1
Cloud Security 李芮, 蒋希坤, 崔男, April 2018
2
Contents
1 Cloud data
2 TenantGuard
3 A Data Obliviate File System for Intel SGX
4
Concerns Where’s data? Who has access? Do you have the right to audit?
Anyone else can see it? Could the data be duplicated? ……
5
Data privacy: Liang K, Su C, Chen J, et al. Efficient Multi-Function Data Sharing and Searching Mechanism for Cloud-Based Encrypted Data[C]// ACM on Asia Conference on Computer and Communications Security. ACM, 2016:83-94.
Cloud virtual networks: Majumdar S, Wang Y, Madi T, et al. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation[C]// The Network and Distributed System Security Symposium
Verification: A Ahmad, K Kim, MI Sarfaraz, et al. OBLIVIATE: A Data Oblivious File System for Intel SGX [C]// Network and Distributed Systems Security (NDSS) Symposium 2018
6
Contents
1 Cloud data
2 TenantGuard
3 A Data Obliviate File System for Intel SGX
7
For cloud data Homomorphic encryption For cloud computing Homomorphic
Cloud data share Cloud data search Cloud-Based Encrypted Data
8
What’s Homomorphic?
A way to delegate processing of your data, without giving away access to it. [Gen09] Example??
9
Example for Homomorphic
10
Application cloud computing
Processing data Without access to get
12
Comparison for HE
13
Cloud Data share and search
14
Algorithm
$Setup \to (mpk, msk)$
$KeyGen \to (pk_{ID}, sk_{ID})$
$Enc \to CT$
$TKGen \to TK$
$UpTKGen \to uptk_{w_i \to w_j}$
$Update \to CT$
$Search \to 0/1$
$ReKeyGen \to rk_{ID_i \to ID_j,\, w_i \to w_j}$
$ReEnc \to CT$
$Dec \to m$
15
Data search phase
16
keyword description update and C share
17
Data sharing: allow any system user with valid decryption rights to an encrypted data item to share his/her encrypted data with others efficiently and securely.
Privacy preservation: Given either a search token or a keyword update token, a cloud server learns nothing about the keyword(s). Given an original ciphertext or a shared (re-encrypted) ciphertext, a cloud server learns nothing about the underlying message or the keyword description tagged with the ciphertext.
18
Realization – Bilinear Map
19
Contents
1 Cloud data
2 TenantGuard
3 A Data Obliviate File System for Intel SGX
20
Paper Structure – Background of TenantGuard – Architecture of TenantGuard – Key Ideas of TenantGuard – Application of TenantGuard to OpenStack
21
Highlights
22
Isolation Breaches: Isolation breaches are one of the biggest security concerns in the cloud.
23
Isolation Breaches One possible solution is: network isolation verification
24
Challenges of Network Isolation Verification
25
Existing Approaches
26
Network Isolation Verification
27
TenantGuard: Architecture
28
TenantGuard: Architecture
29
TenantGuard: Key Ideas
30
TenantGuard: Key Ideas
31
TenantGuard: Key Ideas
32
Hierarchical Virtual Network Model
33
Hierarchical Virtual Network Model
34
Baseline Approach
35
TenantGuard: Top-Down Verification
36
TenantGuard: Top-Down Verification
37
TenantGuard: Top-Down Verification
38
TenantGuard: Top-Down Verification
39
TenantGuard: Efficient Data Structure
40
TenantGuard: Efficient Data Structure
41
TenantGuard: Efficient Data Structure
42
TenantGuard: Efficient Data Structure
43
TenantGuard: Incremental Verification
44
Application to OpenStack
45
Performance Evaluation
46
Further Performance Improvement
47
Further Performance Improvement
48
Conclusion
49
Contents
1 Cloud data
2 TenantGuard
3 A Data Obliviate File System for Intel SGX
50
Trend 1: Security and Privacy Critical Factors in Technology Adoption
Demands for “security” and “privacy” are increasing:
Widespread use of Transport Layer Security (TLS)
Popularity of anonymity networks (e.g., Tor)
Use of strong authentication/encryption in WiFi
Expectation on security and privacy impacts design decisions:
Operating system (iOS, Android)
Apps/services (e.g., messenger, adblocker)
Network infrastructure (inter-domain SDN)

I’d like to start by pointing out two big trends. First, security and privacy are becoming critical factors for technology adoption. Applications and services with enhanced security and privacy features are getting increasingly adopted. And they often impact our design decisions. We see many examples like this in today’s market.
51
Trend 2: Commoditization of Trusted Execution Environment
Trusted Execution Environment (TEE):
Isolated execution: integrity of code, confidentiality
Remote attestation
Commoditization of TEE:
Trusted Platform Module (TPM): Slow performance
ARM TrustZone: Only available for embedded devices
Intel Software Guard Extensions (SGX): 1. Native performance 2. Compatibility with x86

The second trend is commoditization of trusted execution environments, or TEEs. TEEs provide hardware-based mechanisms for isolated execution and remote attestation. While the idea and implementation have been around for a long time, they had several practical limitations. However, the newly released Intel SGX truly signals the commoditization by lifting off some of the limitations; it gives native performance to software running in the secure mode and is compatible with x86. Imagine all our laptops and servers on the Cloud supporting TEE. We believe that the commoditization of TEE brings new opportunities for network applications because many network and middlebox applications run on x86.
52
Network Applications + TEE = ?
What impact does TEE have on networking?
Previous efforts: Adopting TEE to cloud platform
Haven [OSDI’14]: Protects applications from an untrusted cloud
VC3 [S&P’15]: Trustworthy data analytics in the cloud
Network Applications + TEE (Intel SGX): Enhanced security, New design space, New functionality
53
Contents 4
73
Thank you!