen, H. Singh, A. Modi, and S. Badrinarayanan. Big data analytics over encrypted datasets with seabed. In OSDI, pages 587–602, 2016.

  • [45] V. Pappas, F. Krell, B. Vo, V. Kolesnikov, T. Malkin, S. G. Choi, W. George, A. D. Keromytis, and S. M. Bellovin. Blind seer: A scalable private DBMS. In IEEE SP, pages 359–374, 2014.

  • [46] R. Poddar, T. Boelter, and R. A. Popa. Arx: A strongly encrypted database system. IACR Cryptology ePrint Archive, 2016:591, 2016.

  • [47] R. A. Popa, C. M. S. Redfield, N. Zeldovich, and H. Balakrishnan. Cryptdb: protecting confidentiality with encrypted query processing. In SOSP, pages 85–100, 2011.

  • [48] PostgreSQL 9.5.10 Documentation. Extensions. https://www.postgresql.org/docs/9.5/static/external-extensions.html, 2018. Accessed: 2018-01-29.

  • [49] C. Priebe, K. Vaswani, and M. Costa. Enclavedb: A secure database using SGX. In IEEE SP, pages 264–278, 2018.

  • [50] T. Ristenpart and S. Yilek. When good randomness goes bad: Virtual machine reset vulnerabilities and hedging deployed cryptography. In NDSS, 2010.

  • [51] F. Schuster, M. Costa, C. Fournet, C. Gkantsidis, M. Peinado, G. Mainar-Ruiz, and M. Russinovich. VC3: trustworthy data analytics in the cloud using SGX. In IEEE SP, pages 38–54, 2015.

  • [52] M. Schwarz, S. Weiser, D. Gruss, C. Maurice, and S. Mangard. Malware guard extension: Using SGX to conceal cache attacks. In DIMVA, pages 3–24, 2017.

  • [53] C. Tsai, K. S. Arora, N. Bandi, B. Jain, W. Jannen, J. John, H. A. Kalodner, V. Kulkarni, D. Oliveira, and D. E. Porter. Cooperation and security isolation of library oses for multiprocess applications. In EuroSys 2014, pages 9:1–9:14, 2014.

  • [54] N. Weichbrodt, A. Kurmus, P. R. Pietzuch, and R. Kapitza. Asyncshock: Exploiting synchronisation bugs in intel SGX enclaves. In ESORICS I, pages 440–457, 2016.

  • [55] Y. Xu, W. Cui, and M. Peinado. Controlled-channel attacks: Deterministic side channels for untrusted operating systems. In IEEE SP, pages 640–656, 2015.

  • [56] W. Zheng, A. Dave, J. G. Beekman, R. A. Popa, J. E. Gonzalez, and I. Stoica. Opaque: An oblivious and encrypted distributed analytics platform. In NSDI, pages 283–298, 2017.

OPEN ACCESS

Journal + Issues

Search