Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shroud: Ensuring Private Access to Large-Scale Data in the Data Center James MickensBryan ParnoMariana RaykovaJoshua SchiffmanJacob R. Lorch.

Published byIsabella Black Modified over 8 years ago

Similar presentations

Presentation on theme: "Shroud: Ensuring Private Access to Large-Scale Data in the Data Center James MickensBryan ParnoMariana RaykovaJoshua SchiffmanJacob R. Lorch."— Presentation transcript:

1 Shroud: Ensuring Private Access to Large-Scale Data in the Data Center James MickensBryan ParnoMariana RaykovaJoshua SchiffmanJacob R. Lorch

2 Jay Lorch, Microsoft ResearchShroud2 Our goal: Let users access cloud data without revealing private information to service providers.

3 Even if you trust a service provider, you may not trust it to resist attack. ShroudJay Lorch, Microsoft Research3 hackersbribed employees rogue employeessubpoenas

4 Jay Lorch, Microsoft ResearchShroud4 Theory Practice You are here Twitter, Facebook, Flickr, Bing Maps, etc. Oblivious RAM

5 Access patterns reveal private information. ShroudJay Lorch, Microsoft Research5 To: PBroadwell72@outlook.com L-bycx Deduce content from encrypted queries (Islam, Kuzu, Kantarcioglu 2012)

6 Access patterns reveal private information. ShroudJay Lorch, Microsoft Research6 Shroud

7 Shroud: Provide a virtual disk that hides not just content, but addresses. Jay Lorch, Microsoft ResearchShroud7 L-bycx Threat model: Controls storage Observes all traffic Can’t break crypto Can’t tamper with or see inside secure hardware

8 “Oblivious RAM” protocols are slow, particularly on large data. ShroudJay Lorch, Microsoft Research8 Data setNumber of objectsObject size Bing map tiles (zoom level 17)2 35 10 KB Twitter tweets2 35 0.14 KB Facebook images2 36 10 KB Flickr photos2 32 5 MB Hierarchical scheme (Goldreich and Ostrovsky 1996) on an $8,000 IBM 4764 Average request: 2 minutes Every 10,000th request: 1.5 hours Every 10,000,000th request: a week! Use massive parallelism to speed up by orders of magnitude.

9 Contributions of Shroud ShroudJay Lorch, Microsoft Research9 ChallengeApproach Result Oblivious RAM algorithms are slow Adapt Binary Tree algorithm to enable massive parallelism Worst-case access time goes from days to seconds Inter-device communication reveals information Use deterministic communication schedule Privacy preserved despite parallelism Data aggregation creates bandwidth bottleneck Leverage cryptography with oblivious aggregation I/O time reduced by a factor of two or more With many components, failures are frequent Use deterministic operations and replication Fault tolerance Binary Tree algorithm assumes honest-but- curious adversary Use Merkle trees to efficiently attest to states Can tolerate Byzantine malicious adversary

10 Talk outline Overview Background on oblivious RAM Design of Shroud Implementation Performance evaluation Future work Conclusions ShroudJay Lorch, Microsoft Research10 Theory Practice You are here

11 Talk outline Overview Background on oblivious RAM Design of Shroud Implementation Performance evaluation Future work Conclusions ShroudJay Lorch, Microsoft Research11 A whole lotta background on Oblivious RAM

12 Oblivious RAM enables efficient oblivious access. Jay Lorch, Microsoft ResearchShroud12 123458679123458679 This is not a real ORAM algorithm, just an illustration of the kinds of things ORAM does. CAUTION!

13 Oblivious RAM approach enables efficient access. Jay Lorch, Microsoft ResearchShroud13 123458679123 312 This is not a real ORAM algorithm, just an illustration of the kinds of things ORAM does. CAUTION!

