research-article

EnclaveCache: A Secure and Scalable Key-value Cache in Multi-tenant Clouds using Intel SGX

Authors:

Hans-Arno JacobsenAuthors Info & Claims

Middleware '19: Proceedings of the 20th International Middleware Conference

Pages 14 - 27

https://doi.org/10.1145/3361525.3361533

Published: 09 December 2019 Publication History

Abstract

With in-memory key-value caches such as Redis and Memcached being a key component for many systems to improve throughput and reduce latency, cloud caches have been widely adopted for small companies to deploy their own cache systems. However, data security is still a major concern, which affects the adoption of cloud caches. Tenant's data stored in a multi-tenant cloud environment faces threats from both co-located other tenants, as well as the untrusted cloud provider.

We proposed EnclaveCache, which is a multi-tenant key-value cache that provides data confidentiality and privacy leveraging Intel Software Guard Extensions (SGX). Enclave-Cache utilizes multiple SGX enclaves to enforce data isolation among co-located tenants. With a carefully designed key distribution procedure, EnclaveCache ensures that a tenant-specific encryption key is securely guarded by an enclave to perform cryptography operations towards tenant's data. Experimental results show that EnclaveCache achieves comparable performance to traditional key-value caches (with secure communication) with a performance overhead of 13% while ensuring security guarantees and better scalability.

References

[1]

[n. d.]. Amazon Elasticache. https://aws.amazon.com/elasticache/.

[2]

[n. d.]. Intel Software Guard Extensions (Intel SGX) SDK. https://software.intel.com/sgx-sdk.

[3]

[n. d.]. Intel Vtune Amplifier. https://software.intel.com/en-us/vtune.

[4]

[n. d.]. mbedtls-SGX. https://github.com/bl4ck5un/mbedtls-SGX.

[5]

[n. d.]. Memcached, a distributed memory object caching system. https://memcached.org/.

[6]

[n. d.]. Memcachier. https://www.memcachier.com/.

[7]

[n. d.]. Redis. https://redis.io/.

[8]

[n. d.]. Redis Labs. https://www.redislabs.com/.

[9]

[n. d.]. Redis Protocol specification. https://redis.io/topics/protocol.

[10]

[n. d.]. SELECT index. https://redis.io/commands/select.

[11]

Amjad Alsirhani, Peter Bodorik, and Srinivas Sampalli. 2017. Improving database security in cloud computing by fragmentation of data. In Computer and Applications (ICCA), 2017 International Conference on. IEEE, 43--49.

[12]

Ittai Anati, Shay Gueron, Simon Johnson, and Vincent Scarlata. 2013. Innovative technology for CPU based attestation and sealing. In Proceedings of the 2nd international workshop on hardware and architectural support for security and privacy, Vol. 13. ACM New York, NY, USA.

[13]

Arvind Arasu, Spyros Blanas, Ken Eguro, Raghav Kaushik, Donald Kossmann, Ravishankar Ramamurthy, and Ramarathnam Venkatesan. 2013. Orthogonal Security with Cipherbase. In CIDR. Citeseer.

[14]

Arvind Arasu, Ken Eguro, Raghav Kaushik, Donald Kossmann, Pingfan Meng, Vineet Pandey, and Ravi Ramamurthy. 2017. Concerto: A high concurrency key-value store with integrity. In Proceedings of the 2017 ACM International Conference on Management of Data. ACM, 251--266.

Digital Library

[15]

Sergei Arnautov, Andrey Brito, Pascal Felber, Christof Fetzer, Franz Gregor, Robert Krahn, Wojciech Ozga, André Martin, Valerio Schiavoni, Fábio Silva, et al. 2018. PubSub-SGX: Exploiting Trusted Execution Environments for Privacy-Preserving Publish/Subscribe Systems. In 2018 IEEE 37th Symposium on Reliable Distributed Systems (SRDS). IEEE, 123--132.

[16]

Sergei Arnautov, Bohdan Trach, Franz Gregor, Thomas Knauth, Andre Martin, Christian Priebe, Joshua Lind, Divya Muthukumaran, Dan O'keeffe, Mark Stillwell, et al. 2016. SCONE: Secure Linux Containers with Intel SGX. In OSDI, Vol. 16. 689--703.

