Inout Secure DB: Maximizing security for data INside and OUTside the database
Keywords: Data Privacy, Privacy by Design, Secure DBMS

Abstract: As cloud services are becoming an alternative to internal IT infrastructures in many organizations, guarantees of data privacy become a priority. This article presents a secure database system that takes privacy as a design principle. The proposed system offers improved privacy guarantees for data in primary and secondary memory as well as for data that is served to users as the result of SQL queries. Data in working memory is protected using Intel's SGX platform for trusted execution, while data in secondary memory is protected using network coding for secure storage. SGX provides hardware-based processing privacy, offering protection against a wide range of sophisticated attacks. Network coding provides inter- and intra-cloud privacy for stored data (using storage provided by Chocolate Cloud). For privacy of data served to the outside world, we propose a flexible role-based access control mechanism that anonymizes data at query time. We have implemented a modular, multi-service architecture that is well suited to the advantages and limitations of the SGX platform. We present the architecture of the system, its components and a performance evaluation.
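The abstract's third layer, role-based access control that anonymizes data at query time, can be illustrated with a small Python program. This is an added example, not code from the paper or its system: it assumes an in-memory SQLite table with constructed sample rows, hypothetical roles (clinician, researcher, billing) and a hypothetical per-column policy (serve unchanged, pseudonymize, generalize, mask, or drop). One design point it makes explicit is that query-time anonymization must also constrain predicates: a role that sees a column only in generalized form must not be allowed to filter on its exact value, or the returned row set would leak it.

```python
import hashlib
import sqlite3
from typing import Callable, Dict, List, Optional

# Constructed sample data (not from the paper): a tiny patient registry.
SAMPLE_ROWS = [
    ("Alice Andersen", "alice@example.org", "1984-03-12", "8000", "diabetes"),
    ("Bo Berg", "bo@example.org", "1979-11-02", "8200", "asthma"),
    ("Cai Christensen", "cai@example.org", "1991-07-23", "8000", "migraine"),
]
# Known schema; column and table identifiers are taken from here, never from callers.
TABLES = {"patients": ["name", "email", "dob", "zip", "diagnosis"]}


# Column transforms applied to each served value at query time.
def identity(v):
    return v

def mask_email(v):
    local, _, domain = v.partition("@")
    return local[:1] + "***@" + domain

def year_only(v):          # generalize a date of birth to its year
    return v[:4]

def zip_prefix(v):         # coarsen a postal code to its first two digits
    return v[:2] + "xx"

def pseudonym(v):          # stable, one-way pseudonym for a direct identifier
    return "P-" + hashlib.sha256(v.encode()).hexdigest()[:8]


# Hypothetical policy: role -> column -> transform. A column missing from a
# role's policy is never served to that role; "identity" serves it unchanged.
POLICIES: Dict[str, Dict[str, Callable]] = {
    "clinician": {c: identity for c in TABLES["patients"]},
    "researcher": {"name": pseudonym, "dob": year_only, "zip": zip_prefix, "diagnosis": identity},
    "billing": {"name": identity, "email": mask_email, "zip": identity},
}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (name TEXT, email TEXT, dob TEXT, zip TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def select_as(conn: sqlite3.Connection, role: str, table: str,
              filters: Optional[Dict[str, str]] = None) -> List[dict]:
    """Serve rows of `table` to `role`, anonymized per POLICIES; deny by default."""
    policy = POLICIES.get(role)
    if policy is None or table not in TABLES:
        raise PermissionError(f"role {role!r} has no policy for {table!r}")
    filters = filters or {}
    # Predicates may only reference columns this role sees unchanged; a WHERE on a
    # hidden or generalized column would leak the exact value through the row set.
    for col in filters:
        if policy.get(col) is not identity:
            raise PermissionError(f"role {role!r} may not filter on {col!r}")
    cols = [c for c in TABLES[table] if c in policy]
    sql = f"SELECT {', '.join(cols)} FROM {table}"
    params: List[str] = []
    if filters:
        sql += " WHERE " + " AND ".join(f"{c} = ?" for c in filters)
        params = list(filters.values())
    sql += " ORDER BY rowid"
    rows = conn.execute(sql, params).fetchall()
    return [{c: policy[c](v) for c, v in zip(cols, row)} for row in rows]


if __name__ == "__main__":
    db = make_db()
    for r in ("clinician", "researcher", "billing"):
        print(r, select_as(db, r, "patients")[0])
```

The same table serves three different views without any duplicated or pre-anonymized copy of the data, which is the property the abstract attributes to query-time anonymization. Dropping a column from a role's policy removes it both from the projection and from the set of columns that role may filter on.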