14 This is not a real ORAM algorithm, just an illustration of the kinds of things ORAM does. CAUTION! Oblivious RAM approach enables efficient access. Jay Lorch, Microsoft ResearchShroud14 813927546 8, 1, 3, 9, 2, 5, 4, 7, 6

15 Oblivious RAM approach enables efficient access. Jay Lorch, Microsoft ResearchShroud15 813927546 5 Give me #6 CAUTION! This is not a real ORAM algorithm, just an illustration of the kinds of things ORAM does. Item #5 is at position #6

16 8, 1, 3, 9, 2, 5, 4, 7, 6 Data center Challenges: High WAN bandwidth and multi-user support. ShroudJay Lorch, Microsoft Research16 ORAM (lots of permutation) 8, 1, 3, 9, 2, 5, 4, 7, 6

17 Iliev and Smith 2005 Data center Trusted computing allows multiple users and reduces WAN use. ShroudJay Lorch, Microsoft Research17 Trusted coprocessor ORAM Intel TXT AMD-V

18 The Binary Tree algorithm offers advantages for data center operation. Jay Lorch, Microsoft ResearchShroud18 “Binary Tree” ORAM algorithm properties: Worst-case cost O(log 3 N) with low constant Suitable for parallelization Shi, Chan, Stefanov, Li 2011

19 Background: Binary Tree Algorithm Jay Lorch, Microsoft ResearchShroud19 How untrusted storage is organized How to look up a block How to move a looked-up block so it’s accessed differently next time Shi, Chan, Stefanov, Li 2011

20 Background: Binary Tree Algorithm Jay Lorch, Microsoft ResearchShroud20 How untrusted storage is organized How to look up a block How to move a looked-up block so it’s accessed differently next time Shi, Chan, Stefanov, Li 2011

21 Untrusted storage is physically an array… Jay Lorch, Microsoft ResearchShroud21

22 …but logically organized as a tree with log 2 N levels. Jay Lorch, Microsoft ResearchShroud22

23 Each node is a bucket containing O(log N) blocks. Jay Lorch, Microsoft ResearchShroud23

24 A block is inserted at the root. Jay Lorch, Microsoft ResearchShroud24 Encrypted with private key Address: 7 Block contents: “ABC…” Designator: LRRL

25 A shuffle makes room at the top by pushing down blocks. Jay Lorch, Microsoft ResearchShroud25 Selection must be random, unaffected by access pattern.

26 A shuffle makes room at the top by pushing down two blocks in each level. Jay Lorch, Microsoft ResearchShroud26 Selection must be random, unaffected by access pattern.

27 A shuffle hides which way the block goes. Jay Lorch, Microsoft ResearchShroud27 R

28 Background: Binary Tree Algorithm Jay Lorch, Microsoft ResearchShroud28 How untrusted storage is organized How to look up a block How to move a looked-up block so it’s accessed differently next time Shi, Chan, Stefanov, Li 2011

29 A block follows the path of its designator. Jay Lorch, Microsoft ResearchShroud29 L L R R Encrypted with private key Address: 7 Block contents: “ABC…” Designator: LRRL

30 The trusted device holds a mapping from addresses to designators. Jay Lorch, Microsoft ResearchShroud30 123456789 LLRRLRLRRRRLRRRRRLLRRLRLLRRLLLRRLLLL …

31 The device uses the designator to find the block at that address. Jay Lorch, Microsoft ResearchShroud31 123456789 LLRRLRLRRRRLRRRRRLLRRLRLLRRLLLRRLLLL … L L R R

32 Background: Binary Tree Algorithm Jay Lorch, Microsoft ResearchShroud32 How untrusted storage is organized How to look up a block How to move a looked-up block so it’s accessed differently next time Shi, Chan, Stefanov, Li 2011

33 After a block is looked up, it needs to be reinserted with a new designator. Jay Lorch, Microsoft ResearchShroud33 123456789 LLRRLRLRRRRLRRRRRLLRRLRLLRRLLLRRLLLL … L L R R RLLR

34 An oblivious insert necessitates re-encrypting all entries on path. Jay Lorch, Microsoft ResearchShroud34 123456789 LLRRLRLRRRRLRRRRRLLRRLRLLRRLLLRRLLLL … L L R R

35 An oblivious insert necessitates re-encrypting all entries on path. Jay Lorch, Microsoft ResearchShroud35 123456789 LLRRLRLRRRRLRRRRRLLRRLRLLRRLLLRRLLLL … L L R R RLLR

36 Talk outline Overview Background on oblivious RAM Design of Shroud Implementation Performance evaluation Future work Conclusions ShroudJay Lorch, Microsoft Research36

37 Contributions of Shroud ShroudJay Lorch, Microsoft Research37 ChallengeApproach Result Oblivious RAM algorithms are slow Adapt Binary Tree algorithm to enable massive parallelism Worst-case access time goes from days to seconds Inter-device communication reveals information Use deterministic communication schedule Privacy preserved despite parallelism Data aggregation creates bandwidth bottleneck Leverage cryptography with oblivious aggregation I/O time reduced by a factor of two or more With many components, failures are frequent Use deterministic operations and replication Fault tolerance Binary Tree algorithm assumes honest-but- curious adversary Use Merkle trees to efficiently attest to states Can tolerate Byzantine malicious adversary