Digital Library

[17]

Maurice Bailleu, Jörg Thalheim, Pramod Bhatotia, Christof Fetzer, Michio Honda, and Kapil Vaswani. 2019. {SPEICHER}: Securing LSM-based Key-Value Stores using Shielded Execution. In 17th { USENIX} Conference on File and Storage Technologies ({FAST} 19). 173--190.

[18]

Sumeet Bajaj and Radu Sion. 2014. Trusteddb: A trusted hardware-based database with privacy and data confidentiality. IEEE Transactions on Knowledge and Data Engineering 26, 3 (2014), 752--765.

Digital Library

[19]

Andrew Baumann, Marcus Peinado, and Galen Hunt. 2015. Shielding applications from an untrusted cloud with Haven. ACM Transactions on Computer Systems (TOCS) 33, 3 (2015), 8.

Digital Library

[20]

Mihir Bellare and Chanathip Namprempre. 2000. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 531--545.

Digital Library

[21]

Ferdinand Brasser, Urs Müller, Alexandra Dmitrienko, Kari Kostiainen, Srdjan Capkun, and Ahmad-Reza Sadeghi. 2017. Software grand exposure: SGX cache attacks are practical. arXiv preprint arXiv.1702.07521 (2017), 33.

[22]

Stefan Brenner, Colin Wulf, David Goltzsche, Nico Weichbrodt, Matthias Lorenz, Christof Fetzer, Peter Pietzuch, and Rüdiger Kapitza. 2016. Securekeeper: Confidential ZooKeeper using Intel SGX. In Proceedings of the 17th International Middleware Conference. ACM, 14.

Digital Library

[23]

Dorian Burihabwa, Pascal Felber, Hugues Mercier, and Valerio Schiavoni. 2018. SGX-FS: Hardening a File System in User-Space with Intel SGX. In 2018 IEEE International Conference on Cloud Computing Technology and Science (CloudCom). IEEE, 67--72.

[24]

Brian F Cooper, Adam Silberstein, Erwin Tam, Raghu Ramakrishnan, and Russell Sears. 2010. Benchmarking cloud serving systems with YCSB. In Proceedings of the 1st ACM symposium on Cloud computing. ACM, 143--154.

Digital Library

[25]

David Goltzsche, Signe Rüsch, Manuel Nieke, Sébastien Vaucher, Nico Weichbrodt, Valerio Schiavoni, Pierre-Louis Aublin, Paolo Cosa, Christof Fetzer, Pascal Felber, et al. 2018. Endbox: Scalable middle-box functions using client-side trusted execution. In 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 386--397.

[26]

David Goltzsche, Colin Wulf, Divya Muthukumaran, Konrad Rieck, Peter Pietzuch, and Rüdiger Kapitza. 2017. Trustjs: Trusted client-side Execution of Javascript. In Proceedings of the 10th European Workshop on Systems Security. ACM, 7.

Digital Library

[27]

Paul Grubbs, Kevin Sekniqi, Vincent Bindschaedler, Muhammad Naveed, and Thomas Ristenpart. 2017. Leakage-abuse attacks against order-revealing encryption. In Security and Privacy (SP), 2017 IEEE Symposium on. IEEE, 655--672.

[28]

David Gullasch, Endre Bangerter, and Stephan Krenn. 2011. Cache games-Bringing access-based cache attacks on AES to practice. In Security and Privacy (SP), 2011 IEEE Symposium on. IEEE, 490--505.

Digital Library

[29]

Matthew Hoekstra, Reshma Lal, Pradeep Pappachan, Vinay Phegade, and Juan Del Cuvillo. 2013. Using innovative instructions to create trustworthy software solutions. HASP@ ISCA 11 (2013).

[30]

Tyler Hunt, Zhiting Zhu, Yuanzhong Xu, Simon Peter, and Emmett Witchel. 2018. Ryoan: A distributed sandbox for untrusted computation on secret data. ACM Transactions on Computer Systems (TOCS) 35, 4 (2018), 13.

Digital Library

[31]

Florian Kelbert, Franz Gregor, Rafael Pires, Stefan Köpsell, Marcelo Pasin, Aurélien Havet, Valerio Schiavoni, Pascal Felber, Christof Fetzer, and Peter Pietzuch. 2017. Securecloud: Secure big data processing in untrusted clouds. In Proceedings of the Conference on Design, Automation & Test in Europe. European Design and Automation Association, 282--285.