38 Smart cards offer massive parallelism cheaply. Jay Lorch, Microsoft ResearchShroud38

39 Lookup can be parallelized. Jay Lorch, Microsoft ResearchShroud39 L L R R

40 Contributions of Shroud ShroudJay Lorch, Microsoft Research40 ChallengeApproach Result Oblivious RAM algorithms are slow Adapt Binary Tree algorithm to enable massive parallelism Worst-case access time goes from days to seconds Inter-device communication reveals information Use deterministic communication schedule Privacy preserved despite parallelism Data aggregation creates bandwidth bottleneck Leverage cryptography with oblivious aggregation I/O time reduced by a factor of two or more With many components, failures are frequent Use deterministic operations and replication Fault tolerance Binary Tree algorithm assumes honest-but- curious adversary Use Merkle trees to efficiently attest to states Can tolerate Byzantine malicious adversary

41 Reporting the found block is trickier. Jay Lorch, Microsoft ResearchShroud41

42 Reporting the found block creates a bottleneck. Jay Lorch, Microsoft ResearchShroud42

43 An aggregation tree reduces bandwidth. Jay Lorch, Microsoft ResearchShroud43

44 An aggregation tree reduces bandwidth. Jay Lorch, Microsoft ResearchShroud44

45 An aggregation tree reduces bandwidth. Jay Lorch, Microsoft ResearchShroud45

46 Even using an aggregation tree uses O(log log N) bandwidth. Jay Lorch, Microsoft ResearchShroud46 Cryptography can let us leverage the untrusted servers!

47 Contributions of Shroud ShroudJay Lorch, Microsoft Research47 ChallengeApproach Result Oblivious RAM algorithms are slow Adapt Binary Tree algorithm to enable massive parallelism Worst-case access time goes from days to seconds Inter-device communication reveals information Use deterministic communication schedule Privacy preserved despite parallelism Data aggregation creates bandwidth bottleneck Leverage cryptography with oblivious aggregation I/O time reduced by a factor of two or more With many components, failures are frequent Use deterministic operations and replication Fault tolerance Binary Tree algorithm assumes honest-but- curious adversary Use Merkle trees to efficiently attest to states Can tolerate Byzantine malicious adversary

48 Oblivious aggregation lets us avoid trusted component I/O Jay Lorch, Microsoft ResearchShroud48

49 Oblivious aggregation uses a pseudorandom function. Jay Lorch, Microsoft ResearchShroud49 A1A1 A2A2 A2A2 A3A3 A3A3 A4A4 A n-1 AnAn AnAn A1A1 A i = PRF K (Nonce || i) Data

50 Oblivious aggregation uses a pseudorandom function. Jay Lorch, Microsoft ResearchShroud50 A1A1 A2A2 A2A2 A3A3 A3A3 A4A4 A n-1 AnAn AnAn A1A1 A i = PRF K (Nonce || i) Data =

51 Oblivious aggregation uses a pseudorandom function. Jay Lorch, Microsoft ResearchShroud51 A1A1 A2A2 A2A2 A3A3 A3A3 A4A4 A n-1 AnAn AnAn A1A1 A i = PRF K (Nonce || i) Data =

52 Contributions of Shroud ShroudJay Lorch, Microsoft Research52 ChallengeApproach Result Oblivious RAM algorithms are slow Adapt Binary Tree algorithm to enable massive parallelism Worst-case access time goes from days to seconds Inter-device communication reveals information Use deterministic communication schedule Privacy preserved despite parallelism Data aggregation creates bandwidth bottleneck Leverage cryptography with oblivious aggregation I/O time reduced by a factor of two or more With many components, failures are frequent Use deterministic operations and replication Fault tolerance Binary Tree algorithm assumes honest-but- curious adversary Use Merkle trees to efficiently attest to states Can tolerate Byzantine malicious adversary

53 Parallelism means faults will be commonplace. Jay Lorch, Microsoft ResearchShroud53

54 Deterministic operations make recovery feasible. Jay Lorch, Microsoft ResearchShroud54 A2A2 A3A3

55 User accesses must be assigned increasing numbers. Jay Lorch, Microsoft ResearchShroud55 User request # of accesses so far: 37 # of accesses so far: 37 # of accesses so far: 37

56 User accesses must be assigned increasing numbers. Jay Lorch, Microsoft ResearchShroud56 User request # of accesses so far: 38 # of accesses so far: 38 # of accesses so far: 37 Access 38:

57 Failed coprocessors can be replaced via delegation. Jay Lorch, Microsoft ResearchShroud57 # of accesses so far: 38 # of accesses so far: 38 # of accesses so far: 38 Delegation of responsibility

58 Talk outline Overview Background on oblivious RAM Design of Shroud Implementation Performance evaluation Future work Conclusions ShroudJay Lorch, Microsoft Research58

59 We built Shroud using smart cards as our trusted coprocessors. Prototype – Uses Infineon SLE 88 smart cards – Runs on the 10 cards we have Emulator – Enables larger-scale tests – Ran on 139 machines in MSR Simulator – Enables massive-scale simulation Jay Lorch, Microsoft ResearchShroud59 PropertySLE 88 CPU66 MHz Memory16 KB I/O12 KB/s 3DES 1KB73 KB/s SHA-1 1KB155 KB/s Cost$4 Physical security FIPS 140-2 level 3

60 Workloads Jay Lorch, Microsoft ResearchShroud60 Data setNumber of objectsObject size Bing map tiles (zoom level 17)2 35 10 KB Twitter tweets2 35 0.14 KB Facebook images2 36 10 KB Flickr photos2 32 5 MB Small-scale2 20 1 KB

61 System shows high parallelism. Jay Lorch, Microsoft ResearchShroud61 Essentially linear speedup due to parallelism at low scales

62 System shows high parallelism. Jay Lorch, Microsoft ResearchShroud62 Essentially linear speedup due to parallelism at low scales

63 Emulation on larger scale still shows high parallelism. Jay Lorch, Microsoft ResearchShroud63 Essentially linear speedup due to parallelism at moderate scales

64 Emulation on larger scale still shows high parallelism. Jay Lorch, Microsoft ResearchShroud64 Essentially linear speedup due to parallelism at moderate scales

65 There’s a massive amount of parallelism available. Jay Lorch, Microsoft ResearchShroud65 Essentially linear speedup due to parallelismBeyond about 10,000 cards, not much further available parallelism

66 However, performance is still poor. Jay Lorch, Microsoft ResearchShroud66 Twitter tweets (2 35, 140 bytes each) take about 9 seconds to accessMap tiles (2 35, 10 KB each) take about 45 seconds to accessFlickr photos (2 32, 5 MB each) take way too long to access

67 The performance bottleneck is smart card bandwidth. Jay Lorch, Microsoft ResearchShroud67 I/O bandwidth just 12 KB/s! Algorithm is O(RB + R log N)

68 Talk outline Overview Background on oblivious RAM Design of Shroud Implementation Performance evaluation Future work Conclusions ShroudJay Lorch, Microsoft Research68

69 ApproachAdvantageChallenges Tamper- resistant FPGA 3 GB/s bandwidth Hardware customization, Higher cost Secure execution infrastructure >12 GB/s bandwidth Low physical security, High invocation overhead Make disk accesses trustworthy More efficient ORAM protocol Low physical security, Lots of code to verify We’re pursuing several ways to make Shroud faster. Jay Lorch, Microsoft ResearchShroud69 Intel TXT AMD-V

70 FPGAs are promising. Jay Lorch, Microsoft ResearchShroud70

71 Conclusions Encryption insufficient for keeping user access patterns private Oblivious RAM protocols can help, but are very slow Parallelism can substantially reduce latency – Need to carefully select and adapt algorithms – Oblivious aggregation can add more speed High-bandwidth trusted components are necessary for reasonable performance Jay Lorch, Microsoft ResearchShroud71

72 Thank you! ShroudJay Lorch, Microsoft Research72

Download ppt "Shroud: Ensuring Private Access to Large-Scale Data in the Data Center James MickensBryan ParnoMariana RaykovaJoshua SchiffmanJacob R. Lorch."

Similar presentations

Henry C. H. Chen and Patrick P. C. Lee

Henry C. H. Chen and Patrick P. C. Lee
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
Kai-Min Chung (Academia Sinica) joint work with Zhenming Liu (Princeton) and Rafael Pass (Cornell NY Tech)

Kai-Min Chung (Academia Sinica) joint work with Zhenming Liu (Princeton) and Rafael Pass (Cornell NY Tech)
CS7380: Privacy Aware Computing Oblivious RAM 1. Motivation  Starting from software protection Prevent from software piracy A valid method is using hardware.