Digital Library

[32]

Taehoon Kim, Joongun Park, Jaewook Woo, Seungheun Jeon, and Jaehyuk Huh. 2019. ShieldStore: Shielded In-memory Key-value Storage with SGX. In Proceedings of the Fourteenth EuroSys Conference 2019. ACM, 14.

Digital Library

[33]

P Ravi Kumar, P Herbert Raj, and P Jelciana. 2018. Exploring data security issues and solutions in cloud computing. Procedia Computer Science 125 (2018), 691--697.

[34]

Dmitrii Kuvaiskii, Oleksii Oleksenko, Sergei Arnautov, Bohdan Trach, Pramod Bhatotia, Pascal Felber, and Christof Fetzer. 2017. SGXBOUNDS: Memory safety for shielded execution. In Proceedings of the Twelfth European Conference on Computer Systems. ACM, 205--221.

Digital Library

[35]

Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim, Hyesoon Kim, and Marcus Peinado. 2017. Inferring fine-grained control flow inside SGX enclaves with branch shadowing. In 26th USENIX Security Symposium, USENIX Security. 16--18.

Digital Library

[36]

David McGrew and John Viega. 2004. The Galois/counter mode of operation (GCM). Submission to NIST Modes of Operation Process 20 (2004).

[37]

Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V Rozas, Hisham Shafi, Vedvyas Shanbhogue, and Uday R Savagaonkar. 2013. Innovative instructions and software model for isolated execution. HASP@ ISCA 10 (2013).

[38]

Sonia Ben Mokhtar, Antoine Boutet, Pascal Felber, Marcelo Pasin, Rafael Pires, and Valerio Schiavoni. 2017. X-search: Revisiting private web search using Intel SGX. In Proceedings of the 18th ACM/IFIP/USENIX Middleware Conference. ACM, 198--208.

Digital Library

[39]

Muhammad Naveed, Seny Kamara, and Charles V Wright. 2015. Inference attacks on property-preserving encrypted databases. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 644--655.

Digital Library

[40]

Rajesh Nishtala, Hans Fugal, Steven Grimm, Marc Kwiatkowski, Herman Lee, Harry C Li, Ryan McElroy, Mike Paleczny, Daniel Peek, Paul Saab, et al. 2013. Scaling Memcache at Facebook. In nsdi, Vol. 13. 385--398.

[41]

Rafael Pires, David Goltzsche, Sonia Ben Mokhtar, Sara Bouchenak, Antoine Boutet, Pascal Felber, Rüdiger Kapitza, Marcelo Pasin, and Valerio Schiavoni. 2018. CYCLOSA: Decentralizing Private Web Search Through SGX-Based Browser Extensions. In 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS). IEEE, 467--477.

[42]

Rafael Pires, Marcelo Pasin, Pascal Felber, and Christof Fetzer. 2016. Secure content-based routing using Intel Software Guard Extensions. In Proceedings of the 17th International Middleware Conference. ACM, 10.

Digital Library

[43]

Raluca Ada Popa, Catherine Redfield, Nickolai Zeldovich, and Hari Balakrishnan. 2011. CryptDB: protecting confidentiality with encrypted query processing. In Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles. ACM, 85--100.

Digital Library

[44]

Christian Priebe, Kapil Vaswani, and Manuel Costa. 2018. EnclaveDB: A Secure Database using SGX. In EnclaveDB: A Secure Database using SGX. IEEE, 0.

[45]

Qifan Pu, Haoyuan Li, Matei Zaharia, Ali Ghodsi, and Ion Stoica. 2016. FairRide: Near-Optimal, Fair Cache Sharing. In NSDI. 393--406.

[46]

Kui Ren, Cong Wang, and Qian Wang. 2012. Security challenges for the public cloud. IEEE Internet Computing 16, 1 (2012), 69--73.

Digital Library

[47]

Vasily A Sartakov, Stefan Brenner, Sonia Ben Mokhtar, Sara Bouchenak, Gaël Thomas, and Rüdiger Kapitza. 2018. EActors: Fast and flexible trusted computing using SGX. In Proceedings of the 19th International Middleware Conference. ACM, 187--200.

Digital Library

[48]

Felix Schuster, Manuel Costa, Cédric Fournet, Christos Gkantsidis, Marcus Peinado, Gloria Mainar-Ruiz, and Mark Russinovich. 2015. VC3: Trustworthy data analytics in the cloud using SGX. In Security and Privacy (SP), 2015 IEEE Symposium on. IEEE, 38--54.

Digital Library

[49]

Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice, and Stefan Mangard. 2017. Malware guard extension: Using SGX to conceal cache attacks. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, 3--24.

[50]

Jaebaek Seo, Byoungyoung Lee, Seong Min Kim, Ming-Wei Shih, Insik Shin, Dongsu Han, and Taesoo Kim. 2017. SGX-Shield: Enabling Address Space Layout Randomization for SGX Programs. In NDSS.

[51]

Ming-Wei Shih, Sangho Lee, Taesoo Kim, and Marcus Peinado. 2017. T-SGX: Eradicating controlled-channel attacks against enclave programs. In Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA.

[52]

Shweta Shinde, Zheng Leong Chua, Viswesh Narayanan, and Prateek Saxena. 2016. Preventing page faults from telling your secrets. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. ACM, 317--328.

Digital Library

[53]

Shweta Shinde, Dat Le Tien, Shruti Tople, and Prateek Saxena. 2017. Panoply: Low-TCB Linux Applications With SGX Enclaves.

[54]

David Shue, Michael J Freedman, and Anees Shaikh. 2012. Performance Isolation and Fairness for Multi-Tenant Cloud Storage. In OSDI, Vol. 12. Hollywood, CA, 349--362.

[55]

Rohit Sinha and Mihai Christodorescu. 2018. VeritasDB: High Throughput Key-Value Store with Integrity. IACR Cryptology ePrint Archive 2018 (2018), 251.

[56]

E Stewart. 2004. Intel integrated performance primitives: How to optimize software applications using Intel IPP. (2004).

[57]

Hongliang Tian, Qiong Zhang, Shoumeng Yan, Alex Rudnitsky, Liron Shacham, Ron Yariv, and Noam Milshten. 2018. Switchless Calls Made Practical in Intel SGX. In Proceedings of the 3rd Workshop on System Software for Trusted Execution. ACM, 22--27.

Digital Library

[58]

Chia-Che Tsai, Donald E Porter, and Mona Vij. 2017. Graphene-SGX: A practical library OS for unmodified applications on SGX. In 2017 USENIX Annual Technical Conference (USENIX ATC).

[59]

Stephen Tu, M Frans Kaashoek, Samuel Madden, and Nickolai Zeldovich. 2013. Processing analytical queries over encrypted data. In Proceedings of the VLDB Endowment, Vol. 6. VLDB Endowment, 289--300.

Digital Library

[60]

Wesley Wong. 2001. Stunnel: SSLing Internet Services Easily. SANS Institute, November (2001).

[61]

Yinqian Zhang, Ari Juels, Michael K Reiter, and Thomas Ristenpart. 2014. Cross-tenant side-channel attacks in PaaS clouds. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM, 990--1003.

Digital Library

Cited By

Zhang FLiu DZhao FLiu XChang YWang RZhang HSun LXu S(2024)Security Enhancement Method for MQTT Based on TEE2024 International Conference on Networking and Network Applications (NaNA)10.1109/NaNA63151.2024.00027(118-124)Online publication date: 9-Aug-2024
https://doi.org/10.1109/NaNA63151.2024.00027
Tanigassalame SPipereau YChader AToljaga JThomas G(2024)FastSGX: A Message-Passing Based Runtime for SGXAdvanced Information Networking and Applications10.1007/978-3-031-57916-5_7(74-85)Online publication date: 9-Apr-2024
https://doi.org/10.1007/978-3-031-57916-5_7
Briongos SKarame GSoriente CWilde A(2023)No Forking Way: Detecting Cloning Attacks on Intel SGX ApplicationsProceedings of the 39th Annual Computer Security Applications Conference10.1145/3627106.3627187(744-758)Online publication date: 4-Dec-2023
https://dl.acm.org/doi/10.1145/3627106.3627187
Show More Cited By

Index Terms

EnclaveCache: A Secure and Scalable Key-value Cache in Multi-tenant Clouds using Intel SGX
1. Security and privacy
  1. Systems security
    1. Operating systems security
      1. Trusted computing

Recommendations

A Comprehensive Study of Co-residence Threat in Multi-tenant Public PaaS Clouds
Information and Communications Security
Abstract
Public Platform-as-a-Service (PaaS) clouds are always multi-tenant. Applications from different tenants may reside on the same physical machine, which introduces the risk of sharing physical resources with a potentially malicious application. This ...
Secure Networking for Virtual Machines in the Cloud
CLUSTERW '12: Proceedings of the 2012 IEEE International Conference on Cluster Computing Workshops