CS7380: Privacy Aware Computing Oblivious RAM 1. Motivation  Starting from software protection Prevent from software piracy A valid method is using hardware.
1 COMP 206: Computer Architecture and Implementation Montek Singh Mon., Sep 5, 2005 Lecture 2.

1 COMP 206: Computer Architecture and Implementation Montek Singh Mon., Sep 5, 2005 Lecture 2.
Federated, Available, and Reliable Storage for an Incompletely Trusted Environment Atul Adya, Bill Bolosky, Miguel Castro, Gerald Cermak, Ronnie Chaiken,

Federated, Available, and Reliable Storage for an Incompletely Trusted Environment Atul Adya, Bill Bolosky, Miguel Castro, Gerald Cermak, Ronnie Chaiken,
ObliviStore High Performance Oblivious Cloud Storage Emil StefanovElaine Shi

ObliviStore High Performance Oblivious Cloud Storage Emil StefanovElaine Shi
Network Support for Cloud Services Lixin Gao, UMass Amherst.

Network Support for Cloud Services Lixin Gao, UMass Amherst.
FARSITE: Federated, Available, and Reliable Storage for an Incompletely Trusted Environment.

FARSITE: Federated, Available, and Reliable Storage for an Incompletely Trusted Environment.
Computing Hardware Starter.

Computing Hardware Starter.
Oblivious Data Structures Xiao Shaun Wang, Kartik Nayak, Chang Liu, T-H. Hubert Chan, Elaine Shi, Emil Stefanov, Yan Huang 1.

Oblivious Data Structures Xiao Shaun Wang, Kartik Nayak, Chang Liu, T-H. Hubert Chan, Elaine Shi, Emil Stefanov, Yan Huang 1.
Larisa kocsis priya ragupathy

Larisa kocsis priya ragupathy
Yongzhi Wang, Jinpeng Wei VIAF: Verification-based Integrity Assurance Framework for MapReduce.

Yongzhi Wang, Jinpeng Wei VIAF: Verification-based Integrity Assurance Framework for MapReduce.
Ji-Yong Shin Cornell University In collaboration with Mahesh Balakrishnan (MSR SVC), Tudor Marian (Google), Lakshmi Ganesh (UT Austin), and Hakim Weatherspoon.

Ji-Yong Shin Cornell University In collaboration with Mahesh Balakrishnan (MSR SVC), Tudor Marian (Google), Lakshmi Ganesh (UT Austin), and Hakim Weatherspoon.
CSE332: Data Abstractions Lecture 8: Memory Hierarchy Tyler Robison Summer 2010 1.

CSE332: Data Abstractions Lecture 8: Memory Hierarchy Tyler Robison Summer
Accelerating Homomorphic Evaluation on Reconfigurable Hardware Thomas Pöppelmann, Michael Naehrig, Andrew Putnam, Adrian Macias.

Accelerating Homomorphic Evaluation on Reconfigurable Hardware Thomas Pöppelmann, Michael Naehrig, Andrew Putnam, Adrian Macias.
Modeling Billion-Node Torus Networks Using Massively Parallel Discrete-Event Simulation Ning Liu, Christopher Carothers 1.

Modeling Billion-Node Torus Networks Using Massively Parallel Discrete-Event Simulation Ning Liu, Christopher Carothers 1.
Privacy Preserving Payments in Credit Networks By: Moreno-Sanchez et al from Saarland University Presented By: Cody Watson Some Slides Borrowed From NDSS’15.

Privacy Preserving Payments in Credit Networks By: Moreno-Sanchez et al from Saarland University Presented By: Cody Watson Some Slides Borrowed From NDSS’15.
© GCSE Computing Computing Hardware Starter. Creating a spreadsheet to demonstrate the size of memory. 1 byte = 1 character or about 1 pixel of information.

© GCSE Computing Computing Hardware Starter. Creating a spreadsheet to demonstrate the size of memory. 1 byte = 1 character or about 1 pixel of information.
Multilevel Caches Microprocessors are getting faster and including a small high speed cache on the same chip.

Multilevel Caches Microprocessors are getting faster and including a small high speed cache on the same chip.

Similar presentations

Ads by Google