Cloud computing improves utilization and flexibility of allocating computing resources while reducing the infrastructural costs. However, cloud technology is still proprietary in many cases and is tainted by security issues rooted in the multi-tenant ...
Towards Dynamic Tenant Management for Microservice based Multi-Tenant SaaS Applications
ISEC '18: Proceedings of the 11th Innovations in Software Engineering Conference

In a multi-tenant cloud application, more than one heterogeneous tenants share the single instance of the application. It increases the degree of resource sharing among tenants and brings down the operational cost. In this work, we propose a ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

Middleware '19: Proceedings of the 20th International Middleware Conference

December 2019

342 pages

ISBN:9781450370097

DOI:10.1145/3361525

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 December 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

Middleware '19

Sponsor:

ACM

Middleware '19: 20th International Middleware Conference

December 9 - 13, 2019

CA, Davis, USA

Acceptance Rates

Overall Acceptance Rate 203 of 948 submissions, 21%

Upcoming Conference

MIDDLEWARE '24

25th International Middleware Conference

December 2 - 6, 2024

Hong Kong , Hong Kong

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

16
Total Citations
View Citations
852
Total Downloads

Downloads (Last 12 months)94
Downloads (Last 6 weeks)9

Reflects downloads up to 12 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Zhang FLiu DZhao FLiu XChang YWang RZhang HSun LXu S(2024)Security Enhancement Method for MQTT Based on TEE2024 International Conference on Networking and Network Applications (NaNA)10.1109/NaNA63151.2024.00027(118-124)Online publication date: 9-Aug-2024
https://doi.org/10.1109/NaNA63151.2024.00027
Tanigassalame SPipereau YChader AToljaga JThomas G(2024)FastSGX: A Message-Passing Based Runtime for SGXAdvanced Information Networking and Applications10.1007/978-3-031-57916-5_7(74-85)Online publication date: 9-Apr-2024
https://doi.org/10.1007/978-3-031-57916-5_7
Briongos SKarame GSoriente CWilde A(2023)No Forking Way: Detecting Cloning Attacks on Intel SGX ApplicationsProceedings of the 39th Annual Computer Security Applications Conference10.1145/3627106.3627187(744-758)Online publication date: 4-Dec-2023
https://dl.acm.org/doi/10.1145/3627106.3627187
Barrios CKumar M(2023)Service Caching and Computation Reuse Strategies at the Edge: A SurveyACM Computing Surveys10.1145/360950456:2(1-38)Online publication date: 20-Jul-2023
https://dl.acm.org/doi/10.1145/3609504
Will NMaziero C(2023)Intel Software Guard Extensions Applications: A SurveyACM Computing Surveys10.1145/359302155:14s(1-38)Online publication date: 17-Jul-2023
https://dl.acm.org/doi/10.1145/3593021
Shen CFan L(2023)Pldb: Protecting LSM-based Key-Value Store using Trusted Execution Environment2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)10.1109/TrustCom60117.2023.00111(762-771)Online publication date: 1-Nov-2023
https://doi.org/10.1109/TrustCom60117.2023.00111
Abdulsalam YBouamama JBenkaouz YHedabou M(2023)Decentralized SGX-Based Cloud Key ManagementNetwork and System Security10.1007/978-3-031-39828-5_18(327-341)Online publication date: 7-Aug-2023
https://doi.org/10.1007/978-3-031-39828-5_18
Mishra NChakraborty AChatterjee UMukhopadhyay D(2023)Time’s a Thief of MemorySmart Card Research and Advanced Applications10.1007/978-3-031-25319-5_1(3-24)Online publication date: 29-Jan-2023
https://doi.org/10.1007/978-3-031-25319-5_1
Correia CCorreia MRodrigues L(2022)Omega: A Secure Event Ordering Service for the EdgeIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2021.307852019:5(2952-2964)Online publication date: 1-Sep-2022
https://doi.org/10.1109/TDSC.2021.3078520
Al Azad MMastorakis S(2022)The Promise and Challenges of Computation Deduplication and Reuse at the Network EdgeIEEE Wireless Communications10.1109/MWC.010.210057529:6(112-118)Online publication date: Dec-2022
https://doi.org/10.1109/MWC.010.2100575
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents